From d147a8ebbdf28c17cafbbe2884f0bc57e2bf82e2 Mon Sep 17 00:00:00 2001
From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
Date: Mon, 12 Aug 2024 15:17:57 +0200
Subject: [4.2.x] Fixed CVE-2024-45230 -- Mitigated potential DoS in urlize and
urlizetrunc template filters.
Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
---
tests/template_tests/filter_tests/test_urlize.py | 22 ++++++++++++++++++++++
tests/utils_tests/test_html.py | 1 +
2 files changed, 23 insertions(+)
(limited to 'tests')
diff --git a/tests/template_tests/filter_tests/test_urlize.py b/tests/template_tests/filter_tests/test_urlize.py
index abc227ba6a..e542802aae 100644
--- a/tests/template_tests/filter_tests/test_urlize.py
+++ b/tests/template_tests/filter_tests/test_urlize.py
@@ -305,6 +305,28 @@ class FunctionTests(SimpleTestCase):
"http://testing.com/example.,:;)"!",
)
+ def test_trailing_semicolon(self):
+ self.assertEqual(
+ urlize("http://example.com?x=&", autoescape=False),
+ ''
+ "http://example.com?x=&",
+ )
+ self.assertEqual(
+ urlize("http://example.com?x=&;", autoescape=False),
+ ''
+ "http://example.com?x=&;",
+ )
+ self.assertEqual(
+ urlize("http://example.com?x=&;;", autoescape=False),
+ ''
+ "http://example.com?x=&;;",
+ )
+ self.assertEqual(
+ urlize("http://example.com?x=&.;...;", autoescape=False),
+ ''
+ "http://example.com?x=&.;...;",
+ )
+
def test_brackets(self):
"""
#19070 - Check urlize handles brackets properly
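Review bot: The new test_trailing_semicolon carries no docstring or comment linking it to the reported issue, while the neighbouring test_brackets cites its ticket (`#19070`); a one-line docstring such as `"""Regression test for CVE-2024-45230 (urlize with trailing semicolons)."""` under the def would record why these four inputs exist. The same applies to the input `"&" + ";:" * 100_000` added in tests/utils_tests/test_html.py, where the enclosing method starts outside the hunk; a short comment naming the CVE beside that line would explain why this input shape was added to the large-input set. As rendered here the expected values read as an empty string `''` followed by the bare URL text, which looks like the anchor markup was lost in extraction rather than the test asserting an empty link, so the expected strings should be checked against the source before this page is relied on.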
diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
index 83ebe4334b..7ff5020fb6 100644
--- a/tests/utils_tests/test_html.py
+++ b/tests/utils_tests/test_html.py
@@ -364,6 +364,7 @@ class TestUtilsHtml(SimpleTestCase):
"&:" + ";" * 100_000,
"&.;" * 100_000,
".;" * 100_000,
+ "&" + ";:" * 100_000,
)
for value in tests:
with self.subTest(value=value):
--