summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorSarah Boyce <42296566+sarahboyce@users.noreply.github.com>2024-08-12 15:17:57 +0200
committerNatalia <124304+nessita@users.noreply.github.com>2024-09-03 09:32:43 -0300
commit813de2672bd7361e9a453ab62cd6e52f96b6525b (patch)
treeb96c53fc7b1a784288c5e0d05b0d232683f2c9a5 /docs
parent05495d4f5ec4aecc0077464c5b4f1d63e7df9aff (diff)
[5.0.x] Fixed CVE-2024-45230 -- Mitigated potential DoS in urlize and urlizetrunc template filters.
Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
Diffstat (limited to 'docs')
-rw-r--r--docs/ref/templates/builtins.txt11
-rw-r--r--docs/releases/4.2.16.txt7
-rw-r--r--docs/releases/5.0.9.txt7
3 files changed, 23 insertions, 2 deletions
diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt
index 25c8a83e60..ef5633a48b 100644
--- a/docs/ref/templates/builtins.txt
+++ b/docs/ref/templates/builtins.txt
@@ -2855,6 +2855,17 @@ Django's built-in :tfilter:`escape` filter. The default value for
email addresses that contain single quotes (``'``), things won't work as
expected. Apply this filter only to plain text.
+.. warning::
+
+ Using ``urlize`` or ``urlizetrunc`` can incur a performance penalty, which
+ can become severe when applied to user controlled values such as content
+ stored in a :class:`~django.db.models.TextField`. You can use
+ :tfilter:`truncatechars` to add a limit to such inputs:
+
+ .. code-block:: html+django
+
+ {{ value|truncatechars:500|urlize }}
+
.. templatefilter:: urlizetrunc
``urlizetrunc``
diff --git a/docs/releases/4.2.16.txt b/docs/releases/4.2.16.txt
index 9853004386..2a84186867 100644
--- a/docs/releases/4.2.16.txt
+++ b/docs/releases/4.2.16.txt
@@ -7,4 +7,9 @@ Django 4.2.16 release notes
Django 4.2.16 fixes one security issue with severity "moderate" and one
security issue with severity "low" in 4.2.15.
-...
+CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
+===========================================================================================
+
+:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
+denial-of-service attack via very large inputs with a specific sequence of
+characters.
diff --git a/docs/releases/5.0.9.txt b/docs/releases/5.0.9.txt
index eb3dbe832d..50e94ea3f2 100644
--- a/docs/releases/5.0.9.txt
+++ b/docs/releases/5.0.9.txt
@@ -7,4 +7,9 @@ Django 5.0.9 release notes
Django 5.0.9 fixes one security issue with severity "moderate" and one security
issue with severity "low" in 5.0.8.
-...
+CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
+===========================================================================================
+
+:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
+denial-of-service attack via very large inputs with a specific sequence of
+characters.
generated by cgit v1.3 (git 2.53.0) at 2026-05-02 06:49:37 +0000