#36868: Bugs in normalize() function
-----------------------------+--------------------------------------
Reporter: hhellbentt | Owner: (none)
Type: Bug | Status: closed
Component: Core (URLs) | Version: 6.0
Severity: Normal | Resolution: invalid
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-----------------------------+--------------------------------------
Changes (by Natalia Bidart):
* component: Forms => Core (URLs)
* resolution: => invalid
* status: new => closed
* type: Uncategorized => Bug
Comment:
Hello hhellbentt, thank you for your report. However, there are a couple
of issues with this submission.
First of all, if you believe you've found a security vulnerability, report
it to [email protected], not on the public tracker. See our
[https://docs.djangoproject.com/en/stable/internals/security/ security
policy].
Second, this is not a valid vector for a DOS attack: the `normalize()`
function is internal and documented as "not intended for external use." It
is only called during URL resolution with developer-defined patterns from
`urls.py`, loaded at startup. There is no code path in Django where user
input reaches this function.
I believe your proof of concept requires custom code that passes
unsanitized user input to an internal API:
{{{#!python
from django.http import HttpResponse
from django.utils.regex_helper import normalize

def regex_view(request):
    # Developer-written insecure code: untrusted POST data is handed straight
    # to an internal API that only expects developer-defined URL patterns
    normalize(request.POST.get('pattern'))
    return HttpResponse()
}}}
This is not a Django vulnerability. Per our
[https://docs.djangoproject.com/en/stable/internals/security/#reporting-guidelines reporting guidelines]:
- "Reports based on a failure to sanitize user input are not valid
security vulnerabilities."
- "If a vulnerability depends on directly calling [internal] functions
in an unsafe way, it will not be considered a valid security issue".
If you can provide a proof of concept that follows our reporting
guidelines, specifically one that does not rely on passing unsanitized
user input to internal APIs, please submit it to
[email protected].
The edge cases you identified (unmatched parentheses, trailing
backslashes) cannot be triggered by attackers in standard Django usage. If
you'd like them handled more gracefully, you're welcome to submit a patch.
--
Ticket URL: <https://code.djangoproject.com/ticket/36868#comment:1>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion visit
https://groups.google.com/d/msgid/django-updates/0107019bc6c06942-649f97a0-3d3a-4290-a062-a7dd907cf04b-000000%40eu-central-1.amazonses.com.
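Added illustration, not part of the ticket and not Django's own code: the boundary the comment draws is that a regex pattern is developer data fixed at startup, and untrusted input may only ever be matched against it, never become it. The stand-alone Python below uses the standard library's re module in place of Django's internal normalize(), so it runs without Django installed. ROUTES, insecure_lookup, secure_lookup, literal_match, classify_untrusted_pattern and the sample paths are all constructed for the example; the insecure function mirrors the shape of the view quoted in the comment, and the secure one shows the pattern a developer should use instead.

```python
import re

# Constructed stand-in for a URL table loaded once at startup, the way Django
# loads the developer-written patterns from urls.py. Untrusted input must only
# ever be matched *against* these patterns; it must never *become* a pattern.
ROUTES = {
    "article": re.compile(r"^articles/(?P<year>[0-9]{4})/$"),
    "user": re.compile(r"^users/(?P<name>[a-z]+)/$"),
}


def insecure_lookup(user_pattern, path):
    """Insecure shape, equivalent to the view quoted in the ticket comment: the
    caller hands an untrusted string to the regex engine as the pattern itself.
    Malformed input such as "(" or a trailing backslash raises re.error; the
    crash is caused by the developer's code, not by the library it called."""
    return re.compile(user_pattern).match(path) is not None


def secure_lookup(route_name, path):
    """Hardened shape: user input only selects a developer-defined route by
    name and the path is matched against it; an unknown name is simply not a
    route. Returns the captured groups, or None when nothing matches."""
    pattern = ROUTES.get(route_name)
    if pattern is None:
        return None
    match = pattern.match(path)
    return match.groupdict() if match else None


def literal_match(user_text, candidate):
    """When user text genuinely has to take part in a pattern, escape it first
    so regex metacharacters (parentheses, backslashes) are matched literally."""
    return re.fullmatch(re.escape(user_text), candidate) is not None


def classify_untrusted_pattern(user_pattern):
    """Report how the stdlib compiler treats a would-be pattern. Used here to
    show that the reporter's edge cases (unmatched parenthesis, trailing
    backslash) are rejected at compile time rather than silently accepted."""
    try:
        re.compile(user_pattern)
    except re.error as exc:
        return "rejected: " + exc.msg
    return "accepted"


if __name__ == "__main__":
    # Constructed sample inputs: two malformed patterns and one valid one.
    for sample in ["(", "\\", r"^a+$"]:
        print(repr(sample), "->", classify_untrusted_pattern(sample))
    print(secure_lookup("article", "articles/2024/"))   # {'year': '2024'}
    print(secure_lookup("(", "articles/2024/"))         # None: "(" is data, not a pattern
```

The design point is the one the comment makes: in secure_lookup the attacker-controlled string "(" never reaches the regex engine as a pattern, so the malformed-pattern edge cases cannot be triggered no matter what is submitted; only the developer's startup-time patterns are ever compiled.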