From 9f2ada875bbee62ac46032e38ddb22755d67ae5a Mon Sep 17 00:00:00 2001
From: Natalia <124304+nessita@users.noreply.github.com>
Date: Wed, 21 Jan 2026 09:53:10 -0300
Subject: [5.2.x] Fixed CVE-2026-1285 -- Mitigated potential DoS in django.utils.text.Truncator for HTML input.
The `TruncateHTMLParser` used `deque.remove()` to remove tags from the stack when processing end tags. With crafted input containing many unmatched end tags, this caused repeated full scans of the tag stack, leading to quadratic time complexity. The fix uses LIFO semantics, only removing a tag from the stack when it matches the most recently opened tag. This avoids linear scans for unmatched end tags and reduces complexity to linear time. Refs #30686 and 6ee37ada3241ed263d8d1c2901b030d964cbd161. Thanks Seokchan Yoon for the report, and Jake Howard and Jacob Walls for reviews. Backport of a33540b3e20b5d759aa8b2e4b9ca0e8edd285344 from main.
---
 tests/utils_tests/test_text.py | 10 ++++++++++
 1 file changed, 10 insertions(+)
(limited to 'tests/utils_tests/test_text.py')
diff --git a/tests/utils_tests/test_text.py b/tests/utils_tests/test_text.py
index 63c7889cbc..11c01874cb 100644
--- a/tests/utils_tests/test_text.py
+++ b/tests/utils_tests/test_text.py
@@ -202,6 +202,16 @@ class TestUtilsText(SimpleTestCase):
 truncator = text.Truncator("
I <3 python, what about you?
") self.assertEqual("I <3 python, wh…
", truncator.chars(16, html=True)) + def test_truncate_chars_html_with_misnested_tags(self): + # LIFO removal keeps all tags when a middle tag is closed out of order. + # With