diff options
| author | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2024-07-18 13:19:34 +0200 |
|---|---|---|
| committer | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2024-08-06 08:51:22 +0200 |
| commit | 0c1a8909164d8f2846322efb1143b72ad1616bd8 (patch) | |
| tree | f7e2307858a7c171a998e779f1c8a625b3e05fb5 | |
| parent | 0504af64292071e1a9565193ea8265c60600f7d7 (diff) | |
[5.1.x] Fixed CVE-2024-41990 -- Mitigated potential DoS in urlize and urlizetrunc template filters.
Thanks to MProgrammer for the report.
| -rw-r--r-- | django/utils/html.py | 18 | ||||
| -rw-r--r-- | docs/releases/4.2.15.txt | 7 | ||||
| -rw-r--r-- | docs/releases/5.0.8.txt | 7 | ||||
| -rw-r--r-- | tests/utils_tests/test_html.py | 2 |
4 files changed, 24 insertions, 10 deletions
diff --git a/django/utils/html.py b/django/utils/html.py index 1d96cfe6db..1123e38f6c 100644 --- a/django/utils/html.py +++ b/django/utils/html.py @@ -410,7 +410,11 @@ class Urlizer: trimmed_something = True counts[closing] -= strip - rstripped = middle.rstrip(self.trailing_punctuation_chars_no_semicolon) + amp = middle.rfind("&") + if amp == -1: + rstripped = middle.rstrip(self.trailing_punctuation_chars) + else: + rstripped = middle.rstrip(self.trailing_punctuation_chars_no_semicolon) if rstripped != middle: trail = middle[len(rstripped) :] + trail middle = rstripped @@ -418,15 +422,9 @@ class Urlizer: if self.trailing_punctuation_chars_has_semicolon and middle.endswith(";"): # Only strip if not part of an HTML entity. - amp = middle.rfind("&") - if amp == -1: - can_strip = True - else: - potential_entity = middle[amp:] - escaped = html.unescape(potential_entity) - can_strip = (escaped == potential_entity) or escaped.endswith(";") - - if can_strip: + potential_entity = middle[amp:] + escaped = html.unescape(potential_entity) + if escaped == potential_entity or escaped.endswith(";"): rstripped = middle.rstrip(";") amount_stripped = len(middle) - len(rstripped) if amp > -1 and amount_stripped > 1: diff --git a/docs/releases/4.2.15.txt b/docs/releases/4.2.15.txt index f3fdb0a3cf..91d6d385e3 100644 --- a/docs/releases/4.2.15.txt +++ b/docs/releases/4.2.15.txt @@ -16,6 +16,13 @@ consumption. To avoid this, decimals with more than 200 digits are now returned as is. +CVE-2024-41990: Potential denial-of-service vulnerability in ``django.utils.html.urlize()`` +=========================================================================================== + +:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential +denial-of-service attack via very large inputs with a specific sequence of +characters. + Bugfixes ======== diff --git a/docs/releases/5.0.8.txt b/docs/releases/5.0.8.txt index c371e4af0b..7de9bb9de1 100644 --- a/docs/releases/5.0.8.txt +++ b/docs/releases/5.0.8.txt @@ -16,6 +16,13 @@ consumption. To avoid this, decimals with more than 200 digits are now returned as is. +CVE-2024-41990: Potential denial-of-service vulnerability in ``django.utils.html.urlize()`` +=========================================================================================== + +:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential +denial-of-service attack via very large inputs with a specific sequence of +characters. + Bugfixes ======== diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py index 9fe782ed2f..6050ed62b0 100644 --- a/tests/utils_tests/test_html.py +++ b/tests/utils_tests/test_html.py @@ -359,6 +359,8 @@ class TestUtilsHtml(SimpleTestCase): "[(" * 100_000 + ":" + ")]" * 100_000, "([[" * 100_000 + ":" + "]])" * 100_000, "&:" + ";" * 100_000, + "&.;" * 100_000, + ".;" * 100_000, ) for value in tests: with self.subTest(value=value): |