diff options
| author | Florian Apolloner <florian@apolloner.eu> | 2019-07-15 12:00:06 +0200 |
|---|---|---|
| committer | Carlton Gibson <carlton.gibson@noumenal.es> | 2019-08-01 09:24:54 +0200 |
| commit | 4b78420d250df5e21763633871e486ee76728cc4 (patch) | |
| tree | 6227c024865efca0e2d6f5c1f498dc078fd7ea00 /docs/releases/2.2.4.txt | |
| parent | 7f65974f8219729c047fbbf8cd5cc9d80faefe77 (diff) | |
Fixed CVE-2019-14233 -- Prevented excessive HTMLParser recursion in strip_tags() when handling incomplete HTML entities.
Thanks to Guido Vranken for initial report.
Diffstat (limited to 'docs/releases/2.2.4.txt')
| -rw-r--r-- | docs/releases/2.2.4.txt | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/docs/releases/2.2.4.txt b/docs/releases/2.2.4.txt index b22aa42482..c965373677 100644 --- a/docs/releases/2.2.4.txt +++ b/docs/releases/2.2.4.txt @@ -20,6 +20,23 @@ The regular expressions used by ``Truncator`` have been simplified in order to avoid potential backtracking issues. As a consequence, trailing punctuation may now at times be included in the truncated output. +CVE-2019-14233: Denial-of-service possibility in ``strip_tags()`` +================================================================= + +Due to the behavior of the underlying ``HTMLParser``, +:func:`django.utils.html.strip_tags` would be extremely slow to evaluate +certain inputs containing large sequences of nested incomplete HTML entities. +The ``strip_tags()`` method is used to implement the corresponding +:tfilter:`striptags` template filter, which was thus also vulnerable. + +``strip_tags()`` now avoids recursive calls to ``HTMLParser`` when progress +removing tags, but necessarily incomplete HTML entities, stops being made. + +Remember that absolutely NO guarantee is provided about the results of +``strip_tags()`` being HTML safe. So NEVER mark safe the result of a +``strip_tags()`` call without escaping it first, for example with +:func:`django.utils.html.escape`. + Bugfixes ======== |