diff options
| author | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2024-07-18 13:19:34 +0200 |
|---|---|---|
| committer | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2024-08-06 08:50:08 +0200 |
| commit | ecf1f8fb900f94de08c945164633e9a28a2edadb (patch) | |
| tree | ed2e0f3dd427187f435d6de1624fb71bb0403527 /django/utils/html.py | |
| parent | c19465ad87e33b6122c886b97a202ad54cd43672 (diff) | |
Fixed CVE-2024-41990 -- Mitigated potential DoS in urlize and urlizetrunc template filters.
Thanks to MProgrammer for the report.
Diffstat (limited to 'django/utils/html.py')
| -rw-r--r-- | django/utils/html.py | 18 |
1 files changed, 8 insertions, 10 deletions
diff --git a/django/utils/html.py b/django/utils/html.py index 1d96cfe6db..1123e38f6c 100644 --- a/django/utils/html.py +++ b/django/utils/html.py @@ -410,7 +410,11 @@ class Urlizer: trimmed_something = True counts[closing] -= strip - rstripped = middle.rstrip(self.trailing_punctuation_chars_no_semicolon) + amp = middle.rfind("&") + if amp == -1: + rstripped = middle.rstrip(self.trailing_punctuation_chars) + else: + rstripped = middle.rstrip(self.trailing_punctuation_chars_no_semicolon) if rstripped != middle: trail = middle[len(rstripped) :] + trail middle = rstripped @@ -418,15 +422,9 @@ class Urlizer: if self.trailing_punctuation_chars_has_semicolon and middle.endswith(";"): # Only strip if not part of an HTML entity. - amp = middle.rfind("&") - if amp == -1: - can_strip = True - else: - potential_entity = middle[amp:] - escaped = html.unescape(potential_entity) - can_strip = (escaped == potential_entity) or escaped.endswith(";") - - if can_strip: + potential_entity = middle[amp:] + escaped = html.unescape(potential_entity) + if escaped == potential_entity or escaped.endswith(";"): rstripped = middle.rstrip(";") amount_stripped = len(middle) - len(rstripped) if amp > -1 and amount_stripped > 1: |