#30530: url `path` accepts newlines in various places.
----------------------------------------------+------------------------
               Reporter:  Sjoerd Job Postmus  |          Owner:  nobody
                   Type:  Bug                 |         Status:  new
              Component:  Core (URLs)         |        Version:  master
               Severity:  Normal              |       Keywords:
           Triage Stage:  Unreviewed          |      Has patch:  0
    Needs documentation:  0                   |    Needs tests:  0
Patch needs improvement:  0                   |  Easy pickings:  0
                  UI/UX:  0                   |
----------------------------------------------+------------------------
 Consider the following simplified `urls.py`.

 {{{
 from django.http import HttpResponse
 from django.urls import path


 def path_view(request):
     return HttpResponse('<pre>===&gt;' + request.path + '&lt;===</pre>')


 def render_something(request, something):
     return HttpResponse('<pre>===&gt;' + something + '&lt;===</pre>')


 urlpatterns = [
     path('hello/', path_view),
     path('foo/<something>/bar/', render_something),
 ]
 }}}

 By accessing `http://localhost:8000/hello/%0a`, it's clear that the
 newline is accepted in the URL. This is because the underlying logic uses
 a `$` in the regular expression, instead of `\Z`.

 By accessing `http://localhost:8000/foo/hello%0aworld/bar/`, it's clear
 that the default `str` converter accepts a newline anywhere in the segment.
 This is because it uses a negative match `[^/]+`, which happily accepts a
 newline character (both `%0a` and `%0d`).

 I propose changing the `$` to `\Z`, and the negative match to `[^/\r\n]+`.

 I would also suggest changing the documentation on the `re_path` to
 suggest `\Z` instead of `$`, though that may be more controversial.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/30530>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
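As an added illustration, not part of the ticket or of Django's own code, the following standalone script reproduces the two regex behaviours the report describes using only Python's `re` module (the same engine Django's resolver uses). The sample paths and segments are constructed here, and the `$`/`\Z` and `[^/]+`/`[^/\r\n]+` pairs are the ones the report proposes changing; the small `uses_weak_anchor` helper is a hypothetical check one could run over `re_path` patterns, not a Django API.

```python
import re

# Constructed inputs, written as the resolver sees them after percent-decoding:
# "%0a" has become "\n" and "%0d" has become "\r".
SAMPLE_PATHS = ["hello/", "hello/\n", "hello/\r\n"]
SAMPLE_SEGMENTS = ["hello", "hello\nworld", "hello\rworld"]

# Route-ending anchors compared in the report.
DOLLAR_ANCHOR = "$"
END_OF_STRING_ANCHOR = r"\Z"

# Segment regexes compared in the report: the current str-converter pattern
# and the proposed newline-excluding replacement.
STR_CONVERTER_CURRENT = r"[^/]+"
STR_CONVERTER_PROPOSED = r"[^/\r\n]+"


def anchored_match(route_body: str, path: str, anchor: str) -> bool:
    """Anchor a route regex with the given end anchor and test one path.

    Without re.MULTILINE, '$' matches at the true end of the string *and*
    immediately before a single trailing "\\n"; '\\Z' matches only at the
    true end. That difference is what lets "hello/\\n" through.
    """
    return re.match("^" + route_body + anchor, path) is not None


def segment_accepted(converter_regex: str, segment: str) -> bool:
    """Test whether a converter regex accepts the whole segment."""
    return re.fullmatch(converter_regex, segment) is not None


def uses_weak_anchor(regex: str) -> bool:
    """Flag a hand-written regex that ends in an unescaped '$' rather than '\\Z'.

    Hypothetical lint for re_path patterns; it only inspects the pattern text.
    """
    return regex.endswith("$") and not regex.endswith(r"\$")


def audit(paths=SAMPLE_PATHS, segments=SAMPLE_SEGMENTS) -> dict:
    """Return, for each input, which variant accepts it.

    The dict makes the newline-bearing inputs visible side by side, so the
    effect of the proposed change is easy to verify in a test.
    """
    return {
        "routes": {
            repr(p): {
                "$": anchored_match("hello/", p, DOLLAR_ANCHOR),
                r"\Z": anchored_match("hello/", p, END_OF_STRING_ANCHOR),
            }
            for p in paths
        },
        "segments": {
            repr(s): {
                STR_CONVERTER_CURRENT: segment_accepted(STR_CONVERTER_CURRENT, s),
                STR_CONVERTER_PROPOSED: segment_accepted(STR_CONVERTER_PROPOSED, s),
            }
            for s in segments
        },
    }


if __name__ == "__main__":
    for kind, results in audit().items():
        print(kind)
        for value, outcome in results.items():
            print(f"  {value:16} -> {outcome}")
    for pattern in (r"^articles/(?P<year>[0-9]{4})/$", r"^articles/(?P<year>[0-9]{4})/\Z"):
        print(pattern, "weak anchor" if uses_weak_anchor(pattern) else "ok")
```

Running the script shows that only the `$`-anchored route accepts `"hello/\n"` (a lone trailing `"\r"` or `"\r\n"` is rejected by both anchors, because `$` only tolerates a final `"\n"`), and that only `[^/]+` accepts the segments containing `"\n"` or `"\r"`.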