File CVE_2021_32052.patch of Package python-Django1
Index: Django-1.11.29/django/core/validators.py
===================================================================
--- Django-1.11.29.orig/django/core/validators.py
+++ Django-1.11.29/django/core/validators.py
@@ -106,6 +106,7 @@ class URLValidator(RegexValidator):
r'\Z', re.IGNORECASE)
message = _('Enter a valid URL.')
schemes = ['http', 'https', 'ftp', 'ftps']
+ unsafe_chars = frozenset('\t\r\n')
def __init__(self, schemes=None, **kwargs):
super(URLValidator, self).__init__(**kwargs)
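Review bot: `unsafe_chars` is introduced without a comment saying why these three characters are rejected, which makes it easy for a later edit or a subclass override to weaken the set without noticing the security impact. I would add a line above it such as `# Tab, CR and LF are rejected before any parsing: URL-splitting code may strip them, letting a value with embedded newlines validate (CVE-2021-32052).` The `URLValidator` class body starts and ends outside this hunk.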
@@ -114,6 +115,8 @@ class URLValidator(RegexValidator):
def __call__(self, value):
value = force_text(value)
+ if isinstance(value, str) and self.unsafe_chars.intersection(value):
+ raise ValidationError(self.message, code=self.code)
# Check first if the scheme is valid
scheme = value.split('://')[0].lower()
if scheme not in self.schemes:
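Review bot: The `isinstance(value, str)` guard on the new check is redundant at best and may switch the check off. `value` has just been passed through `force_text()`, which returns the text type, and on Python 2 (still supported by Django 1.11) that type is `unicode` rather than `str`, so the tab/CR/LF rejection would be skipped there. If this package is built for Python 2, drop the guard and write `if self.unsafe_chars.intersection(value):`, or test against `six.text_type`. A regression case that feeds a unicode URL containing `\n` on each supported interpreter would confirm which behaviour applies. `__call__` continues past the end of this hunk.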