From e157315da3ae7005fa0683ffc9751dbeca7306c8 Mon Sep 17 00:00:00 2001 From: Tim Graham Date: Sat, 24 Feb 2018 11:30:11 -0500 Subject: [2.0.x] Fixed CVE-2018-7536 -- Fixed catastrophic backtracking in urlize and urlizetrunc template filters. Thanks Florian Apolloner for assisting with the patch. --- tests/utils_tests/test_html.py | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) (limited to 'tests/utils_tests/test_html.py') diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py index 08b31bc55a..077729b069 100644 --- a/tests/utils_tests/test_html.py +++ b/tests/utils_tests/test_html.py @@ -5,7 +5,7 @@ from django.test import SimpleTestCase from django.utils.functional import lazystr from django.utils.html import ( conditional_escape, escape, escapejs, format_html, html_safe, linebreaks, - smart_urlquote, strip_spaces_between_tags, strip_tags, + smart_urlquote, strip_spaces_between_tags, strip_tags, urlize, ) from django.utils.safestring import mark_safe @@ -216,3 +216,12 @@ class TestUtilsHtml(SimpleTestCase): @html_safe class HtmlClass: pass + + def test_urlize_unchanged_inputs(self): + tests = ( + ('a' + '@a' * 50000) + 'a', # simple_email_re catastrophic test + ('a' + '.' * 1000000) + 'a', # trailing_punctuation catastrophic test + ) + for value in tests: + with self.subTest(value=value): + self.assertEqual(urlize(value), value) -- cgit v1.3