#36831: Add validation for CSP directive names and values in build_policy()
-------------------------------------+-------------------------------------
     Reporter:  naveedqadir          |                     Type:
                                     |  Cleanup/optimization
       Status:  new                  |                Component:  Utilities
      Version:  6.0                  |                 Severity:  Normal
     Keywords:                       |             Triage Stage:
                                     |  Unreviewed
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
 The `build_policy()` function in `django/utils/csp.py` does not validate
 directive names or values, allowing malformed CSP policies to be
 generated.

 == Problem ==

 CSP policies use semicolons to separate directives. If a directive name or
 value contains a semicolon (e.g., from a misconfiguration), it can result
 in a malformed policy:

 {{{#!python
 from django.utils.csp import build_policy

 # A single value that itself contains "; " produces a malformed CSP header.
 policy = {"script-src": ["https://good.com; report-uri https://evil.com"]}
 print(build_policy(policy))
 # Prints: script-src https://good.com; report-uri https://evil.com
 # The semicolon splits what should be one directive into two!
 }}}

 While this requires developer misconfiguration (not user input), it's a
 hardening improvement to catch these errors early with a clear error
 message rather than silently producing invalid policies.

 == Solution ==

 Add validation to `build_policy()` that raises `ValueError` if:
 - Directive names contain semicolons, `\r`, or `\n`
 - Values contain semicolons

 The error messages guide developers to use proper list syntax for multiple
 values.
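 As an added standalone illustration (not Django's own `django.utils.csp`
 code), the following models the checks proposed above: a simplified builder
 that serialises directives as `name value value; name value`, a validator
 that raises `ValueError` for names containing `;`, `\r` or `\n` and for
 values containing `;`, and a small parser that shows how a receiving browser
 would read the unvalidated header from the example in the Problem section.
 The names `validate_csp_config`, `build_policy_checked`, `policy_error` and
 `parse_policy` are assumptions for this example, as is the sample config.

```python
"""Model of a CSP builder with the validation proposed in this ticket.

This is not django.utils.csp.build_policy(); it only reproduces the shape
"directive followed by space-separated values, directives joined by '; '"
so the effect of the checks can be demonstrated offline.
"""

# Characters that would break a directive name (assumption: same set as the ticket).
_FORBIDDEN_IN_NAME = (";", "\r", "\n")


def _as_list(values):
    """Accept a single string or an iterable of strings; return a list."""
    return [values] if isinstance(values, str) else list(values)


def validate_csp_config(config):
    """Raise ValueError for names or values that would corrupt the serialised policy.

    Returns the config unchanged so the call can be used inline.
    """
    for directive, values in config.items():
        if any(ch in directive for ch in _FORBIDDEN_IN_NAME):
            raise ValueError(
                f"CSP directive name {directive!r} must not contain ';', '\\r' or '\\n'."
            )
        for value in _as_list(values):
            if ";" in value:
                raise ValueError(
                    f"CSP value {value!r} for directive {directive!r} must not "
                    "contain ';'. Pass multiple sources as separate list items, "
                    "e.g. ['https://good.com', 'https://cdn.example'] (constructed)."
                )
    return config


def build_policy_checked(config):
    """Serialise a validated config into a Content-Security-Policy header value."""
    validate_csp_config(config)
    parts = []
    for directive, values in config.items():
        values = _as_list(values)
        # Valueless directives (e.g. upgrade-insecure-requests) are emitted bare.
        parts.append(f"{directive} {' '.join(values)}" if values else directive)
    return "; ".join(parts)


def policy_error(config):
    """Return the validation message for config, or None when it passes."""
    try:
        validate_csp_config(config)
    except ValueError as exc:
        return str(exc)
    return None


def parse_policy(header):
    """Split a serialised policy the way a receiver does: on ';', then on whitespace.

    Used here to show that an unvalidated value containing '; ' is read as a
    second directive rather than as part of the first one.
    """
    result = {}
    for chunk in header.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        name, *values = chunk.split()
        result[name] = values
    return result


if __name__ == "__main__":
    # Constructed sample configs.
    good = {"script-src": ["'self'", "https://good.com"], "upgrade-insecure-requests": []}
    bad = {"script-src": ["https://good.com; report-uri https://evil.com"]}

    print(build_policy_checked(good))
    # What the unvalidated builder from the Problem section would have emitted,
    # and how a receiver splits it into two directives:
    print(parse_policy("script-src https://good.com; report-uri https://evil.com"))
    print(policy_error(bad))
```

 Running the block prints the well-formed header for `good`, the two-directive
 split for the unvalidated string, and the `ValueError` message for `bad`.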

 == Patch ==

 A patch with tests is ready and will be submitted as a PR.
-- 
Ticket URL: <https://code.djangoproject.com/ticket/36831>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
