Refs CVE-2024-27351 -- Forwardported release notes and tests.

Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>

4 files changed, 51 insertions, 0 deletions

diff --git a/docs/releases/3.2.25.txt b/docs/releases/3.2.25.txt
index aa81c720d5..a3a90986ff 100644
--- a/docs/releases/3.2.25.txt
+++ b/docs/releases/3.2.25.txt
@@ -7,6 +7,14 @@ Django 3.2.25 release notes
 Django 3.2.25 fixes a security issue with severity "moderate" and a regression
 in 3.2.24.
 
+CVE-2024-27351: Potential regular expression denial-of-service in ``django.utils.text.Truncator.words()``
+=========================================================================================================
+
+``django.utils.text.Truncator.words()`` method (with ``html=True``) and
+:tfilter:`truncatewords_html` template filter were subject to a potential
+regular expression denial-of-service attack using a suitably crafted string
+(follow up to :cve:`2019-14232` and :cve:`2023-43665`).
+
 Bugfixes
 ========
 
diff --git a/docs/releases/4.2.11.txt b/docs/releases/4.2.11.txt
index 82c691fcb7..c562e47866 100644
--- a/docs/releases/4.2.11.txt
+++ b/docs/releases/4.2.11.txt
@@ -7,6 +7,14 @@ Django 4.2.11 release notes
 Django 4.2.11 fixes a security issue with severity "moderate" and a regression
 in 4.2.10.
 
+CVE-2024-27351: Potential regular expression denial-of-service in ``django.utils.text.Truncator.words()``
+=========================================================================================================
+
+``django.utils.text.Truncator.words()`` method (with ``html=True``) and
+:tfilter:`truncatewords_html` template filter were subject to a potential
+regular expression denial-of-service attack using a suitably crafted string
+(follow up to :cve:`2019-14232` and :cve:`2023-43665`).
+
 Bugfixes
 ========
 
diff --git a/docs/releases/5.0.3.txt b/docs/releases/5.0.3.txt
index 9db83d0135..bd3c6b5004 100644
--- a/docs/releases/5.0.3.txt
+++ b/docs/releases/5.0.3.txt
@@ -7,6 +7,14 @@ Django 5.0.3 release notes
 Django 5.0.3 fixes a security issue with severity "moderate" and several bugs
 in 5.0.2.
 
+CVE-2024-27351: Potential regular expression denial-of-service in ``django.utils.text.Truncator.words()``
+=========================================================================================================
+
+``django.utils.text.Truncator.words()`` method (with ``html=True``) and
+:tfilter:`truncatewords_html` template filter were subject to a potential
+regular expression denial-of-service attack using a suitably crafted string
+(follow up to :cve:`2019-14232` and :cve:`2023-43665`).
+
 Bugfixes
 ========
 
diff --git a/tests/utils_tests/test_text.py b/tests/utils_tests/test_text.py
index b38d8238c5..ab2cfb3f7c 100644
--- a/tests/utils_tests/test_text.py
+++ b/tests/utils_tests/test_text.py
@@ -292,6 +292,33 @@ class TestUtilsText(SimpleTestCase):
         truncator = text.Truncator("foo</p>")
         self.assertEqual("foo</p>", truncator.words(3, html=True))
 
+        # Only open brackets.
+        truncator = text.Truncator("<" * 60_000)
+        self.assertEqual(truncator.words(1, html=True), "&lt;…")
+
+        # Tags with special chars in attrs.
+        truncator = text.Truncator(
+            """<i style="margin: 5%; font: *;">Hello, my dear lady!</i>"""
+        )
+        self.assertEqual(
+            """<i style="margin: 5%; font: *;">Hello, my dear…</i>""",
+            truncator.words(3, html=True),
+        )
+
+        # Tags with special non-latin chars in attrs.
+        truncator = text.Truncator("""<p data-x="א">Hello, my dear lady!</p>""")
+        self.assertEqual(
+            """<p data-x="א">Hello, my dear…</p>""",
+            truncator.words(3, html=True),
+        )
+
+        # Misplaced brackets.
+        truncator = text.Truncator("hello >< world")
+        self.assertEqual(truncator.words(1, html=True), "hello…")
+        self.assertEqual(truncator.words(2, html=True), "hello &gt;…")
+        self.assertEqual(truncator.words(3, html=True), "hello &gt;&lt;…")
+        self.assertEqual(truncator.words(4, html=True), "hello &gt;&lt; world")
+
     @patch("django.utils.text.Truncator.MAX_LENGTH_HTML", 10_000)
     def test_truncate_words_html_size_limit(self):
         max_len = text.Truncator.MAX_LENGTH_HTML