788700 – (CVE-2021-32052) <dev-python/django-{2.2.22,3.1.10,3.2.2}: header injection possibility via newlines and tabs in URLs (CVE-2021-32052)

Bug 788700 (CVE-2021-32052) - <dev-python/django-{2.2.22,3.1.10,3.2.2}: header injection possibility via newlines and tabs in URLs (CVE-2021-32052)

Summary: <dev-python/django-{2.2.22,3.1.10,3.2.2}: header injection possibility via ne...

Status:	IN_PROGRESS

Alias:	CVE-2021-32052

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B4 [glsa? cve]
Keywords:

Depends on:	CVE-2021-33203, CVE-2021-33571
Blocks:
	Show dependency tree

Reported:	2021-05-07 08:23 UTC by Michał Górny
Modified:	2023-10-06 10:34 UTC (History)
CC List:	0 users

See Also:	CVE-2021-29921
Package list:	dev-python/django-2.2.22 dev-python/django-3.1.10 dev-python/django-3.2.2
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michał Górny archtester

2021-05-07 08:23:42 UTC

CVE-2021-32052: Header injection possibility since ``URLValidator`` accepted newlines in input on Python 3.9.5+
==============================================================================================================

+On Python 3.9.5+, :class:`~django.core.validators.URLValidator` didn't rohibit
+newlines and tabs. If you used values with newlines in HTTP response, you ould
suffer from header injection attacks. Django itself wasn't vulnerable because
:class:`~django.http.HttpResponse` prohibits newlines in HTTP headers.

Moreover, the ``URLField`` form field which uses ``URLValidator`` silently
removes newlines and tabs on Python 3.9.5+, so the possibility of newlines
entering your data only existed if you are using this validator outside of the
form fields.

This issue was introduced by the :bpo:`43882` fix.

Comment 1 NATTkA bot gentoo-dev

2021-05-07 08:28:21 UTC Comment hidden (obsolete)

Unable to check for sanity:

> no match for package: dev-python/django-2.2.22

Comment 2 NATTkA bot gentoo-dev

2021-05-07 08:48:24 UTC Comment hidden (obsolete)

All sanity-check issues have been resolved

Comment 3 Sam James archtester

2021-05-09 01:29:28 UTC

amd64 arm arm64 x86 (ALLARCHES) done

all arches done

Comment 4 Michał Górny archtester

2021-05-09 08:26:37 UTC

cleanup done.

Comment 5 John Helmert III archtester

2021-05-13 14:10:12 UTC

Thank you!

Comment 6 NATTkA bot gentoo-dev

2021-06-03 06:48:26 UTC

Unable to check for sanity:

> no match for package: dev-python/django-2.2.22

Comment 7 John Helmert III archtester

2021-07-11 02:59:02 UTC

GLSA request filed.