authorTim Graham <timograham@gmail.com>2018-02-24 11:30:11 -0500
committerTim Graham <timograham@gmail.com>2018-03-06 08:52:23 -0500
commite157315da3ae7005fa0683ffc9751dbeca7306c8 (patch)
tree694cffd122b307d5f4159f70e6bb7ceacffc12a9 /tests/utils_tests/test_html.py
parent2da00644764fef7cd4fb6200894ca13bc140b037 (diff)
[2.0.x] Fixed CVE-2018-7536 -- Fixed catastrophic backtracking in urlize and urlizetrunc template filters.
Thanks Florian Apolloner for assisting with the patch.
Diffstat (limited to 'tests/utils_tests/test_html.py')
-rw-r--r--tests/utils_tests/test_html.py11
1 files changed, 10 insertions, 1 deletions
diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
index 08b31bc55a..077729b069 100644
--- a/tests/utils_tests/test_html.py
+++ b/tests/utils_tests/test_html.py
@@ -5,7 +5,7 @@ from django.test import SimpleTestCase
from django.utils.functional import lazystr
from django.utils.html import (
conditional_escape, escape, escapejs, format_html, html_safe, linebreaks,
- smart_urlquote, strip_spaces_between_tags, strip_tags,
+ smart_urlquote, strip_spaces_between_tags, strip_tags, urlize,
)
from django.utils.safestring import mark_safe
@@ -216,3 +216,12 @@ class TestUtilsHtml(SimpleTestCase):
@html_safe
class HtmlClass:
pass
+
+ def test_urlize_unchanged_inputs(self):
+ tests = (
+ ('a' + '@a' * 50000) + 'a', # simple_email_re catastrophic test
+ ('a' + '.' * 1000000) + 'a', # trailing_punctuation catastrophic test
+ )
+ for value in tests:
+ with self.subTest(value=value):
+ self.assertEqual(urlize(value), value)
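Review bot: In `test_urlize_unchanged_inputs` the only check is `self.assertEqual(urlize(value), value)`, so nothing in the test bounds running time. If the backtracking behaviour returned, the test would run for a very long time instead of failing. A docstring would make that explicit for whoever sees the suite stall, for example `"""Regression test for CVE-2018-7536: urlize() must return these inputs unchanged without catastrophic regex backtracking."""`. As a smaller point, `self.subTest(value=value)` would put the whole input, up to about a million characters, into any failure report, so a short label per case would keep the output readable. The enclosing class `TestUtilsHtml` starts outside the hunk.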