Fixed catastrophic backtracking in URLValidator.

Thanks João Silva for reporting the problem and Tim Graham for finding the problematic RE and for review. This is a security fix; disclosure to follow shortly.

Fixed catastrophic backtracking in URLValidator.
Thanks João Silva for reporting the problem and Tim Graham for finding the problematic RE and for review. This is a security fix; disclosure to follow shortly.
17d3a6d8 · Shai Berger · Tim Graham · 014247ad · 17d3a6d8 · 17d3a6d8
Kaydet (Commit) 17d3a6d8 authored Haz 29, 2015 tarafından Shai Berger Kaydeden (comit) Tim Graham Tem 08, 2015
5 changed files
--- a/django/core/validators.py
+++ b/django/core/validators.py
@@ -73,7 +73,7 @@ class URLValidator(RegexValidator):

    # Host patterns
    hostname_re = r'[a-z' + ul + r'0-9](?:[a-z' + ul + r'0-9-]*[a-z' + ul + r'0-9])?'
-    domain_re = r'(?:\.[a-z' + ul + r'0-9]+(?:[a-z' + ul + r'0-9-]*[a-z' + ul + r'0-9]+)*)*'
+    domain_re = r'(?:\.(?!-)[a-z' + ul + r'0-9-]*(?<!-))*'
    tld_re = r'\.(?:[a-z' + ul + r']{2,}|xn--[a-z0-9]+)\.?'
    host_re = '(' + hostname_re + domain_re + tld_re + '|localhost)'


--- a/docs/releases/1.8.3.txt
+++ b/docs/releases/1.8.3.txt
@@ -60,6 +60,13 @@ The undocumented, internally unused ``validate_integer()`` function is now
 stricter as it validates using a regular expression instead of simply casting
 the value using ``int()`` and checking if an exception was raised.

+Denial-of-service possibility in URL validation
+===============================================
+
+:class:`~django.core.validators.URLValidator` included a regular expression
+that was extremely slow to evaluate against certain invalid inputs. This regular
+expression has been simplified and optimized.
+
 Bugfixes
 ========


--- a/tests/validators/invalid_urls.txt
+++ b/tests/validators/invalid_urls.txt
@@ -35,6 +35,8 @@ http://foo.bar/foo(bar)baz quux
 http://-error-.invalid/
 http://-a.b.co
 http://a.b-.co
+http://a.-b.co
+http://a.b-.c.co
 http:/
 http://
 http://

--- a/tests/validators/tests.py
+++ b/tests/validators/tests.py
@@ -188,6 +188,9 @@ TEST_DATA = [
    # Trailing newlines not accepted
    (URLValidator(), 'http://www.djangoproject.com/\n', ValidationError),
    (URLValidator(), 'http://[::ffff:192.9.5.5]\n', ValidationError),
+    # Trailing junk does not take forever to reject
+    (URLValidator(), 'http://www.asdasdasdasdsadfm.com.br ', ValidationError),
+    (URLValidator(), 'http://www.asdasdasdasdsadfm.com.br z', ValidationError),

    (BaseValidator(True), True, None),
    (BaseValidator(True), False, ValidationError),

--- a/tests/validators/valid_urls.txt
+++ b/tests/validators/valid_urls.txt
@@ -7,6 +7,7 @@ http://www.example.com/
 http://www.example.com:8000/test
 http://valid-with-hyphens.com/
 http://subdomain.example.com/
+http://a.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 http://200.8.9.10/
 http://200.8.9.10:8000/test
 http://su--b.valid-----hyphens.com/