Commit 17d3a6d8 authored by Shai Berger's avatar Shai Berger Committed by Tim Graham
Browse files

Fixed catastrophic backtracking in URLValidator. 

Thanks João Silva for reporting the problem and Tim Graham for finding the
problematic RE and for review.

This is a security fix; disclosure to follow shortly.
parent 014247ad

django/core/validators.py

+1 −1
Original line number Diff line number Diff line
@@ -73,7 +73,7 @@ class URLValidator(RegexValidator): 


    # Host patterns

    hostname_re = r'[a-z' + ul + r'0-9](?:[a-z' + ul + r'0-9-]*[a-z' + ul + r'0-9])?'

    domain_re = r'(?:\.[a-z' + ul + r'0-9]+(?:[a-z' + ul + r'0-9-]*[a-z' + ul + r'0-9]+)*)*'

    domain_re = r'(?:\.(?!-)[a-z' + ul + r'0-9-]*(?<!-))*'

    tld_re = r'\.(?:[a-z' + ul + r']{2,}|xn--[a-z0-9]+)\.?'

    host_re = '(' + hostname_re + domain_re + tld_re + '|localhost)'

docs/releases/1.8.3.txt

+7 −0
Original line number Diff line number Diff line
@@ -60,6 +60,13 @@ The undocumented, internally unused ``validate_integer()`` function is now 
stricter as it validates using a regular expression instead of simply casting

the value using ``int()`` and checking if an exception was raised.



Denial-of-service possibility in URL validation

===============================================



:class:`~django.core.validators.URLValidator` included a regular expression

that was extremely slow to evaluate against certain invalid inputs. This regular

expression has been simplified and optimized.



Bugfixes

========

tests/validators/invalid_urls.txt

+2 −0
Original line number Diff line number Diff line
@@ -35,6 +35,8 @@ http://foo.bar/foo(bar)baz quux 
http://-error-.invalid/

http://-a.b.co

http://a.b-.co

http://a.-b.co

http://a.b-.c.co

http:/

http://

http://

tests/validators/tests.py

+3 −0
Original line number Diff line number Diff line
@@ -188,6 +188,9 @@ TEST_DATA = [ 
    # Trailing newlines not accepted

    (URLValidator(), 'http://www.djangoproject.com/\n', ValidationError),

    (URLValidator(), 'http://[::ffff:192.9.5.5]\n', ValidationError),

    # Trailing junk does not take forever to reject

    (URLValidator(), 'http://www.asdasdasdasdsadfm.com.br ', ValidationError),

    (URLValidator(), 'http://www.asdasdasdasdsadfm.com.br z', ValidationError),



    (BaseValidator(True), True, None),

    (BaseValidator(True), False, ValidationError),

tests/validators/valid_urls.txt

+1 −0
Original line number Diff line number Diff line
@@ -7,6 +7,7 @@ http://www.example.com/ 
http://www.example.com:8000/test

http://valid-with-hyphens.com/

http://subdomain.example.com/

http://a.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

http://200.8.9.10/

http://200.8.9.10:8000/test

http://su--b.valid-----hyphens.com/