Loading django/core/validators.py +1 −1 Original line number Diff line number Diff line Loading @@ -73,7 +73,7 @@ class URLValidator(RegexValidator): # Host patterns hostname_re = r'[a-z' + ul + r'0-9](?:[a-z' + ul + r'0-9-]*[a-z' + ul + r'0-9])?' domain_re = r'(?:\.[a-z' + ul + r'0-9]+(?:[a-z' + ul + r'0-9-]*[a-z' + ul + r'0-9]+)*)*' domain_re = r'(?:\.(?!-)[a-z' + ul + r'0-9-]*(?<!-))*' tld_re = r'\.(?:[a-z' + ul + r']{2,}|xn--[a-z0-9]+)\.?' host_re = '(' + hostname_re + domain_re + tld_re + '|localhost)' Loading docs/releases/1.8.3.txt +7 −0 Original line number Diff line number Diff line Loading @@ -60,6 +60,13 @@ The undocumented, internally unused ``validate_integer()`` function is now stricter as it validates using a regular expression instead of simply casting the value using ``int()`` and checking if an exception was raised. Denial-of-service possibility in URL validation =============================================== :class:`~django.core.validators.URLValidator` included a regular expression that was extremely slow to evaluate against certain invalid inputs. This regular expression has been simplified and optimized. Bugfixes ======== Loading tests/validators/invalid_urls.txt +2 −0 Original line number Diff line number Diff line Loading @@ -35,6 +35,8 @@ http://foo.bar/foo(bar)baz quux http://-error-.invalid/ http://-a.b.co http://a.b-.co http://a.-b.co http://a.b-.c.co http:/ http:// http:// Loading tests/validators/tests.py +3 −0 Original line number Diff line number Diff line Loading 
@@ -172,6 +172,9 @@ TEST_DATA = [ # Trailing newlines not accepted (URLValidator(), 'http://www.djangoproject.com/\n', ValidationError), (URLValidator(), 'http://[::ffff:192.9.5.5]\n', ValidationError), # Trailing junk does not take forever to reject (URLValidator(), 'http://www.asdasdasdasdsadfm.com.br ', ValidationError), (URLValidator(), 'http://www.asdasdasdasdsadfm.com.br z', ValidationError), (BaseValidator(True), True, None), (BaseValidator(True), False, ValidationError), Loading tests/validators/valid_urls.txt +1 −0 Original line number Diff line number Diff line Loading @@ -7,6 +7,7 @@ http://www.example.com/ http://www.example.com:8000/test http://valid-with-hyphens.com/ http://subdomain.example.com/ http://a.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa http://200.8.9.10/ http://200.8.9.10:8000/test http://su--b.valid-----hyphens.com/ Loading Loading
django/core/validators.py +1 −1 @@ -73,7 +73,7 @@ class URLValidator(RegexValidator): # Host patterns hostname_re = r'[a-z' + ul + r'0-9](?:[a-z' + ul + r'0-9-]*[a-z' + ul + r'0-9])?' domain_re = r'(?:\.[a-z' + ul + r'0-9]+(?:[a-z' + ul + r'0-9-]*[a-z' + ul + r'0-9]+)*)*' domain_re = r'(?:\.(?!-)[a-z' + ul + r'0-9-]*(?<!-))*' tld_re = r'\.(?:[a-z' + ul + r']{2,}|xn--[a-z0-9]+)\.?' host_re = '(' + hostname_re + domain_re + tld_re + '|localhost)'
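Review bot: The rewritten `domain_re` quantifies the label body with `*`, so a label may be empty: a `.` followed by nothing satisfies both `(?!-)` and `(?<!-)`, and a host with two consecutive dots can now match where the old pattern required at least one character after each dot. Bounding the label, `domain_re = r'(?:\.(?!-)[a-z' + ul + r'0-9-]{1,63}(?<!-))*'`, keeps the flat shape that removes the slow evaluation (every label still begins at a literal dot and the class excludes dots, so there is no nested quantifier to backtrack through) and also enforces the DNS label length limit. A line such as `http://a..co` in tests/validators/invalid_urls.txt would pin this. A short comment above the assignment saying that the lookarounds replace the nested groups to keep matching time bounded would help the next editor not to reintroduce them; the class body continues outside the hunk.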
docs/releases/1.8.3.txt +7 −0 @@ -60,6 +60,13 @@ The undocumented, internally unused ``validate_integer()`` function is now stricter as it validates using a regular expression instead of simply casting the value using ``int()`` and checking if an exception was raised. Denial-of-service possibility in URL validation =============================================== :class:`~django.core.validators.URLValidator` included a regular expression that was extremely slow to evaluate against certain invalid inputs. This regular expression has been simplified and optimized. Bugfixes ========
tests/validators/invalid_urls.txt +2 −0 @@ -35,6 +35,8 @@ http://foo.bar/foo(bar)baz quux http://-error-.invalid/ http://-a.b.co http://a.b-.co http://a.-b.co http://a.b-.c.co http:/ http:// http://
tests/validators/tests.py +3 −0 @@ -172,6 +172,9 @@ TEST_DATA = [ # Trailing newlines not accepted (URLValidator(), 'http://www.djangoproject.com/\n', ValidationError), (URLValidator(), 'http://[::ffff:192.9.5.5]\n', ValidationError), # Trailing junk does not take forever to reject (URLValidator(), 'http://www.asdasdasdasdsadfm.com.br ', ValidationError), (URLValidator(), 'http://www.asdasdasdasdsadfm.com.br z', ValidationError), (BaseValidator(True), True, None), (BaseValidator(True), False, ValidationError),
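Review bot: The two "Trailing junk" cases assert only `ValidationError`, so they would presumably also pass, just very slowly, against a pattern that backtracks badly; a regression would show up as a stalled test run rather than as a failing assertion. The comment should say that, for example `# Trailing junk does not take forever to reject (a regression shows up as a hang, not a failure)`, so that a slow run of this module is read as a signal. The `TEST_DATA` list starts and ends outside the hunk.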
tests/validators/valid_urls.txt +1 −0 @@ -7,6 +7,7 @@ http://www.example.com/ http://www.example.com:8000/test http://valid-with-hyphens.com/ http://subdomain.example.com/ http://a.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa http://200.8.9.10/ http://200.8.9.10:8000/test http://su--b.valid-----hyphens.com/