Fixed CVE-2024-41991 -- Prevented potential ReDoS in django.utils.html.urlize() and AdminURLFieldWidget.

Thanks Seokchan Yoon for the report. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
author: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2024-07-10 20:30:12 +0200
committer: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> 2024-08-06 08:50:08 +0200
commit: 5f1757142febd95994caa1c0f64c1a0c161982c3 (patch)
tree: da460becc3d50a1151e78c29bc04e26f03d3d3b1 /tests/admin_widgets
parent: ecf1f8fb900f94de08c945164633e9a28a2edadb (diff)
1 files changed, 6 insertions, 1 deletions
diff --git a/tests/admin_widgets/tests.py b/tests/admin_widgets/tests.py
index 517e060b80..5da4adf8c9 100644
--- a/tests/admin_widgets/tests.py
+++ b/tests/admin_widgets/tests.py
@@ -463,7 +463,12 @@ class AdminSplitDateTimeWidgetTest(SimpleTestCase):
 class AdminURLWidgetTest(SimpleTestCase):
     def test_get_context_validates_url(self):
         w = widgets.AdminURLFieldWidget()
-        for invalid in ["", "/not/a/full/url/", 'javascript:alert("Danger XSS!")']:
+        for invalid in [
+            "",
+            "/not/a/full/url/",
+            'javascript:alert("Danger XSS!")',
+            "http://" + "한.글." * 1_000_000 + "com",
+        ]:
             with self.subTest(url=invalid):
                 self.assertFalse(w.get_context("name", invalid, {})["url_valid"])
         self.assertTrue(w.get_context("name", "http://example.com", {})["url_valid"])
author	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2024-07-10 20:30:12 +0200
committer	Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>	2024-08-06 08:50:08 +0200
commit	5f1757142febd95994caa1c0f64c1a0c161982c3 (patch)
tree	da460becc3d50a1151e78c29bc04e26f03d3d3b1 /tests/admin_widgets
parent	ecf1f8fb900f94de08c945164633e9a28a2edadb (diff)