Opened 3 weeks ago

Closed 3 weeks ago

#36868 closed Bug (invalid)

Bugs in normalize() function

Reported by: hhellbentt Owned by:
Component: Core (URLs) Version: 6.0
Severity: Normal Keywords:
Cc: hhellbentt Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Hello, I am engaged in fuzz testing and have found two bugs in your project (possibly vulnerabilities, but when reproduced, the project does not crash, which means they are simply bugs).

The normalize function from https://github.com/django/django/blob/main/django/utils/regex_helper.py

Crashes when receiving the following data in two cases:
1) curl -X POST http://127.0.0.1:8000/regex/ --data-binary $'pattern=
\266\367 (two backslashes break the logic)
2) when receiving unpaired opening and closing tags, the pop() array method attempts to remove something that does not exist from an empty array.

I think this is potentially a vector for a DOS attack. I hope you will fix this as soon as possible.

Translated with DeepL.com (free version)

Attachments (3)

photo_2026-01-15_19-51-44.jpg (78.9 KB ) - added by hhellbentt 3 weeks ago.
{21C0D829-3A4C-4F29-A562-B5CB4F812ADB}.png (3.5 KB ) - added by hhellbentt 3 weeks ago.
1.png (32.8 KB ) - added by hhellbentt 3 weeks ago.


Change History (4)

by hhellbentt, 3 weeks ago

Attachment: 1.png added

comment:1 by Natalia Bidart, 3 weeks ago

Component: Forms → Core (URLs)
Resolution: invalid
Status: new → closed
Type: Uncategorized → Bug

Hello hhellbentt, thank you for your report. However, there are a couple of issues with this submission.

First of all, if you believe you've found a security vulnerability, report it to security@…, not on the public tracker. See our security policy.

Second, this is not a valid vector for a DOS attack: the normalize() function is internal and documented as "not intended for external use." It is only called during URL resolution with developer-defined patterns from urls.py, loaded at startup. There is no code path in Django where user input reaches this function.

I believe your proof of concept requires custom code that passes unsanitized user input to an internal API:

from django.http import HttpResponse
from django.utils.regex_helper import normalize

def regex_view(request):
    normalize(request.POST.get('pattern'))  # Developer-written insecure
    return HttpResponse("ok")

This is not a Django vulnerability. Per our reporting guidelines:

  • "Reports based on a failure to sanitize user input are not valid security vulnerabilities."
  • "If a vulnerability depends on directly calling [internal] functions in an unsafe way, it will not be considered a valid security issue".

If you can provide a proof of concept that follows our reporting guidelines, specifically one that does not rely on passing unsanitized user input to internal APIs, please submit it to security@….

The edge cases you identified (unmatched parentheses, trailing backslashes) cannot be triggered by attackers in standard Django usage. If you'd like them handled more gracefully, you're welcome to submit a patch.
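To make the two edge cases concrete, here is an added example that is not part of the ticket or of Django's code: a small constructed group scanner that reproduces the crash class the report describes (pop() on an empty list for an unmatched ')', and reading past the end of the input after a trailing backslash) beside a version that rejects such input with a clear error, which is what developer-written code that accepts a pattern from a request should do. The function names are assumptions for this example.

```python
# Constructed stand-in for the kind of group scanner the ticket discusses.
# It is NOT Django's normalize(); it only reproduces the two reported failure
# modes and shows how to fail cleanly instead of leaking an IndexError.

def scan_groups_naive(pattern):
    """Count capturing groups; crashes on the two reported edge cases."""
    stack, groups, i = [], 0, 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            i += 1
            ch = pattern[i]      # IndexError when the backslash is last
        elif ch == "(":
            stack.append(i)
        elif ch == ")":
            stack.pop()          # IndexError when no '(' is open
            groups += 1
        i += 1
    return groups                # silently accepts an unclosed '('

class PatternError(ValueError):
    pass                         # raised for malformed input, never IndexError

def scan_groups_safe(pattern):
    """Same walk, but every malformed input becomes a PatternError."""
    stack, groups, i = [], 0, 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            if i + 1 >= len(pattern):
                raise PatternError("trailing backslash at position %d" % i)
            i += 1               # the escaped character is consumed as-is
        elif ch == "(":
            stack.append(i)
        elif ch == ")":
            if not stack:
                raise PatternError("unmatched ')' at position %d" % i)
            stack.pop()
            groups += 1
        i += 1
    if stack:
        raise PatternError("unclosed '(' at position %d" % stack[-1])
    return groups

def check_user_pattern(raw):
    """What a view should do with untrusted input: reject, never raise."""
    try:
        return True, "%d group(s)" % scan_groups_safe(raw)
    except PatternError as exc:
        return False, str(exc)
```

Both scanners agree on well-formed patterns; only the safe one turns the malformed inputs from the report into a message a view can map to a 4xx response.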
