diff options
| author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2024-07-10 20:30:12 +0200 |
|---|---|---|
| committer | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2024-08-06 08:51:22 +0200 |
| commit | bd807c0c25ab69361a4c08edcc1cf04d4652aa0a (patch) | |
| tree | b9aa620ad5a6c747ee4b9aae9aef0f18c479347b /tests/admin_widgets | |
| parent | 0c1a8909164d8f2846322efb1143b72ad1616bd8 (diff) | |
[5.1.x] Fixed CVE-2024-41991 -- Prevented potential ReDoS in django.utils.html.urlize() and AdminURLFieldWidget.
Thanks Seokchan Yoon for the report.
Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
Diffstat (limited to 'tests/admin_widgets')
| -rw-r--r-- | tests/admin_widgets/tests.py | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/tests/admin_widgets/tests.py b/tests/admin_widgets/tests.py index 6f009a6f3f..467e2b558d 100644 --- a/tests/admin_widgets/tests.py +++ b/tests/admin_widgets/tests.py @@ -462,7 +462,12 @@ class AdminSplitDateTimeWidgetTest(SimpleTestCase): class AdminURLWidgetTest(SimpleTestCase): def test_get_context_validates_url(self): w = widgets.AdminURLFieldWidget() - for invalid in ["", "/not/a/full/url/", 'javascript:alert("Danger XSS!")']: + for invalid in [ + "", + "/not/a/full/url/", + 'javascript:alert("Danger XSS!")', + "http://" + "한.글." * 1_000_000 + "com", + ]: with self.subTest(url=invalid): self.assertFalse(w.get_context("name", invalid, {})["url_valid"]) self.assertTrue(w.get_context("name", "http://example.com", {})["url_valid"]) |
