Fixed CVE-2023-43665 -- Mitigated potential DoS in django.utils.text.Truncator when truncating HTML text.

Thanks Wenchao Li of Alibaba Group for the report.

3 files changed, 52 insertions, 2 deletions

diff --git a/docs/releases/3.2.22.txt b/docs/releases/3.2.22.txt
index 6e1815de11..cfedc41de8 100644
--- a/docs/releases/3.2.22.txt
+++ b/docs/releases/3.2.22.txt
@@ -6,4 +6,20 @@ Django 3.2.22 release notes
 
 Django 3.2.22 fixes a security issue with severity "moderate" in 3.2.21.
 
-...
+CVE-2023-43665: Denial-of-service possibility in ``django.utils.text.Truncator``
+================================================================================
+
+Following the fix for :cve:`2019-14232`, the regular expressions used in the
+implementation of ``django.utils.text.Truncator``'s ``chars()`` and ``words()``
+methods (with ``html=True``) were revised and improved. However, these regular
+expressions still exhibited linear backtracking complexity, so when given a
+very long, potentially malformed HTML input, the evaluation would still be
+slow, leading to a potential denial of service vulnerability.
+
+The ``chars()`` and ``words()`` methods are used to implement the
+:tfilter:`truncatechars_html` and :tfilter:`truncatewords_html` template
+filters, which were thus also vulnerable.
+
+The input processed by ``Truncator``, when operating in HTML mode, has been
+limited to the first five million characters in order to avoid potential
+performance and memory issues.
diff --git a/docs/releases/4.1.12.txt b/docs/releases/4.1.12.txt
index d81df3aefd..6c331dd318 100644
--- a/docs/releases/4.1.12.txt
+++ b/docs/releases/4.1.12.txt
@@ -6,4 +6,20 @@ Django 4.1.12 release notes
 
 Django 4.1.12 fixes a security issue with severity "moderate" in 4.1.11.
 
-...
+CVE-2023-43665: Denial-of-service possibility in ``django.utils.text.Truncator``
+================================================================================
+
+Following the fix for :cve:`2019-14232`, the regular expressions used in the
+implementation of ``django.utils.text.Truncator``'s ``chars()`` and ``words()``
+methods (with ``html=True``) were revised and improved. However, these regular
+expressions still exhibited linear backtracking complexity, so when given a
+very long, potentially malformed HTML input, the evaluation would still be
+slow, leading to a potential denial of service vulnerability.
+
+The ``chars()`` and ``words()`` methods are used to implement the
+:tfilter:`truncatechars_html` and :tfilter:`truncatewords_html` template
+filters, which were thus also vulnerable.
+
+The input processed by ``Truncator``, when operating in HTML mode, has been
+limited to the first five million characters in order to avoid potential
+performance and memory issues.
diff --git a/docs/releases/4.2.6.txt b/docs/releases/4.2.6.txt
index 31929468a6..9b99d8c622 100644
--- a/docs/releases/4.2.6.txt
+++ b/docs/releases/4.2.6.txt
@@ -7,6 +7,24 @@ Django 4.2.6 release notes
 Django 4.2.6 fixes a security issue with severity "moderate" and several bugs
 in 4.2.5.
 
+CVE-2023-43665: Denial-of-service possibility in ``django.utils.text.Truncator``
+================================================================================
+
+Following the fix for :cve:`2019-14232`, the regular expressions used in the
+implementation of ``django.utils.text.Truncator``'s ``chars()`` and ``words()``
+methods (with ``html=True``) were revised and improved. However, these regular
+expressions still exhibited linear backtracking complexity, so when given a
+very long, potentially malformed HTML input, the evaluation would still be
+slow, leading to a potential denial of service vulnerability.
+
+The ``chars()`` and ``words()`` methods are used to implement the
+:tfilter:`truncatechars_html` and :tfilter:`truncatewords_html` template
+filters, which were thus also vulnerable.
+
+The input processed by ``Truncator``, when operating in HTML mode, has been
+limited to the first five million characters in order to avoid potential
+performance and memory issues.
+
 Bugfixes
 ========