[4.1.x] Fixed CVE-2022-41323 -- Prevented locales being interpreted as regular expressions.

Thanks to Benjamin Balder Bach for the report.
This commit is contained in:
Adam Johnson 2022-09-02 09:44:05 +01:00 committed by Carlton Gibson
parent 7843c43c49
commit 9d656ea51d
5 changed files with 23 additions and 3 deletions

View File

@ -346,7 +346,7 @@ class LocalePrefixPattern:
@property @property
def regex(self): def regex(self):
# This is only used by reverse() and cached in _reverse_dict. # This is only used by reverse() and cached in _reverse_dict.
return re.compile(self.language_prefix) return re.compile(re.escape(self.language_prefix))
@property @property
def language_prefix(self): def language_prefix(self):

View File

@ -6,4 +6,8 @@ Django 3.2.16 release notes
Django 3.2.16 fixes a security issue with severity "medium" in 3.2.15. Django 3.2.16 fixes a security issue with severity "medium" in 3.2.15.
... CVE-2022-41323: Potential denial-of-service vulnerability in internationalized URLs
===================================================================================
Internationalized URLs were subject to potential denial of service attack via
the locale parameter.

View File

@ -6,4 +6,8 @@ Django 4.0.8 release notes
Django 4.0.8 fixes a security issue with severity "medium" in 4.0.7. Django 4.0.8 fixes a security issue with severity "medium" in 4.0.7.
... CVE-2022-41323: Potential denial-of-service vulnerability in internationalized URLs
===================================================================================
Internationalized URLs were subject to potential denial of service attack via
the locale parameter.

View File

@ -7,6 +7,12 @@ Django 4.1.2 release notes
Django 4.1.2 fixes a security issue with severity "medium" and several bugs in Django 4.1.2 fixes a security issue with severity "medium" and several bugs in
4.1.1. 4.1.1.
CVE-2022-41323: Potential denial-of-service vulnerability in internationalized URLs
===================================================================================
Internationalized URLs were subject to potential denial of service attack via
the locale parameter.
Bugfixes Bugfixes
======== ========

View File

@ -215,6 +215,12 @@ class URLTranslationTests(URLTestCaseBase):
expected_link, expected_link,
) )
def test_locale_not_interepreted_as_regex(self):
with translation.override("e("):
# Would previously error:
# re.error: missing ), unterminated subpattern at position 1
reverse("users")
class URLNamespaceTests(URLTestCaseBase): class URLNamespaceTests(URLTestCaseBase):
""" """