[3.2.x] Fixed CVE-2023-43665 -- Mitigated potential DoS in django.utils.text.Truncator when truncating HTML text.

Thanks Wenchao Li of Alibaba Group for the report.

1 files changed, 17 insertions, 1 deletions

diff --git a/django/utils/text.py b/django/utils/text.py
index baa44f279e..83e258fa81 100644
--- a/django/utils/text.py
+++ b/django/utils/text.py
@@ -60,7 +60,14 @@ def wrap(text, width):
 class Truncator(SimpleLazyObject):
     """
     An object used to truncate text, either by characters or words.
+
+    When truncating HTML text (either chars or words), input will be limited to
+    at most `MAX_LENGTH_HTML` characters.
     """
+
+    # 5 million characters are approximately 4000 text pages or 3 web pages.
+    MAX_LENGTH_HTML = 5_000_000
+
     def __init__(self, text):
         super().__init__(lambda: str(text))
 
@@ -157,6 +164,11 @@ class Truncator(SimpleLazyObject):
         if words and length <= 0:
             return ''
 
+        size_limited = False
+        if len(text) > self.MAX_LENGTH_HTML:
+            text = text[: self.MAX_LENGTH_HTML]
+            size_limited = True
+
         html4_singlets = (
             'br', 'col', 'link', 'base', 'img',
             'param', 'area', 'hr', 'input'
@@ -206,10 +218,14 @@ class Truncator(SimpleLazyObject):
                 # Add it to the start of the open tags list
                 open_tags.insert(0, tagname)
 
+        truncate_text = self.add_truncation_text("", truncate)
+
         if current_len <= length:
+            if size_limited and truncate_text:
+                text += truncate_text
             return text
+
         out = text[:end_text_pos]
-        truncate_text = self.add_truncation_text('', truncate)
         if truncate_text:
             out += truncate_text
         # Close any tags still open