From ecf1f8fb900f94de08c945164633e9a28a2edadb Mon Sep 17 00:00:00 2001 From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> Date: Thu, 18 Jul 2024 13:19:34 +0200 Subject: Fixed CVE-2024-41990 -- Mitigated potential DoS in urlize and urlizetrunc template filters. Thanks to MProgrammer for the report. --- django/utils/html.py | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) (limited to 'django/utils/html.py') diff --git a/django/utils/html.py b/django/utils/html.py index 1d96cfe6db..1123e38f6c 100644 --- a/django/utils/html.py +++ b/django/utils/html.py @@ -410,7 +410,11 @@ class Urlizer: trimmed_something = True counts[closing] -= strip - rstripped = middle.rstrip(self.trailing_punctuation_chars_no_semicolon) + amp = middle.rfind("&") + if amp == -1: + rstripped = middle.rstrip(self.trailing_punctuation_chars) + else: + rstripped = middle.rstrip(self.trailing_punctuation_chars_no_semicolon) if rstripped != middle: trail = middle[len(rstripped) :] + trail middle = rstripped @@ -418,15 +422,9 @@ class Urlizer: if self.trailing_punctuation_chars_has_semicolon and middle.endswith(";"): # Only strip if not part of an HTML entity. - amp = middle.rfind("&") - if amp == -1: - can_strip = True - else: - potential_entity = middle[amp:] - escaped = html.unescape(potential_entity) - can_strip = (escaped == potential_entity) or escaped.endswith(";") - - if can_strip: + potential_entity = middle[amp:] + escaped = html.unescape(potential_entity) + if escaped == potential_entity or escaped.endswith(";"): rstripped = middle.rstrip(";") amount_stripped = len(middle) - len(rstripped) if amp > -1 and amount_stripped > 1: -- cgit v1.3