authorMariusz Felisiak <felisiak.mariusz@gmail.com>2024-07-10 20:30:12 +0200
committerSarah Boyce <42296566+sarahboyce@users.noreply.github.com>2024-07-31 16:12:23 +0200
commitefea1ef7e2190e3f77ca0651b5458297bc0f6a9f (patch)
tree69b0236736ffabd9de6d5963ab8e33fcc01eca9b /tests/admin_widgets/tests.py
parentd0a82e26a74940bf0c78204933c3bdd6a283eb88 (diff)
[4.2.x] Fixed CVE-2024-41991 -- Prevented potential ReDoS in django.utils.html.urlize() and AdminURLFieldWidget.
Thanks Seokchan Yoon for the report. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
Diffstat (limited to 'tests/admin_widgets/tests.py')
-rw-r--r--tests/admin_widgets/tests.py7
1 files changed, 6 insertions, 1 deletions
diff --git a/tests/admin_widgets/tests.py b/tests/admin_widgets/tests.py
index 0e20206048..4281ed07c6 100644
--- a/tests/admin_widgets/tests.py
+++ b/tests/admin_widgets/tests.py
@@ -461,7 +461,12 @@ class AdminSplitDateTimeWidgetTest(SimpleTestCase):
class AdminURLWidgetTest(SimpleTestCase):
def test_get_context_validates_url(self):
w = widgets.AdminURLFieldWidget()
- for invalid in ["", "/not/a/full/url/", 'javascript:alert("Danger XSS!")']:
+ for invalid in [
+ "",
+ "/not/a/full/url/",
+ 'javascript:alert("Danger XSS!")',
+ "http://" + "한.글." * 1_000_000 + "com",
+ ]:
with self.subTest(url=invalid):
self.assertFalse(w.get_context("name", invalid, {})["url_valid"])
self.assertTrue(w.get_context("name", "http://example.com", {})["url_valid"])
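Review bot: The new list entry `"http://" + "한.글." * 1_000_000 + "com"` is the only case whose purpose is not evident from its value, and a regression in the validator would most likely surface as this test hanging rather than as a failing assertFalse, so it should carry a comment saying what it guards: `# Regression test for CVE-2024-41991: a multi-megabyte host must be rejected promptly, not trigger catastrophic regex backtracking.` The `with self.subTest(url=invalid):` line will embed the whole multi-megabyte string in the failure output if the assertion ever fails; a short label such as `url=invalid[:64]` would keep a failure readable while still distinguishing the cases. The hunk only asserts that `url_valid` is False for this input; whether the fix also bounds wall-clock time is not visible here and presumably relies on the test runner's overall timeout.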