Overview

File CVE_2021_32052.patch of Package python-Django1

Index: Django-1.11.29/django/core/validators.py
===================================================================
--- Django-1.11.29.orig/django/core/validators.py
+++ Django-1.11.29/django/core/validators.py
@@ -106,6 +106,7 @@ class URLValidator(RegexValidator):
         r'\Z', re.IGNORECASE)
     message = _('Enter a valid URL.')
     schemes = ['http', 'https', 'ftp', 'ftps']
+    unsafe_chars = frozenset('\t\r\n')
 
     def __init__(self, schemes=None, **kwargs):
         super(URLValidator, self).__init__(**kwargs)
@@ -114,6 +115,8 @@ class URLValidator(RegexValidator):
 
     def __call__(self, value):
         value = force_text(value)
+        if isinstance(value, str) and self.unsafe_chars.intersection(value):
+            raise ValidationError(self.message, code=self.code)
         # Check first if the scheme is valid
         scheme = value.split('://')[0].lower()
         if scheme not in self.schemes:
openSUSE Build Service is sponsored by
Places