Overview
CVE-2007-5712 affected Django's internationalization (i18n) framework when USE_I18N is enabled: a remote client could cause a memory-based denial of service by sending large Accept-Language headers. In the affected versions (Django 0.91, 0.95, 0.95.1 and 0.96), the code path that parses locale information from the header could allocate substantial resources per request because the header length was unbounded. An attacker who repeatedly issued requests with oversized headers could drive memory growth across worker processes and cause a service outage. The vulnerability showed how tightly coupled input parsing and localization logic can become a resource-exhaustion vector under load, which is why strict input bounds and rate limiting are essential in security-conscious deployments.
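The defensive principle described above, bounding what an Accept-Language header is allowed to cost, is shown below as an added example; it is not Django's own parser or fix. The bounds (1024 characters, 16 language ranges, 256 cached parses) are assumptions chosen for illustration, and the small LRU cache illustrates why any per-header cache must itself be capped, since otherwise a stream of distinct oversized headers grows memory across requests.

```python
import re
from collections import OrderedDict

# Bounds chosen for this example (assumptions, not values taken from Django).
MAX_HEADER_LEN = 1024      # characters of Accept-Language we are willing to parse
MAX_LANGUAGES = 16         # language ranges kept from a single header
MAX_CACHE_ENTRIES = 256    # parsed headers retained in memory across requests

# One language-range with an optional quality value, e.g. "en-GB;q=0.8" or "*".
_LANG_RE = re.compile(
    r'^([A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*|\*)'
    r'\s*(?:;\s*q\s*=\s*(0(?:\.\d{0,3})?|1(?:\.0{0,3})?))?$'
)


class BoundedLRU:
    """Fixed-capacity LRU cache: repeated distinct headers cannot grow memory without limit."""

    def __init__(self, capacity):
        self.capacity = capacity
        self._data = OrderedDict()

    def get(self, key):
        if key in self._data:
            self._data.move_to_end(key)
            return self._data[key]
        return None

    def put(self, key, value):
        self._data[key] = value
        self._data.move_to_end(key)
        if len(self._data) > self.capacity:
            self._data.popitem(last=False)  # evict the least recently used entry

    def __len__(self):
        return len(self._data)


_parse_cache = BoundedLRU(MAX_CACHE_ENTRIES)


def parse_accept_language(header):
    """Return [(language, q), ...] sorted by descending q, enforcing hard limits on
    header length, number of ranges, and the size of the parse cache."""
    if not header:
        return []
    # Bound 1: an oversized header is rejected outright rather than parsed or
    # truncated mid-token, so its cost is a single length check.
    if len(header) > MAX_HEADER_LEN:
        return []
    cached = _parse_cache.get(header)
    if cached is not None:
        return cached
    result = []
    for piece in header.split(','):
        if len(result) >= MAX_LANGUAGES:   # Bound 2: cap the number of ranges kept
            break
        match = _LANG_RE.match(piece.strip())
        if not match:
            continue                        # skip malformed ranges instead of raising
        lang, q = match.group(1), match.group(2)
        q = float(q) if q is not None else 1.0
        if q > 0:                           # q=0 means "not acceptable"
            result.append((lang.lower(), q))
    # Stable sort keeps header order for equal q values.
    result.sort(key=lambda item: item[1], reverse=True)
    _parse_cache.put(header, result)        # Bound 3: the cache itself is capped
    return result


if __name__ == '__main__':
    # Constructed sample headers for a quick demonstration.
    print(parse_accept_language('en-GB;q=0.8, fr, *;q=0.1'))
    print(parse_accept_language('en,' * 1000))   # rejected: over MAX_HEADER_LEN
```

In a Django view the same function would be applied to request.META['HTTP_ACCEPT_LANGUAGE'] before any language is activated, so that the per-request cost is bounded regardless of what the client sends.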
Affected Versions
Django 0.91, 0.95, 0.95.1, 0.96
Code Fix Example
Django API Security Remediation
from django.http import HttpResponse
from django.utils.translation import activate


# Vulnerable pattern: the raw header is split and activated with no bound on its size
def vulnerable_view(request):
    header = request.META.get('HTTP_ACCEPT_LANGUAGE', '')
    languages = [lang.strip() for lang in header.split(',')]
    if languages:
        activate(languages[0])
    # Simulated heavy memory usage due to large header processing
    data = [0] * 100000
    return HttpResponse('OK')


# Fixed pattern: cap the header length before parsing and drop quality parameters
def fixed_view(request):
    header = request.META.get('HTTP_ACCEPT_LANGUAGE', '')
    max_len = 1024  # cap header length to prevent unbounded parsing
    header = header[:max_len]
    languages = [lang.split(';')[0].strip() for lang in header.split(',') if lang]
    if languages:
        activate(languages[0])
    data = [0] * 20000  # simulated, reduced memory footprint after the cap
    return HttpResponse('OK')