mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-31 09:41:08 +00:00
Code Issues 32 Releases Wiki Activity

[5.1.x] Fixed CVE-2024-45230 -- Mitigated potential DoS in urlize and urlizetrunc template filters.

Browse Source 
Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
This commit is contained in:
Sarah Boyce
2024-08-12 15:17:57 +02:00
committed by Natalia
parent 6203965960
commit 022ab0a75c
7 changed files with 46 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
docs/ref/templates/builtins.txt
View File

@@ -2932,6 +2932,17 @@ Django's built-in :tfilter:`escape` filter. The default value for
email addresses that contain single quotes (``'``), things won't work as
expected. Apply this filter only to plain text.
.. warning::
Using ``urlize`` or ``urlizetrunc`` can incur a performance penalty, which
can become severe when applied to user controlled values such as content
stored in a :class:`~django.db.models.TextField`. You can use
:tfilter:`truncatechars` to add a limit to such inputs:
.. code-block:: html+django
{{ value|truncatechars:500|urlize }}
.. templatefilter:: urlizetrunc
``urlizetrunc``

7
docs/releases/4.2.16.txt
View File

@@ -7,4 +7,9 @@ Django 4.2.16 release notes
Django 4.2.16 fixes one security issue with severity "moderate" and one
security issue with severity "low" in 4.2.15.
...
CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
===========================================================================================
:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
denial-of-service attack via very large inputs with a specific sequence of
characters.

7
docs/releases/5.0.9.txt
View File

@@ -7,4 +7,9 @@ Django 5.0.9 release notes
Django 5.0.9 fixes one security issue with severity "moderate" and one security
issue with severity "low" in 5.0.8.
...
CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
===========================================================================================
:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
denial-of-service attack via very large inputs with a specific sequence of
characters.

7
docs/releases/5.1.1.txt
View File

@@ -7,6 +7,13 @@ Django 5.1.1 release notes
Django 5.1.1 fixes one security issue with severity "moderate", one security
issue with severity "low", and several bugs in 5.1.
CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
===========================================================================================
:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
denial-of-service attack via very large inputs with a specific sequence of
characters.
Bugfixes
========