Skip to content

Commit 9d656ea

Browse files
adamchainzcarltongibson
adamchainz
authored and
carltongibson
committed
[4.1.x] Fixed CVE-2022-41323 -- Prevented locales being interpreted as regular expressions.
Thanks to Benjamin Balder Bach for the report.
1 parent 7843c43 commit 9d656ea

File tree

5 files changed

+23
-3
lines changed

5 files changed

+23
-3
lines changed

django/urls/resolvers.py

+1-1
Original file line numberDiff line numberDiff line change
@@ -346,7 +346,7 @@ def __init__(self, prefix_default_language=True):
346346
@property
347347
def regex(self):
348348
# This is only used by reverse() and cached in _reverse_dict.
349-
return re.compile(self.language_prefix)
349+
return re.compile(re.escape(self.language_prefix))
350350

351351
@property
352352
def language_prefix(self):

docs/releases/3.2.16.txt

+5-1
Original file line numberDiff line numberDiff line change
@@ -6,4 +6,8 @@ Django 3.2.16 release notes
66

77
Django 3.2.16 fixes a security issue with severity "medium" in 3.2.15.
88

9-
...
9+
CVE-2022-41323: Potential denial-of-service vulnerability in internationalized URLs
10+
===================================================================================
11+
12+
Internationalized URLs were subject to potential denial of service attack via
13+
the locale parameter.

docs/releases/4.0.8.txt

+5-1
Original file line numberDiff line numberDiff line change
@@ -6,4 +6,8 @@ Django 4.0.8 release notes
66

77
Django 4.0.8 fixes a security issue with severity "medium" in 4.0.7.
88

9-
...
9+
CVE-2022-41323: Potential denial-of-service vulnerability in internationalized URLs
10+
===================================================================================
11+
12+
Internationalized URLs were subject to potential denial of service attack via
13+
the locale parameter.

docs/releases/4.1.2.txt

+6
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,12 @@ Django 4.1.2 release notes
77
Django 4.1.2 fixes a security issue with severity "medium" and several bugs in
88
4.1.1.
99

10+
CVE-2022-41323: Potential denial-of-service vulnerability in internationalized URLs
11+
===================================================================================
12+
13+
Internationalized URLs were subject to potential denial of service attack via
14+
the locale parameter.
15+
1016
Bugfixes
1117
========
1218

tests/i18n/patterns/tests.py

+6
Original file line numberDiff line numberDiff line change
@@ -215,6 +215,12 @@ def test_reverse_translated_with_captured_kwargs(self):
215215
expected_link,
216216
)
217217

218+
def test_locale_not_interepreted_as_regex(self):
219+
with translation.override("e("):
220+
# Would previously error:
221+
# re.error: missing ), unterminated subpattern at position 1
222+
reverse("users")
223+
218224

219225
class URLNamespaceTests(URLTestCaseBase):
220226
"""

0 commit comments

Comments
 (0)