Opened 5 years ago

Closed 5 years ago

Last modified 3 years ago

#30530 closed Bug (fixed)

url `path` accepts newlines in various places.

Reported by: Sjoerd Job Postmus Owned by: nobody
Component: Core (URLs) Version: dev
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Consider the following simplified urls.py.

from django.http import HttpResponse
from django.urls import path


def path_view(request):
    return HttpResponse('<pre>===&gt;' + request.path + '&lt;===</pre>')


def render_something(request, something):
    return HttpResponse('<pre>===&gt;' + something + '&lt;===</pre>')


urlpatterns = [
    path('hello/', path_view),
    path('foo/<something>/bar/', render_something),
]

By accessing http://localhost:8000/hello/%0a, it's clear that the newline is accepted in the URL. This is because the underlying logic uses a $ in the regular expression, instead of \Z..

By accessing http://localhost:8000/foo/hello%0aworld/bar/, it's clear that the default str converter accepts anywhere in the segment. This is because it uses a negative match [^/]+, which happily accepts a newline character (both %0a and %0d).

I propose changing the $ to \Z, and the negative match to [^/\r\n]+.

I would also suggest changing the documentation on the re_path to suggest \Z instead of $, though that may be more controversial.

Change History (15)

comment:1 by Mariusz Felisiak, 5 years ago

Thanks for this report, however is there any reason to add this restriction? I don't see any issue in accepting encoded newline characters in URL parameters. Moreover this behavior is documented and can be used by users.

comment:2 by Carlton Gibson, 5 years ago

Resolution: wontfix
Status: newclosed

Escaped newlines are legitimate in URLs (and required in cases, e.g. #24962).

comment:3 by Sjoerd Job Postmus, 5 years ago

In that case, isn't the path converter incorrect in not accepting newlines?

comment:4 by Carlton Gibson, 5 years ago

The converters are as they are as a result of design decisions made when introducing the feature. Anyone needing different can implement custom converters.

comment:5 by Mariusz Felisiak <felisiak.mariusz@…>, 3 years ago

Resolution: wontfixfixed

In 22bd174:

[3.1.x] Fixed #30530, CVE-2021-44420 -- Fixed potential bypass of an upstream access control based on URL paths.

Thanks Sjoerd Job Postmus and TengMA(@te3t123) for reports.

Backport of d4dcd5b9dd9e462fec8220e33e3e6c822b7e88a6 from main.

comment:6 by Mariusz Felisiak <felisiak.mariusz@…>, 3 years ago

In 20b9ad36:

[4.0.x] Fixed #30530, CVE-2021-44420 -- Fixed potential bypass of an upstream access control based on URL paths.

Thanks Sjoerd Job Postmus and TengMA(@te3t123) for reports.

Backport of d4dcd5b9dd9e462fec8220e33e3e6c822b7e88a6 from main.

comment:7 by Mariusz Felisiak <felisiak.mariusz@…>, 3 years ago

In d4dcd5b9:

Fixed #30530, CVE-2021-44420 -- Fixed potential bypass of an upstream access control based on URL paths.

Thanks Sjoerd Job Postmus and TengMA(@te3t123) for reports.

comment:8 by Mariusz Felisiak <felisiak.mariusz@…>, 3 years ago

In 333c6560:

[3.2.x] Fixed #30530, CVE-2021-44420 -- Fixed potential bypass of an upstream access control based on URL paths.

Thanks Sjoerd Job Postmus and TengMA(@te3t123) for reports.

Backport of d4dcd5b9dd9e462fec8220e33e3e6c822b7e88a6 from main.

comment:9 by Mariusz Felisiak <felisiak.mariusz@…>, 3 years ago

In 7cf7d74:

[2.2.x] Fixed #30530, CVE-2021-44420 -- Fixed potential bypass of an upstream access control based on URL paths.

Thanks Sjoerd Job Postmus and TengMA(@te3t123) for reports.

Backport of d4dcd5b9dd9e462fec8220e33e3e6c822b7e88a6 from main.

comment:10 by Mariusz Felisiak, 3 years ago

Triage Stage: UnreviewedAccepted

comment:11 by GitHub <noreply@…>, 3 years ago

In 5de12a36:

Refs #33365, Refs #30530 -- Doc'd re_path() behavior change in Django 2.2.25, 3.1.14, and 3.2.10.

Follow up to d4dcd5b9dd9e462fec8220e33e3e6c822b7e88a6.

comment:12 by Mariusz Felisiak <felisiak.mariusz@…>, 3 years ago

In 267a743b:

[4.0.x] Refs #33365, Refs #30530 -- Doc'd re_path() behavior change in Django 2.2.25, 3.1.14, and 3.2.10.

Follow up to d4dcd5b9dd9e462fec8220e33e3e6c822b7e88a6.
Backport of 5de12a369a7b2231e668e0460c551c504718dbf6 from main

comment:13 by Mariusz Felisiak <felisiak.mariusz@…>, 3 years ago

In ae242235:

[3.2.x] Refs #33365, Refs #30530 -- Doc'd re_path() behavior change in Django 2.2.25, 3.1.14, and 3.2.10.

Follow up to d4dcd5b9dd9e462fec8220e33e3e6c822b7e88a6.
Backport of 5de12a369a7b2231e668e0460c551c504718dbf6 from main

comment:14 by Mariusz Felisiak <felisiak.mariusz@…>, 3 years ago

In 0b8a0296:

[3.1.x] Refs #33365, Refs #30530 -- Doc'd re_path() behavior change in Django 2.2.25, 3.1.14, and 3.2.10.

Follow up to d4dcd5b9dd9e462fec8220e33e3e6c822b7e88a6.
Backport of 5de12a369a7b2231e668e0460c551c504718dbf6 from main

comment:15 by Mariusz Felisiak <felisiak.mariusz@…>, 3 years ago

In b8782066:

[2.2.x] Refs #33365, Refs #30530 -- Doc'd re_path() behavior change in Django 2.2.25, 3.1.14, and 3.2.10.

Follow up to d4dcd5b9dd9e462fec8220e33e3e6c822b7e88a6.
Backport of 5de12a369a7b2231e668e0460c551c504718dbf6 from main

Note: See TracTickets for help on using tickets.
Back to Top