diff options
| author | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2024-07-18 13:19:34 +0200 |
|---|---|---|
| committer | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2024-07-31 16:12:11 +0200 |
| commit | d0a82e26a74940bf0c78204933c3bdd6a283eb88 (patch) | |
| tree | e80378499b78b8e9374940687df04f5588a1ca2b | |
| parent | fc76660f589ac07e45e9cd34ccb8087aeb11904b (diff) | |
[4.2.x] Fixed CVE-2024-41990 -- Mitigated potential DoS in urlize and urlizetrunc template filters.
Thanks to MProgrammer for the report.
| -rw-r--r-- | django/utils/html.py | 18 | ||||
| -rw-r--r-- | docs/releases/4.2.15.txt | 7 | ||||
| -rw-r--r-- | tests/utils_tests/test_html.py | 2 |
3 files changed, 17 insertions, 10 deletions
diff --git a/django/utils/html.py b/django/utils/html.py index fd313ff9ca..dd52f1f7fe 100644 --- a/django/utils/html.py +++ b/django/utils/html.py @@ -378,7 +378,11 @@ class Urlizer: trimmed_something = True counts[closing] -= strip - rstripped = middle.rstrip(self.trailing_punctuation_chars_no_semicolon) + amp = middle.rfind("&") + if amp == -1: + rstripped = middle.rstrip(self.trailing_punctuation_chars) + else: + rstripped = middle.rstrip(self.trailing_punctuation_chars_no_semicolon) if rstripped != middle: trail = middle[len(rstripped) :] + trail middle = rstripped @@ -386,15 +390,9 @@ class Urlizer: if self.trailing_punctuation_chars_has_semicolon and middle.endswith(";"): # Only strip if not part of an HTML entity. - amp = middle.rfind("&") - if amp == -1: - can_strip = True - else: - potential_entity = middle[amp:] - escaped = html.unescape(potential_entity) - can_strip = (escaped == potential_entity) or escaped.endswith(";") - - if can_strip: + potential_entity = middle[amp:] + escaped = html.unescape(potential_entity) + if escaped == potential_entity or escaped.endswith(";"): rstripped = middle.rstrip(";") amount_stripped = len(middle) - len(rstripped) if amp > -1 and amount_stripped > 1: diff --git a/docs/releases/4.2.15.txt b/docs/releases/4.2.15.txt index f3fdb0a3cf..91d6d385e3 100644 --- a/docs/releases/4.2.15.txt +++ b/docs/releases/4.2.15.txt @@ -16,6 +16,13 @@ consumption. To avoid this, decimals with more than 200 digits are now returned as is. +CVE-2024-41990: Potential denial-of-service vulnerability in ``django.utils.html.urlize()`` +=========================================================================================== + +:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential +denial-of-service attack via very large inputs with a specific sequence of +characters. + Bugfixes ======== diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py index 6dab41634a..c45e0dfac1 100644 --- a/tests/utils_tests/test_html.py +++ b/tests/utils_tests/test_html.py @@ -349,6 +349,8 @@ class TestUtilsHtml(SimpleTestCase): "[(" * 100_000 + ":" + ")]" * 100_000, "([[" * 100_000 + ":" + "]])" * 100_000, "&:" + ";" * 100_000, + "&.;" * 100_000, + ".;" * 100_000, ) for value in tests: with self.subTest(value=value): |