[3.1.x] Fixed #32713, Fixed CVE-2021-32052 -- Prevented newlines and tabs from being accepted in URLValidator on Python 3.9.5+.

In Python 3.9.5+ urllib.parse() automatically removes ASCII newlines and tabs from URLs [1, 2]. Unfortunately it created an issue in the URLValidator. URLValidator uses urllib.urlsplit() and urllib.urlunsplit() for creating a URL variant with Punycode which no longer contains newlines and tabs in Python 3.9.5+. As a consequence, the regular expression matched the URL (without unsafe characters) and the source value (with unsafe characters) was considered valid. [1] https://bugs.python.org/issue43882 and [2] 76cd81d603 Backport of e1e81aa1c4 from main.
2025-07-24 05:36:15 +00:00 · 2021-05-04 20:50:12 +02:00 · 2021-05-04 20:50:12 +02:00 · afb23f5929
commit afb23f5929
parent fdbf4a7c16
5 changed files with 56 additions and 1 deletions
--- a/docs/releases/2.2.22.txt
+++ b/docs/releases/2.2.22.txt
@ -0,0 +1,22 @@
+===========================
+Django 2.2.22 release notes
+===========================
+
+*May 6, 2021*
+
+Django 2.2.22 fixes a security issue in 2.2.21.
+
+CVE-2021-32052: Header injection possibility since ``URLValidator`` accepted newlines in input on Python 3.9.5+
+===============================================================================================================
+
+On Python 3.9.5+, :class:`~django.core.validators.URLValidator` didn't prohibit
+newlines and tabs. If you used values with newlines in HTTP response, you could
+suffer from header injection attacks. Django itself wasn't vulnerable because
+:class:`~django.http.HttpResponse` prohibits newlines in HTTP headers.
+
+Moreover, the ``URLField`` form field which uses ``URLValidator`` silently
+removes newlines and tabs on Python 3.9.5+, so the possibility of newlines
+entering your data only existed if you are using this validator outside of the
+form fields.
+
+This issue was introduced by the :bpo:`43882` fix.
--- a/docs/releases/3.1.10.txt
+++ b/docs/releases/3.1.10.txt
@ -0,0 +1,22 @@
+===========================
+Django 3.1.10 release notes
+===========================
+
+*May 6, 2021*
+
+Django 3.1.10 fixes a security issue in 3.1.9.
+
+CVE-2021-32052: Header injection possibility since ``URLValidator`` accepted newlines in input on Python 3.9.5+
+===============================================================================================================
+
+On Python 3.9.5+, :class:`~django.core.validators.URLValidator` didn't prohibit
+newlines and tabs. If you used values with newlines in HTTP response, you could
+suffer from header injection attacks. Django itself wasn't vulnerable because
+:class:`~django.http.HttpResponse` prohibits newlines in HTTP headers.
+
+Moreover, the ``URLField`` form field which uses ``URLValidator`` silently
+removes newlines and tabs on Python 3.9.5+, so the possibility of newlines
+entering your data only existed if you are using this validator outside of the
+form fields.
+
+This issue was introduced by the :bpo:`43882` fix.
--- a/docs/releases/index.txt
+++ b/docs/releases/index.txt
@ -25,6 +25,7 @@ versions of the documentation contain the release notes for any later releases.
 .. toctree::
   :maxdepth: 1

+   3.1.10
   3.1.9
   3.1.8
   3.1.7
@ -62,6 +63,7 @@ versions of the documentation contain the release notes for any later releases.
 .. toctree::
   :maxdepth: 1

+   2.2.22
   2.2.21
   2.2.20
   2.2.19