From 022ab0a75c76ab2ea31dfcc5f2cf5501e378d397 Mon Sep 17 00:00:00 2001
From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
Date: Mon, 12 Aug 2024 15:17:57 +0200
Subject: [5.1.x] Fixed CVE-2024-45230 -- Mitigated potential DoS in urlize and
urlizetrunc template filters.
Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
---
tests/template_tests/filter_tests/test_urlize.py | 5 +++++
tests/utils_tests/test_html.py | 1 +
2 files changed, 6 insertions(+)
(limited to 'tests')
diff --git a/tests/template_tests/filter_tests/test_urlize.py b/tests/template_tests/filter_tests/test_urlize.py
index c19103859e..546bd6c7d6 100644
--- a/tests/template_tests/filter_tests/test_urlize.py
+++ b/tests/template_tests/filter_tests/test_urlize.py
@@ -321,6 +321,11 @@ class FunctionTests(SimpleTestCase):
''
"http://example.com?x=&;;",
)
+ self.assertEqual(
+ urlize("http://example.com?x=&.;...;", autoescape=False),
+ ''
+ "http://example.com?x=&.;...;",
+ )
def test_brackets(self):
"""
diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
index 10ba621dd5..9bee483dc7 100644
--- a/tests/utils_tests/test_html.py
+++ b/tests/utils_tests/test_html.py
@@ -375,6 +375,7 @@ class TestUtilsHtml(SimpleTestCase):
"&:" + ";" * 100_000,
"&.;" * 100_000,
".;" * 100_000,
+ "&" + ";:" * 100_000,
)
for value in tests:
with self.subTest(value=value):
--
cgit v1.3