diff options
| author | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2024-07-18 13:19:34 +0200 |
|---|---|---|
| committer | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2024-07-31 16:12:11 +0200 |
| commit | d0a82e26a74940bf0c78204933c3bdd6a283eb88 (patch) | |
| tree | e80378499b78b8e9374940687df04f5588a1ca2b /django/utils/html.py | |
| parent | fc76660f589ac07e45e9cd34ccb8087aeb11904b (diff) | |
[4.2.x] Fixed CVE-2024-41990 -- Mitigated potential DoS in urlize and urlizetrunc template filters.
Thanks to MProgrammer for the report.
Diffstat (limited to 'django/utils/html.py')
| -rw-r--r-- | django/utils/html.py | 18 |
1 files changed, 8 insertions, 10 deletions
diff --git a/django/utils/html.py b/django/utils/html.py index fd313ff9ca..dd52f1f7fe 100644 --- a/django/utils/html.py +++ b/django/utils/html.py @@ -378,7 +378,11 @@ class Urlizer: trimmed_something = True counts[closing] -= strip - rstripped = middle.rstrip(self.trailing_punctuation_chars_no_semicolon) + amp = middle.rfind("&") + if amp == -1: + rstripped = middle.rstrip(self.trailing_punctuation_chars) + else: + rstripped = middle.rstrip(self.trailing_punctuation_chars_no_semicolon) if rstripped != middle: trail = middle[len(rstripped) :] + trail middle = rstripped @@ -386,15 +390,9 @@ class Urlizer: if self.trailing_punctuation_chars_has_semicolon and middle.endswith(";"): # Only strip if not part of an HTML entity. - amp = middle.rfind("&") - if amp == -1: - can_strip = True - else: - potential_entity = middle[amp:] - escaped = html.unescape(potential_entity) - can_strip = (escaped == potential_entity) or escaped.endswith(";") - - if can_strip: + potential_entity = middle[amp:] + escaped = html.unescape(potential_entity) + if escaped == potential_entity or escaped.endswith(";"): rstripped = middle.rstrip(";") amount_stripped = len(middle) - len(rstripped) if amp > -1 and amount_stripped > 1: |