summaryrefslogtreecommitdiff
path: root/tests
diff options
context:
space:
mode:
authorSarah Boyce <42296566+sarahboyce@users.noreply.github.com>2024-08-12 15:17:57 +0200
committerNatalia <124304+nessita@users.noreply.github.com>2024-09-03 09:22:32 -0300
commit320dd27412e791e119d088281913d8f649617a13 (patch)
tree3eff9109166321340704f65baf0e9c6fc32eeedb /tests
parentf5ddd54986172c29c32f5d835584ea237d5a3781 (diff)
Fixed CVE-2024-45230 -- Mitigated potential DoS in urlize and urlizetrunc template filters.
Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
Diffstat (limited to 'tests')
-rw-r--r--tests/template_tests/filter_tests/test_urlize.py5
-rw-r--r--tests/utils_tests/test_html.py1
2 files changed, 6 insertions, 0 deletions
diff --git a/tests/template_tests/filter_tests/test_urlize.py b/tests/template_tests/filter_tests/test_urlize.py
index c19103859e..546bd6c7d6 100644
--- a/tests/template_tests/filter_tests/test_urlize.py
+++ b/tests/template_tests/filter_tests/test_urlize.py
@@ -321,6 +321,11 @@ class FunctionTests(SimpleTestCase):
'<a href="http://example.com?x=" rel="nofollow">'
"http://example.com?x=&amp;</a>;;",
)
+ self.assertEqual(
+ urlize("http://example.com?x=&amp.;...;", autoescape=False),
+ '<a href="http://example.com?x=" rel="nofollow">'
+ "http://example.com?x=&amp</a>.;...;",
+ )
def test_brackets(self):
"""
diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
index befa73a555..b47919df99 100644
--- a/tests/utils_tests/test_html.py
+++ b/tests/utils_tests/test_html.py
@@ -396,6 +396,7 @@ class TestUtilsHtml(SimpleTestCase):
"&:" + ";" * 100_000,
"&.;" * 100_000,
".;" * 100_000,
+ "&" + ";:" * 100_000,
)
for value in tests:
with self.subTest(value=value):
generated by cgit v1.3 (git 2.53.0) at 2026-05-01 22:57:31 +0000