[5.0.x] Fixed CVE-2025-26699 -- Mitigated potential DoS in wordwrap template filter.

Thanks sw0rd1ight for the report.

Backport of 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b from main.

1 files changed, 10 insertions, 18 deletions

diff --git a/django/utils/text.py b/django/utils/text.py
index d992f80dd2..36ab6a9efc 100644
--- a/django/utils/text.py
+++ b/django/utils/text.py
@@ -1,6 +1,7 @@
 import gzip
 import re
 import secrets
+import textwrap
 import unicodedata
 from gzip import GzipFile
 from gzip import compress as gzip_compress
@@ -97,24 +98,15 @@ def wrap(text, width):
     ``width``.
     """
 
-    def _generator():
-        for line in text.splitlines(True):  # True keeps trailing linebreaks
-            max_width = min((line.endswith("\n") and width + 1 or width), width)
-            while len(line) > max_width:
-                space = line[: max_width + 1].rfind(" ") + 1
-                if space == 0:
-                    space = line.find(" ") + 1
-                    if space == 0:
-                        yield line
-                        line = ""
-                        break
-                yield "%s\n" % line[: space - 1]
-                line = line[space:]
-                max_width = min((line.endswith("\n") and width + 1 or width), width)
-            if line:
-                yield line
-
-    return "".join(_generator())
+    wrapper = textwrap.TextWrapper(
+        width=width,
+        break_long_words=False,
+        break_on_hyphens=False,
+    )
+    result = []
+    for line in text.splitlines(True):
+        result.extend(wrapper.wrap(line))
+    return "\n".join(result)
 
 
 def add_truncation_text(text, truncate=None):