Fixed #30530, CVE-2021-44420 -- Fixed potential bypass of an upstream access control based on URL paths.
Thanks Sjoerd Job Postmus and TengMA(@te3t123) for reports.
This commit is contained in:
parent
628b6a6869
commit
d4dcd5b9dd
|
@ -165,7 +165,11 @@ class RegexPattern(CheckURLMixin):
|
||||||
self.converters = {}
|
self.converters = {}
|
||||||
|
|
||||||
def match(self, path):
|
def match(self, path):
|
||||||
match = self.regex.search(path)
|
match = (
|
||||||
|
self.regex.fullmatch(path)
|
||||||
|
if self._is_endpoint and self.regex.pattern.endswith('$')
|
||||||
|
else self.regex.search(path)
|
||||||
|
)
|
||||||
if match:
|
if match:
|
||||||
# If there are any named groups, use those as kwargs, ignoring
|
# If there are any named groups, use those as kwargs, ignoring
|
||||||
# non-named groups. Otherwise, pass all non-named arguments as
|
# non-named groups. Otherwise, pass all non-named arguments as
|
||||||
|
@ -255,7 +259,7 @@ def _route_to_regex(route, is_endpoint=False):
|
||||||
converters[parameter] = converter
|
converters[parameter] = converter
|
||||||
parts.append('(?P<' + parameter + '>' + converter.regex + ')')
|
parts.append('(?P<' + parameter + '>' + converter.regex + ')')
|
||||||
if is_endpoint:
|
if is_endpoint:
|
||||||
parts.append('$')
|
parts.append(r'\Z')
|
||||||
return ''.join(parts), converters
|
return ''.join(parts), converters
|
||||||
|
|
||||||
|
|
||||||
|
|
|
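Review bot: The `endswith('$')` test in `RegexPattern.match` decides anchoring from the pattern's last character only, so a `re_path` whose `$` sits inside a closing group (for example `r'^articles/(?:\d+/$)'`) is still matched with `search()`, and since `$` also matches just before a trailing newline such a pattern still accepts `/articles/1/\n`; if those patterns are considered out of scope that is fine, but the limitation deserves a comment. A short why-comment on the `fullmatch` branch would help the next reader, along the lines of `# '$' also matches before a trailing newline; fullmatch() closes that gap for anchored endpoint patterns (CVE-2021-44420)`. Because `self.regex.pattern` is fixed after construction, the `endswith('$')` check could be computed once in `__init__` (outside this hunk) instead of on every call. `_is_endpoint` is assigned outside the hunk, presumably in the constructor; the `\Z` now emitted by `_route_to_regex` covers `path()` routes, since `\Z` never matches before a trailing newline.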
@ -6,4 +6,8 @@ Django 2.2.25 release notes
|
||||||
|
|
||||||
Django 2.2.25 fixes a security issue with severity "low" in 2.2.24.
|
Django 2.2.25 fixes a security issue with severity "low" in 2.2.24.
|
||||||
|
|
||||||
...
|
CVE-2021-44420: Potential bypass of an upstream access control based on URL paths
|
||||||
|
=================================================================================
|
||||||
|
|
||||||
|
HTTP requests for URLs with trailing newlines could bypass an upstream access
|
||||||
|
control based on URL paths.
|
||||||
|
|
|
@ -6,4 +6,8 @@ Django 3.1.14 release notes
|
||||||
|
|
||||||
Django 3.1.14 fixes a security issue with severity "low" in 3.1.13.
|
Django 3.1.14 fixes a security issue with severity "low" in 3.1.13.
|
||||||
|
|
||||||
...
|
CVE-2021-44420: Potential bypass of an upstream access control based on URL paths
|
||||||
|
=================================================================================
|
||||||
|
|
||||||
|
HTTP requests for URLs with trailing newlines could bypass an upstream access
|
||||||
|
control based on URL paths.
|
||||||
|
|
|
@ -4,8 +4,13 @@ Django 3.2.10 release notes
|
||||||
|
|
||||||
*December 7, 2021*
|
*December 7, 2021*
|
||||||
|
|
||||||
Django 3.2.10 fixes a security issue with severity "low" and several bugs in
|
Django 3.2.10 fixes a security issue with severity "low" and a bug in 3.2.9.
|
||||||
3.2.9.
|
|
||||||
|
CVE-2021-44420: Potential bypass of an upstream access control based on URL paths
|
||||||
|
=================================================================================
|
||||||
|
|
||||||
|
HTTP requests for URLs with trailing newlines could bypass an upstream access
|
||||||
|
control based on URL paths.
|
||||||
|
|
||||||
Bugfixes
|
Bugfixes
|
||||||
========
|
========
|
||||||
|
|
|
@ -169,6 +169,19 @@ class SimplifiedURLTests(SimpleTestCase):
|
||||||
match = p.resolve('space%s/1/' % string.whitespace)
|
match = p.resolve('space%s/1/' % string.whitespace)
|
||||||
self.assertEqual(match.kwargs, {'num': 1})
|
self.assertEqual(match.kwargs, {'num': 1})
|
||||||
|
|
||||||
|
def test_path_trailing_newlines(self):
|
||||||
|
tests = [
|
||||||
|
'/articles/2003/\n',
|
||||||
|
'/articles/2010/\n',
|
||||||
|
'/en/foo/\n',
|
||||||
|
'/included_urls/extra/\n',
|
||||||
|
'/regex/1/\n',
|
||||||
|
'/users/1/\n',
|
||||||
|
]
|
||||||
|
for url in tests:
|
||||||
|
with self.subTest(url=url), self.assertRaises(Resolver404):
|
||||||
|
resolve(url)
|
||||||
|
|
||||||
|
|
||||||
@override_settings(ROOT_URLCONF='urlpatterns.converter_urls')
|
@override_settings(ROOT_URLCONF='urlpatterns.converter_urls')
|
||||||
class ConverterTests(SimpleTestCase):
|
class ConverterTests(SimpleTestCase):
|
||||||
|
|
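Review bot: Each entry in `test_path_trailing_newlines` asserts only that `Resolver404` is raised, so a URL in the list that never resolved at all (a typo, or a route later removed from the test urlconf) would pass silently for the wrong reason; a positive control inside the subTest, such as `resolve(url.rstrip('\n'))` before the `assertRaises`, would pin that it is the newline alone that breaks resolution. The list does exercise both `path()` routes and a `re_path()` route (`/regex/1/`), which matches the two code changes in the commit. `SimplifiedURLTests` continues outside the hunk.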