From 5d50a2e5fa36ad23ab532fc54cf4073de84b3306 Mon Sep 17 00:00:00 2001 From: Florian Apolloner Date: Fri, 19 Jul 2019 17:04:53 +0200 Subject: [2.1.x] Fixed CVE-2019-14235 -- Fixed potential memory exhaustion in django.utils.encoding.uri_to_iri(). Thanks to Guido Vranken for initial report. --- django/utils/encoding.py | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) (limited to 'django/utils/encoding.py') diff --git a/django/utils/encoding.py b/django/utils/encoding.py index 4ff530c406..fd63c8d21c 100644 --- a/django/utils/encoding.py +++ b/django/utils/encoding.py @@ -228,13 +228,16 @@ def repercent_broken_unicode(path): repercent-encode any octet produced that is not part of a strictly legal UTF-8 octet sequence. """ - try: - path.decode() - except UnicodeDecodeError as e: - repercent = quote(path[e.start:e.end], safe=b"/#%[]=:;$&()+,!?*@'~") - path = repercent_broken_unicode( - path[:e.start] + force_bytes(repercent) + path[e.end:]) - return path + while True: + try: + path.decode() + except UnicodeDecodeError as e: + # CVE-2019-14235: A recursion shouldn't be used since the exception + # handling uses massive amounts of memory + repercent = quote(path[e.start:e.end], safe=b"/#%[]=:;$&()+,!?*@'~") + path = path[:e.start] + force_bytes(repercent) + path[e.end:] + else: + return path def filepath_to_uri(path): -- cgit v1.3