File CVE-2021-33571.patch of Package python-Django
From 048eb4f1ac4756a0ae496a77c10ee53a54a69d67 Mon Sep 17 00:00:00 2001
From: Mariusz Felisiak <felisiak.mariusz@gmail.com>
Date: Tue, 25 May 2021 11:57:59 +0200
Subject: [PATCH] [2.2.x] Fixed CVE-2021-33571 -- Prevented leading zeros in IPv4 addresses.
validate_ipv4_address() was affected only on Python < 3.9.5, see [1]. URLValidator() uses a regular expressions and it was affected on all Python versions.
[1] https://bugs.python.org/issue36384
---
django/core/validators.py | 14 +++++++++++++-
docs/releases/2.2.24.txt | 13 +++++++++++++
tests/validators/invalid_urls.txt | 8 ++++++++
tests/validators/tests.py | 20 ++++++++++++++++++++
tests/validators/valid_urls.txt | 6 ++++++
5 files changed, 60 insertions(+), 1 deletion(-)
diff --git a/django/core/validators.py b/django/core/validators.py
index ea18685fdb46..fb81fa80fc51 100644
--- a/django/core/validators.py
+++ b/django/core/validators.py
@@ -77,10 +77,10 @@ class RegexValidator(object):
@deconstructible
class URLValidator(RegexValidator):
- ul = '\u00a1-\uffff' # unicode letters range (must be a unicode string, not a raw string)
+ ul = '\u00a1-\uffff' # unicode letters range (must not be a raw string)
# IP patterns
- ipv4_re = r'(?:25[0-5]|2[0-4]\d|[0-1]?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|[0-1]?\d?\d)){3}'
+ ipv4_re = r'(?:0|25[0-5]|2[0-4]\d|1\d?\d?|[1-9]\d?)(?:\.(?:0|25[0-5]|2[0-4]\d|1\d?\d?|[1-9]\d?)){3}'
ipv6_re = r'\[[0-9a-f:\.]+\]' # (simple regex, validated later)
# Host patterns
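Review bot: The octet alternation `(?:0|25[0-5]|2[0-4]\d|1\d?\d?|[1-9]\d?)` introduced on the `+    ipv4_re` line of URLValidator is spelled out again, character for character, in the module-level `ipv4_re` of the later hunk in this file, so the two validators can silently drift apart the next time one of them is touched. I would hoist it into one module-level constant defined above the class, `_IPV4_OCTET_RE = r'(?:0|25[0-5]|2[0-4]\d|1\d?\d?|[1-9]\d?)'`, and build both patterns from it, `ipv4_re = _IPV4_OCTET_RE + r'(?:\.' + _IPV4_OCTET_RE + r'){3}'`. A why-comment on the alternation would also help the next reader, since the reason is only stated in the other hunk: `# An octet is 0 or 1-255 with no leading zero; leading zeros are rejected because they are ambiguous with octal notation (CVE-2021-33571).` The URLValidator class continues outside this hunk.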
@@ -253,9 +253,26 @@ validate_unicode_slug = RegexValidator(
'invalid'
)
-ipv4_re = _lazy_re_compile(r'^(25[0-5]|2[0-4][0-9]|[0-1]?[0-9]?[0-9])(\.(25[0-5]|2[0-4][0-9]|[0-1]?[0-9]?[0-9])){3}\Z')
-validate_ipv4_address = RegexValidator(ipv4_re, _('Enter a valid IPv4 address.'), 'invalid')
+ipv4_re = _lazy_re_compile(r'(?:0|25[0-5]|2[0-4]\d|1\d?\d?|[1-9]\d?)(?:\.(?:0|25[0-5]|2[0-4]\d|1\d?\d?|[1-9]\d?)){3}')
+_validate_ipv4_address = RegexValidator(ipv4_re, _('Enter a valid IPv4 address.'), 'invalid')
+def validate_ipv4_address(value):
+ try:
+ _validate_ipv4_address(value)
+ except ValidationError:
+ raise ValidationError(_('Enter a valid IPv4 address.'), code='invalid')
+ else:
+ # Leading zeros are forbidden to avoid ambiguity with the octal
+ # notation. This restriction is included in Python 3.9.5+.
+ # TODO: Remove when dropping support for PY39.
+ if any(
+ octet != '0' and octet[0] == '0'
+ for octet in value.split('.')
+ ):
+ raise ValidationError(
+ _('Enter a valid IPv4 address.'),
+ code='invalid',
+ )
def validate_ipv6_address(value):
if not is_valid_ipv6_address(value):
diff --git a/tests/validators/invalid_urls.txt b/tests/validators/invalid_urls.txt
index 04a0b5fb1b5f..4cbaa55eb48e 100644
--- a/tests/validators/invalid_urls.txt
+++ b/tests/validators/invalid_urls.txt
@@ -46,6 +46,14 @@ http://1.1.1.1.1
http://123.123.123
http://3628126748
http://123
+http://000.000.000.000
+http://016.016.016.016
+http://192.168.000.001
+http://01.2.3.4
+http://01.2.3.4
+http://1.02.3.4
+http://1.2.03.4
+http://1.2.3.04
http://.www.foo.bar/
http://.www.foo.bar./
http://[::1:2::3]:8080/
diff --git a/tests/validators/tests.py b/tests/validators/tests.py
index 4ef8a524b121..5a544ab92ddb 100644
--- a/tests/validators/tests.py
+++ b/tests/validators/tests.py
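Review bot: The new module-level `ipv4_re` drops the `^` and `\Z` anchors that the removed line had, and RegexValidator (its `__call__` is outside this hunk) matches with `regex.search()`, so as printed here any value that merely contains a dotted quad — `'1.1.1.1\n'`, `'1.2.3.4.5'`, `'x1.2.3.4'` — satisfies the regex, and the `value.split('.')` post-check does not reject those either; the existing `'1.1.1.1\n'` case in tests.py would then be expected to fail. Restore the anchors: `ipv4_re = _lazy_re_compile(r'^(?:0|25[0-5]|2[0-4]\d|1\d?\d?|[1-9]\d?)(?:\.(?:0|25[0-5]|2[0-4]\d|1\d?\d?|[1-9]\d?)){3}\Z')`. With the anchors in place the regex alone rejects every leading-zero form added to the tests, so the `else:` branch is belt-and-braces here; if it stays, its comment should not point at Python 3.9.5 and `PY39`, which describe the `ipaddress`-based validator upstream rather than this regex, e.g. `# Defence in depth: the regex above already rejects leading zeros (octal ambiguity).` A test with text after the address, such as `'1.2.3.4.5'`, would pin the anchoring.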
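Review bot: `+http://01.2.3.4` is added twice in a row in this hunk, and the same `'01.2.3.4'` entry is duplicated in both tests.py hunks that follow (the validate_ipv4_address block at `@@ -140` and the validate_ipv46_address block at `@@ -165`). A duplicate adds no coverage and reads like a copy-paste slip; drop one copy in each place, or replace it with a case not yet covered, for instance a leading zero in two octets at once such as `http://01.02.3.4`.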
@@ -140,6 +140,16 @@ TEST_DATA = [
(validate_ipv4_address, '1.1.1.1\n', ValidationError),
(validate_ipv4_address, '٧.2٥.3٣.243', ValidationError),
+ # Leading zeros are forbidden to avoid ambiguity with the octal notation.
+ (validate_ipv4_address, '000.000.000.000', ValidationError),
+ (validate_ipv4_address, '016.016.016.016', ValidationError),
+ (validate_ipv4_address, '192.168.000.001', ValidationError),
+ (validate_ipv4_address, '01.2.3.4', ValidationError),
+ (validate_ipv4_address, '01.2.3.4', ValidationError),
+ (validate_ipv4_address, '1.02.3.4', ValidationError),
+ (validate_ipv4_address, '1.2.03.4', ValidationError),
+ (validate_ipv4_address, '1.2.3.04', ValidationError),
+
# validate_ipv6_address uses django.utils.ipv6, which
# is tested in much greater detail in its own testcase
(validate_ipv6_address, 'fe80::1', None),
@@ -165,6 +175,16 @@ TEST_DATA = [
(validate_ipv46_address, '::zzz', ValidationError),
(validate_ipv46_address, '12345::', ValidationError),
+ # Leading zeros are forbidden to avoid ambiguity with the octal notation.
+ (validate_ipv46_address, '000.000.000.000', ValidationError),
+ (validate_ipv46_address, '016.016.016.016', ValidationError),
+ (validate_ipv46_address, '192.168.000.001', ValidationError),
+ (validate_ipv46_address, '01.2.3.4', ValidationError),
+ (validate_ipv46_address, '01.2.3.4', ValidationError),
+ (validate_ipv46_address, '1.02.3.4', ValidationError),
+ (validate_ipv46_address, '1.2.03.4', ValidationError),
+ (validate_ipv46_address, '1.2.3.04', ValidationError),
+
(validate_comma_separated_integer_list, '1', None),
(validate_comma_separated_integer_list, '12', None),
(validate_comma_separated_integer_list, '1,2', None),
diff --git a/tests/validators/valid_urls.txt b/tests/validators/valid_urls.txt
index 4bc8c03059c0..83f68eea364f 100644
--- a/tests/validators/valid_urls.txt
+++ b/tests/validators/valid_urls.txt
@@ -63,6 +63,12 @@ http://0.0.0.0/
http://255.255.255.255
http://224.0.0.0
http://224.1.1.1
+http://111.112.113.114/
+http://88.88.88.88/
+http://11.12.13.14/
+http://10.20.30.40/
+http://1.2.3.4/
+http://127.0.01.09.home.lan
http://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.example.com
http://example.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com
http://example.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa