From 7f65974f8219729c047fbbf8cd5cc9d80faefe77 Mon Sep 17 00:00:00 2001 From: Florian Apolloner Date: Mon, 15 Jul 2019 11:46:09 +0200 Subject: Fixed CVE-2019-14232 -- Adjusted regex to avoid backtracking issues when truncating HTML. Thanks to Guido Vranken for initial report. --- django/utils/text.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'django/utils') diff --git a/django/utils/text.py b/django/utils/text.py index e9b7dcc72b..c2576b012a 100644 --- a/django/utils/text.py +++ b/django/utils/text.py @@ -17,8 +17,8 @@ def capfirst(x): # Set up regular expressions -re_words = re.compile(r'<.*?>|((?:\w[-\w]*|&.*?;)+)', re.S) -re_chars = re.compile(r'<.*?>|(.)', re.S) +re_words = re.compile(r'<[^>]+?>|([^<>\s]+)', re.S) +re_chars = re.compile(r'<[^>]+?>|(.)', re.S) re_tag = re.compile(r'<(/)?(\S+?)(?:(\s*/)|\s.*?)?>', re.S) re_newlines = re.compile(r'\r\n|\r') # Used in normalize_newlines re_camel_case = re.compile(r'(((?<=[a-z])[A-Z])|([A-Z](?![A-Z]|$)))') -- cgit v1.3