From 022ab0a75c76ab2ea31dfcc5f2cf5501e378d397 Mon Sep 17 00:00:00 2001 From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> Date: Mon, 12 Aug 2024 15:17:57 +0200 Subject: [5.1.x] Fixed CVE-2024-45230 -- Mitigated potential DoS in urlize and urlizetrunc template filters. Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report. --- tests/template_tests/filter_tests/test_urlize.py | 5 +++++ tests/utils_tests/test_html.py | 1 + 2 files changed, 6 insertions(+) (limited to 'tests') diff --git a/tests/template_tests/filter_tests/test_urlize.py b/tests/template_tests/filter_tests/test_urlize.py index c19103859e..546bd6c7d6 100644 --- a/tests/template_tests/filter_tests/test_urlize.py +++ b/tests/template_tests/filter_tests/test_urlize.py @@ -321,6 +321,11 @@ class FunctionTests(SimpleTestCase): '' "http://example.com?x=&;;", ) + self.assertEqual( + urlize("http://example.com?x=&.;...;", autoescape=False), + '' + "http://example.com?x=&.;...;", + ) def test_brackets(self): """ diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py index 10ba621dd5..9bee483dc7 100644 --- a/tests/utils_tests/test_html.py +++ b/tests/utils_tests/test_html.py @@ -375,6 +375,7 @@ class TestUtilsHtml(SimpleTestCase): "&:" + ";" * 100_000, "&.;" * 100_000, ".;" * 100_000, + "&" + ";:" * 100_000, ) for value in tests: with self.subTest(value=value): -- cgit v1.3