From efea1ef7e2190e3f77ca0651b5458297bc0f6a9f Mon Sep 17 00:00:00 2001
From: Mariusz Felisiak <felisiak.mariusz@gmail.com>
Date: Wed, 10 Jul 2024 20:30:12 +0200
Subject: [4.2.x] Fixed CVE-2024-41991 -- Prevented potential ReDoS in
 django.utils.html.urlize() and AdminURLFieldWidget.

Thanks Seokchan Yoon for the report.

Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
---
 tests/admin_widgets/tests.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'tests/admin_widgets/tests.py')

diff --git a/tests/admin_widgets/tests.py b/tests/admin_widgets/tests.py
index 0e20206048..4281ed07c6 100644
--- a/tests/admin_widgets/tests.py
+++ b/tests/admin_widgets/tests.py
@@ -461,7 +461,12 @@ class AdminSplitDateTimeWidgetTest(SimpleTestCase):
 class AdminURLWidgetTest(SimpleTestCase):
     def test_get_context_validates_url(self):
         w = widgets.AdminURLFieldWidget()
-        for invalid in ["", "/not/a/full/url/", 'javascript:alert("Danger XSS!")']:
+        for invalid in [
+            "",
+            "/not/a/full/url/",
+            'javascript:alert("Danger XSS!")',
+            "http://" + "한.글." * 1_000_000 + "com",
+        ]:
             with self.subTest(url=invalid):
                 self.assertFalse(w.get_context("name", invalid, {})["url_valid"])
         self.assertTrue(w.get_context("name", "http://example.com", {})["url_valid"])
-- 
cgit v1.3