[Django] #36868: Bugs in normalize() function


Django

Jan 15, 2026, 11:52:25 AM (9 days ago) Jan 15
to django-...@googlegroups.com
#36868: Bugs in normalize() function
----------------------------+-----------------------------------------
Reporter: hhellbentt | Type: Uncategorized
Status: new | Component: Forms
Version: 6.0 | Severity: Normal
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
----------------------------+-----------------------------------------
Hello, I am doing fuzz testing and have found two bugs in your
project (possibly vulnerabilities, but when reproduced, the project does
not crash, which means they are simply bugs).

The normalize function from
https://github.com/django/django/blob/main/django/utils/regex_helper.py

Crashes when receiving the following data in two cases:
1) curl -X POST http://127.0.0.1:8000/regex/ --data-binary $'pattern=\\\266\367' (two backslashes break the logic)
2) when receiving unpaired opening and closing tags, the pop() array
method attempts to remove something that does not exist from an empty
array.

I think this is potentially a vector for a DOS attack. I hope you will fix
this as soon as possible.

Translated with DeepL.com (free version)
--
Ticket URL: <https://code.djangoproject.com/ticket/36868>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Jan 15, 2026, 11:52:40 AM (9 days ago) Jan 15
to django-...@googlegroups.com
#36868: Bugs in normalize() function
-------------------------------+--------------------------------------
Reporter: hhellbentt | Owner: (none)
Type: Uncategorized | Status: new
Component: Forms | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------
Changes (by hhellbentt):

* Attachment "photo_2026-01-15_19-51-44.jpg" added.

Django

Jan 15, 2026, 11:54:25 AM (9 days ago) Jan 15
to django-...@googlegroups.com
#36868: Bugs in normalize() function
-------------------------------+--------------------------------------
Reporter: hhellbentt | Owner: (none)
Type: Uncategorized | Status: new
Component: Forms | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------
Changes (by hhellbentt):

* Attachment "{21C0D829-3A4C-4F29-A562-B5CB4F812ADB}.png" added.

Django

Jan 15, 2026, 11:54:48 AM (9 days ago) Jan 15
to django-...@googlegroups.com
#36868: Bugs in normalize() function
-------------------------------+--------------------------------------
Reporter: hhellbentt | Owner: (none)
Type: Uncategorized | Status: new
Component: Forms | Version: 6.0
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------
Changes (by hhellbentt):

* Attachment "1.png" added.

Django

Jan 16, 2026, 7:21:02 AM (8 days ago) Jan 16
to django-...@googlegroups.com
#36868: Bugs in normalize() function
-----------------------------+--------------------------------------
Reporter: hhellbentt | Owner: (none)
Type: Bug | Status: closed
Component: Core (URLs) | Version: 6.0
Severity: Normal | Resolution: invalid
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-----------------------------+--------------------------------------
Changes (by Natalia Bidart):

* component: Forms => Core (URLs)
* resolution: => invalid
* status: new => closed
* type: Uncategorized => Bug

Comment:

Hello hhellbentt, thank you for your report. However, there are a couple
of issues with this submission.

First of all, if you believe you've found a security vulnerability, report
it to secu...@djangoproject.com, not on the public tracker. See our
[https://docs.djangoproject.com/en/stable/internals/security/ security
policy].

Second, this is not a valid vector for a DOS attack: the `normalize()`
function is internal and documented as "not intended for external use." It
is only called during URL resolution with developer-defined patterns from
`urls.py`, loaded at startup. There is no code path in Django where user
input reaches this function.

I believe your proof of concept requires custom code that passes
unsanitized user input to an internal API:

{{{#!python
from django.utils.regex_helper import normalize

def regex_view(request):
    # Developer-written insecure code: untrusted POST data is handed
    # straight to an internal API that expects developer-authored patterns.
    normalize(request.POST.get('pattern'))
}}}

This is not a Django vulnerability. Per our
[https://docs.djangoproject.com/en/stable/internals/security/#reporting-guidelines reporting guidelines]:
- "Reports based on a failure to sanitize user input are not valid
security vulnerabilities."
- "If a vulnerability depends on directly calling [internal] functions
in an unsafe way, it will not be considered a valid security issue".

If you can provide a proof of concept that follows our reporting
guidelines, specifically one that does not rely on passing unsanitized
user input to internal APIs, please submit it to
secu...@djangoproject.com.

The edge cases you identified (unmatched parentheses, trailing
backslashes) cannot be triggered by attackers in standard Django usage. If
you'd like them handled more gracefully, you're welcome to submit a patch.
--
Ticket URL: <https://code.djangoproject.com/ticket/36868#comment:1>
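The comment above explains that `normalize()` is only ever fed developer-authored patterns from `urls.py`, so the malformed inputs in the report (a trailing backslash, unmatched parentheses) never reach it from a request in standard Django usage. The following is an added example, not Django's code and not part of the ticket: if a developer nevertheless chose to accept a regex pattern from a request, as the insecure view in the comment does, the cheap guard that belongs at that trust boundary is to let the standard-library `re` parser reject malformed patterns first, together with a length cap as a basic resource-exhaustion control. The function name `check_pattern` and the `MAX_PATTERN_LENGTH` value are assumptions made for this example.

```python
import re

# Upper bound on accepted pattern length. A constructed value for this
# example, not a Django setting: the point is that untrusted input gets a
# hard size limit before any parser sees it.
MAX_PATTERN_LENGTH = 256


def check_pattern(pattern):
    """Validate an untrusted regex pattern before it is used anywhere.

    Returns (True, None) when the pattern is a str of acceptable length that
    the stdlib regex parser accepts, otherwise (False, reason).  re.compile()
    rejects exactly the two malformed shapes named in the ticket: a pattern
    ending in an unpaired backslash ("bad escape (end of pattern)") and
    unbalanced parentheses ("missing )" / "unbalanced parenthesis").
    """
    if not isinstance(pattern, str):
        return False, "pattern must be a str"
    if len(pattern) > MAX_PATTERN_LENGTH:
        return False, "pattern too long"
    try:
        re.compile(pattern)
    except re.error as exc:
        # Surface the parser's own reason; do not pass the input further.
        return False, str(exc)
    return True, None


if __name__ == "__main__":
    # Constructed inputs: one well-formed URL-style pattern and the
    # malformed shapes described in the ticket.
    samples = [
        r"^articles/(?P<year>[0-9]{4})/$",
        "abc\\",   # trailing, unpaired backslash
        "(abc",    # opening parenthesis never closed
        "abc)",    # closing parenthesis with no opener
    ]
    for sample in samples:
        ok, reason = check_pattern(sample)
        print(f"{sample!r}: {'ok' if ok else 'rejected: ' + reason}")
```

This guard does not change the conclusion in the comment: an internal API stays internal, and the right fix for the hypothetical view is to not pass request data to `normalize()` at all. The check is what a developer would put in front of any regex-accepting endpoint of their own, where `re.error` and an oversized input are the expected, handled outcomes rather than an unhandled exception.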