diff options
Diffstat (limited to 'django/utils/html.py')
| -rw-r--r-- | django/utils/html.py | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/django/utils/html.py b/django/utils/html.py index a4fc1ab557..a2686d065b 100644 --- a/django/utils/html.py +++ b/django/utils/html.py @@ -36,6 +36,8 @@ VOID_ELEMENTS = { "spacer", } +MAX_URL_LENGTH = 2048 + @keep_lazy(SafeString) def escape(text): @@ -330,9 +332,9 @@ class Urlizer: # Make URL we want to point to. url = None nofollow_attr = ' rel="nofollow"' if nofollow else "" - if self.simple_url_re.match(middle): + if len(middle) <= MAX_URL_LENGTH and self.simple_url_re.match(middle): url = smart_urlquote(html.unescape(middle)) - elif self.simple_url_2_re.match(middle): + elif len(middle) <= MAX_URL_LENGTH and self.simple_url_2_re.match(middle): url = smart_urlquote("http://%s" % html.unescape(middle)) elif ":" not in middle and self.is_email_simple(middle): local, domain = middle.rsplit("@", 1) @@ -447,6 +449,10 @@ class Urlizer: except ValueError: # value contains more than one @. return False + # Max length for domain name labels is 63 characters per RFC 1034. + # Helps to avoid ReDoS vectors in the domain part. + if len(p2) > 63: + return False # Dot must be in p2 (e.g. example.com) if "." not in p2 or p2.startswith("."): return False |