diff options
| author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2024-07-10 20:30:12 +0200 |
|---|---|---|
| committer | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2024-08-06 08:51:22 +0200 |
| commit | bd807c0c25ab69361a4c08edcc1cf04d4652aa0a (patch) | |
| tree | b9aa620ad5a6c747ee4b9aae9aef0f18c479347b /tests/utils_tests/test_html.py | |
| parent | 0c1a8909164d8f2846322efb1143b72ad1616bd8 (diff) | |
[5.1.x] Fixed CVE-2024-41991 -- Prevented potential ReDoS in django.utils.html.urlize() and AdminURLFieldWidget.
Thanks Seokchan Yoon for the report.
Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
Diffstat (limited to 'tests/utils_tests/test_html.py')
| -rw-r--r-- | tests/utils_tests/test_html.py | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py index 6050ed62b0..82dbd58f12 100644 --- a/tests/utils_tests/test_html.py +++ b/tests/utils_tests/test_html.py @@ -338,6 +338,15 @@ class TestUtilsHtml(SimpleTestCase): 'Search for <a href="http://google.com/?q=">google.com/?q=</a>!', ), ("foo@example.com", '<a href="mailto:foo@example.com">foo@example.com</a>'), + ( + "test@" + "한.글." * 15 + "aaa", + '<a href="mailto:test@' + + "xn--6q8b.xn--bj0b." * 15 + + 'aaa">' + + "test@" + + "한.글." * 15 + + "aaa</a>", + ), ) for value, output in tests: with self.subTest(value=value): @@ -346,6 +355,10 @@ class TestUtilsHtml(SimpleTestCase): def test_urlize_unchanged_inputs(self): tests = ( ("a" + "@a" * 50000) + "a", # simple_email_re catastrophic test + # Unicode domain catastrophic tests. + "a@" + "한.글." * 1_000_000 + "a", + "http://" + "한.글." * 1_000_000 + "com", + "www." + "한.글." * 1_000_000 + "com", ("a" + "." * 1000000) + "a", # trailing_punctuation catastrophic test "foo@", "@foo.com", |
