[4.1.x] Fixed CVE-2022-41323 -- Prevented locales being interpreted as regular expressions.
Thanks to Benjamin Balder Bach for the report.
This commit is contained in:
parent
7843c43c49
commit
9d656ea51d
|
@ -346,7 +346,7 @@ class LocalePrefixPattern:
|
||||||
@property
|
@property
|
||||||
def regex(self):
|
def regex(self):
|
||||||
# This is only used by reverse() and cached in _reverse_dict.
|
# This is only used by reverse() and cached in _reverse_dict.
|
||||||
return re.compile(self.language_prefix)
|
return re.compile(re.escape(self.language_prefix))
|
||||||
|
|
||||||
@property
|
@property
|
||||||
def language_prefix(self):
|
def language_prefix(self):
|
||||||
|
|
|
@ -6,4 +6,8 @@ Django 3.2.16 release notes
|
||||||
|
|
||||||
Django 3.2.16 fixes a security issue with severity "medium" in 3.2.15.
|
Django 3.2.16 fixes a security issue with severity "medium" in 3.2.15.
|
||||||
|
|
||||||
...
|
CVE-2022-41323: Potential denial-of-service vulnerability in internationalized URLs
|
||||||
|
===================================================================================
|
||||||
|
|
||||||
|
Internationalized URLs were subject to potential denial of service attack via
|
||||||
|
the locale parameter.
|
||||||
|
|
|
@ -6,4 +6,8 @@ Django 4.0.8 release notes
|
||||||
|
|
||||||
Django 4.0.8 fixes a security issue with severity "medium" in 4.0.7.
|
Django 4.0.8 fixes a security issue with severity "medium" in 4.0.7.
|
||||||
|
|
||||||
...
|
CVE-2022-41323: Potential denial-of-service vulnerability in internationalized URLs
|
||||||
|
===================================================================================
|
||||||
|
|
||||||
|
Internationalized URLs were subject to potential denial of service attack via
|
||||||
|
the locale parameter.
|
||||||
|
|
|
@ -7,6 +7,12 @@ Django 4.1.2 release notes
|
||||||
Django 4.1.2 fixes a security issue with severity "medium" and several bugs in
|
Django 4.1.2 fixes a security issue with severity "medium" and several bugs in
|
||||||
4.1.1.
|
4.1.1.
|
||||||
|
|
||||||
|
CVE-2022-41323: Potential denial-of-service vulnerability in internationalized URLs
|
||||||
|
===================================================================================
|
||||||
|
|
||||||
|
Internationalized URLs were subject to potential denial of service attack via
|
||||||
|
the locale parameter.
|
||||||
|
|
||||||
Bugfixes
|
Bugfixes
|
||||||
========
|
========
|
||||||
|
|
||||||
|
|
|
@ -215,6 +215,12 @@ class URLTranslationTests(URLTestCaseBase):
|
||||||
expected_link,
|
expected_link,
|
||||||
)
|
)
|
||||||
|
|
||||||
|
def test_locale_not_interepreted_as_regex(self):
|
||||||
|
with translation.override("e("):
|
||||||
|
# Would previously error:
|
||||||
|
# re.error: missing ), unterminated subpattern at position 1
|
||||||
|
reverse("users")
|
||||||
|
|
||||||
|
|
||||||
class URLNamespaceTests(URLTestCaseBase):
|
class URLNamespaceTests(URLTestCaseBase):
|
||||||
"""
|
"""
|
||||||
|
|
Loading…
Reference in New Issue