id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
30530	url `path` accepts newlines in various places.	Sjoerd Job Postmus	nobody	"Consider the following simplified `urls.py`.

{{{
from django.http import HttpResponse
from django.urls import path


def path_view(request):
    return HttpResponse('<pre>===&gt;' + request.path + '&lt;===</pre>')


def render_something(request, something):
    return HttpResponse('<pre>===&gt;' + something + '&lt;===</pre>')


urlpatterns = [
    path('hello/', path_view),
    path('foo/<something>/bar/', render_something),
]
}}}

By accessing `http://localhost:8000/hello/%0a`, it's clear that the newline is accepted in the URL. This is because the underlying logic uses a `$` in the regular expression, instead of `\Z`.

By accessing `http://localhost:8000/foo/hello%0aworld/bar/`, it's clear that the default `str` converter accepts newlines anywhere in the segment. This is because it uses a negative match `[^/]+`, which happily accepts a newline character (both `%0a` and `%0d`).

I propose changing the `$` to `\Z`, and the negative match to `[^/\r\n]+`.

I would also suggest changing the documentation on the `re_path` to suggest `\Z` instead of `$`, though that may be more controversial."	Bug	closed	Core (URLs)	dev	Normal	fixed			Accepted	0	0	0	0	0	0
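
The behaviour described in this ticket can be reproduced with Python's `re` module alone. The following is an added example, not code from the ticket or from Django: `compile_route` is a hypothetical, simplified stand-in for a route-to-regex compiler, and the request paths are constructed. It compares the reported patterns (`[^/]+` and `$`) with the proposed ones (`[^/\r\n]+` and `\Z`).

```python
import re
from urllib.parse import unquote

ROUTES = ['hello/', 'foo/<something>/bar/']   # routes from the ticket's urls.py

# Constructed request paths, percent-encoded as a client would send them.
SAMPLE_PATHS = [
    '/hello/',
    '/hello/%0a',                # single trailing newline
    '/hello/%0a%0a',             # two trailing newlines
    '/foo/hello/bar/',
    '/foo/hello%0aworld/bar/',   # LF inside the captured segment
    '/foo/hello%0dworld/bar/',   # CR inside the captured segment
]


def compile_route(route, segment, end):
    """Hypothetical helper: turn 'a/<name>/b/' into an anchored regex.

    `segment` is the pattern used for each <name>, `end` the end anchor.
    """
    pattern = '^'
    # re.split with a capture group alternates literal text and parameter names.
    for i, part in enumerate(re.split(r'<(\w+)>', route)):
        if i % 2:
            pattern += '(?P<%s>%s)' % (part, segment)
        else:
            pattern += re.escape(part)
    return re.compile(pattern + end)


def audit(routes, raw_paths):
    """Map each raw path to (matches_reported_patterns, matches_proposed_patterns)."""
    reported = [compile_route(r, r'[^/]+', '$') for r in routes]
    proposed = [compile_route(r, r'[^/\r\n]+', r'\Z') for r in routes]
    results = {}
    for raw in raw_paths:
        # Assumption: the resolver sees the decoded path without its leading slash.
        path = unquote(raw).lstrip('/')
        results[raw] = (any(p.search(path) for p in reported),
                        any(p.search(path) for p in proposed))
    return results


if __name__ == '__main__':
    for raw, (old, new) in audit(ROUTES, SAMPLE_PATHS).items():
        print('%-28s reported=%-5s proposed=%s' % (raw, old, new))
```

Without `re.MULTILINE`, `$` matches at the end of the string or just before one final newline, which is why `/hello/%0a` matches under the reported patterns and `/hello/%0a%0a` does not.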
