Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 788700 (CVE-2021-32052)

Summary: <dev-python/django-{2.2.22,3.1.10,3.2.2}: header injection possibility via newlines and tabs in URLs (CVE-2021-32052)
Product: Gentoo Security Reporter: Michał Górny <mgorny>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: IN_PROGRESS ---    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://bugs.gentoo.org/show_bug.cgi?id=787260
Whiteboard: B4 [glsa? cve]
Package list:
dev-python/django-2.2.22 dev-python/django-3.1.10 dev-python/django-3.2.2
 Runtime testing required: ---
Bug Depends on: 793911    
Bug Blocks:    

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-05-07 08:23:42 UTC 
CVE-2021-32052: Header injection possibility since ``URLValidator`` accepted newlines in input on Python 3.9.5+
==============================================================================================================

+On Python 3.9.5+, :class:`~django.core.validators.URLValidator` didn't rohibit
+newlines and tabs. If you used values with newlines in HTTP response, you ould
suffer from header injection attacks. Django itself wasn't vulnerable because
:class:`~django.http.HttpResponse` prohibits newlines in HTTP headers.

Moreover, the ``URLField`` form field which uses ``URLValidator`` silently
removes newlines and tabs on Python 3.9.5+, so the possibility of newlines
entering your data only existed if you are using this validator outside of the
form fields.

This issue was introduced by the :bpo:`43882` fix.
Comment 1 NATTkA bot gentoo-dev 2021-05-07 08:28:21 UTC Comment hidden (obsolete)
Comment 2 NATTkA bot gentoo-dev 2021-05-07 08:48:24 UTC Comment hidden (obsolete)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-09 01:29:28 UTC 
amd64 arm arm64 x86 (ALLARCHES) done

all arches done
Comment 4 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-05-09 08:26:37 UTC 
cleanup done.
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-05-13 14:10:12 UTC 
Thank you!
Comment 6 NATTkA bot gentoo-dev 2021-06-03 06:48:26 UTC 
Unable to check for sanity:

> no match for package: dev-python/django-2.2.22
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-11 02:59:02 UTC 
GLSA request filed.