From 8124c42601b9abfeb234056092a62a22a22107cb Mon Sep 17 00:00:00 2001 From: Natalia <124304+nessita@users.noreply.github.com> Date: Tue, 19 Sep 2023 09:51:48 -0300 Subject: [5.0.x] Fixed CVE-2023-43665 -- Mitigated potential DoS in django.utils.text.Truncator when truncating HTML text. Thanks Wenchao Li of Alibaba Group for the report. --- docs/ref/templates/builtins.txt | 20 ++++++++++++++++++++ docs/releases/3.2.22.txt | 18 +++++++++++++++++- docs/releases/4.1.12.txt | 18 +++++++++++++++++- docs/releases/4.2.6.txt | 18 ++++++++++++++++++ 4 files changed, 72 insertions(+), 2 deletions(-) (limited to 'docs') diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt index 65579677ca..536f9259bc 100644 --- a/docs/ref/templates/builtins.txt +++ b/docs/ref/templates/builtins.txt @@ -2676,6 +2676,16 @@ If ``value`` is ``"
Joel is a slug
"``, the output will be Newlines in the HTML content will be preserved. +.. admonition:: Size of input string + + Processing large, potentially malformed HTML strings can be + resource-intensive and impact service performance. ``truncatechars_html`` + limits input to the first five million characters. + +.. versionchanged:: 3.2.22 + + In older versions, strings over five million characters were processed. + .. templatefilter:: truncatewords ``truncatewords`` @@ -2718,6 +2728,16 @@ If ``value`` is ``"Joel is a slug
"``, the output will be Newlines in the HTML content will be preserved. +.. admonition:: Size of input string + + Processing large, potentially malformed HTML strings can be + resource-intensive and impact service performance. ``truncatewords_html`` + limits input to the first five million characters. + +.. versionchanged:: 3.2.22 + + In older versions, strings over five million characters were processed. + .. templatefilter:: unordered_list ``unordered_list`` diff --git a/docs/releases/3.2.22.txt b/docs/releases/3.2.22.txt index 6e1815de11..cfedc41de8 100644 --- a/docs/releases/3.2.22.txt +++ b/docs/releases/3.2.22.txt @@ -6,4 +6,20 @@ Django 3.2.22 release notes Django 3.2.22 fixes a security issue with severity "moderate" in 3.2.21. -... +CVE-2023-43665: Denial-of-service possibility in ``django.utils.text.Truncator`` +================================================================================ + +Following the fix for :cve:`2019-14232`, the regular expressions used in the +implementation of ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` +methods (with ``html=True``) were revised and improved. However, these regular +expressions still exhibited linear backtracking complexity, so when given a +very long, potentially malformed HTML input, the evaluation would still be +slow, leading to a potential denial of service vulnerability. + +The ``chars()`` and ``words()`` methods are used to implement the +:tfilter:`truncatechars_html` and :tfilter:`truncatewords_html` template +filters, which were thus also vulnerable. + +The input processed by ``Truncator``, when operating in HTML mode, has been +limited to the first five million characters in order to avoid potential +performance and memory issues. diff --git a/docs/releases/4.1.12.txt b/docs/releases/4.1.12.txt index d81df3aefd..6c331dd318 100644 --- a/docs/releases/4.1.12.txt +++ b/docs/releases/4.1.12.txt @@ -6,4 +6,20 @@ Django 4.1.12 release notes Django 4.1.12 fixes a security issue with severity "moderate" in 4.1.11. -... +CVE-2023-43665: Denial-of-service possibility in ``django.utils.text.Truncator`` +================================================================================ + +Following the fix for :cve:`2019-14232`, the regular expressions used in the +implementation of ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` +methods (with ``html=True``) were revised and improved. However, these regular +expressions still exhibited linear backtracking complexity, so when given a +very long, potentially malformed HTML input, the evaluation would still be +slow, leading to a potential denial of service vulnerability. + +The ``chars()`` and ``words()`` methods are used to implement the +:tfilter:`truncatechars_html` and :tfilter:`truncatewords_html` template +filters, which were thus also vulnerable. + +The input processed by ``Truncator``, when operating in HTML mode, has been +limited to the first five million characters in order to avoid potential +performance and memory issues. diff --git a/docs/releases/4.2.6.txt b/docs/releases/4.2.6.txt index 31929468a6..9b99d8c622 100644 --- a/docs/releases/4.2.6.txt +++ b/docs/releases/4.2.6.txt @@ -7,6 +7,24 @@ Django 4.2.6 release notes Django 4.2.6 fixes a security issue with severity "moderate" and several bugs in 4.2.5. +CVE-2023-43665: Denial-of-service possibility in ``django.utils.text.Truncator`` +================================================================================ + +Following the fix for :cve:`2019-14232`, the regular expressions used in the +implementation of ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` +methods (with ``html=True``) were revised and improved. However, these regular +expressions still exhibited linear backtracking complexity, so when given a +very long, potentially malformed HTML input, the evaluation would still be +slow, leading to a potential denial of service vulnerability. + +The ``chars()`` and ``words()`` methods are used to implement the +:tfilter:`truncatechars_html` and :tfilter:`truncatewords_html` template +filters, which were thus also vulnerable. + +The input processed by ``Truncator``, when operating in HTML mode, has been +limited to the first five million characters in order to avoid potential +performance and memory issues. + Bugfixes ======== -- cgit v1.3