mirror of
https://github.com/django/django.git
synced 2024-12-22 17:16:24 +00:00
Fixed CVE-2022-41323 -- Prevented locales being interpreted as regular expressions.
Thanks to Benjamin Balder Bach for the report.
This commit is contained in:
parent
4771a1694b
commit
e5ea284294
@ -346,7 +346,7 @@ class LocalePrefixPattern:
|
||||
@property
|
||||
def regex(self):
|
||||
# This is only used by reverse() and cached in _reverse_dict.
|
||||
return re.compile(self.language_prefix)
|
||||
return re.compile(re.escape(self.language_prefix))
|
||||
|
||||
@property
|
||||
def language_prefix(self):
|
||||
|
@ -6,4 +6,8 @@ Django 3.2.16 release notes
|
||||
|
||||
Django 3.2.16 fixes a security issue with severity "medium" in 3.2.15.
|
||||
|
||||
...
|
||||
CVE-2022-41323: Potential denial-of-service vulnerability in internationalized URLs
|
||||
===================================================================================
|
||||
|
||||
Internationalized URLs were subject to potential denial of service attack via
|
||||
the locale parameter.
|
||||
|
@ -6,4 +6,8 @@ Django 4.0.8 release notes
|
||||
|
||||
Django 4.0.8 fixes a security issue with severity "medium" in 4.0.7.
|
||||
|
||||
...
|
||||
CVE-2022-41323: Potential denial-of-service vulnerability in internationalized URLs
|
||||
===================================================================================
|
||||
|
||||
Internationalized URLs were subject to potential denial of service attack via
|
||||
the locale parameter.
|
||||
|
@ -7,6 +7,12 @@ Django 4.1.2 release notes
|
||||
Django 4.1.2 fixes a security issue with severity "medium" and several bugs in
|
||||
4.1.1.
|
||||
|
||||
CVE-2022-41323: Potential denial-of-service vulnerability in internationalized URLs
|
||||
===================================================================================
|
||||
|
||||
Internationalized URLs were subject to potential denial of service attack via
|
||||
the locale parameter.
|
||||
|
||||
Bugfixes
|
||||
========
|
||||
|
||||
|
@ -215,6 +215,12 @@ class URLTranslationTests(URLTestCaseBase):
|
||||
expected_link,
|
||||
)
|
||||
|
||||
def test_locale_not_interepreted_as_regex(self):
|
||||
with translation.override("e("):
|
||||
# Would previously error:
|
||||
# re.error: missing ), unterminated subpattern at position 1
|
||||
reverse("users")
|
||||
|
||||
|
||||
class URLNamespaceTests(URLTestCaseBase):
|
||||
"""
|
||||
|
Loading…
Reference in New Issue
Block a user