	[5.1.x] Fixed CVE-2024-41990 -- Mitigated potential DoS in urlize and urlizetrunc template filters.
Thanks to MProgrammer for the report.
		| @@ -410,7 +410,11 @@ class Urlizer: | ||||
|                         trimmed_something = True | ||||
|                         counts[closing] -= strip | ||||
|  | ||||
|             rstripped = middle.rstrip(self.trailing_punctuation_chars_no_semicolon) | ||||
|             amp = middle.rfind("&") | ||||
|             if amp == -1: | ||||
|                 rstripped = middle.rstrip(self.trailing_punctuation_chars) | ||||
|             else: | ||||
|                 rstripped = middle.rstrip(self.trailing_punctuation_chars_no_semicolon) | ||||
|             if rstripped != middle: | ||||
|                 trail = middle[len(rstripped) :] + trail | ||||
|                 middle = rstripped | ||||
| @@ -418,15 +422,9 @@ class Urlizer: | ||||
|  | ||||
|             if self.trailing_punctuation_chars_has_semicolon and middle.endswith(";"): | ||||
|                 # Only strip if not part of an HTML entity. | ||||
|                 amp = middle.rfind("&") | ||||
|                 if amp == -1: | ||||
|                     can_strip = True | ||||
|                 else: | ||||
|                     potential_entity = middle[amp:] | ||||
|                     escaped = html.unescape(potential_entity) | ||||
|                     can_strip = (escaped == potential_entity) or escaped.endswith(";") | ||||
|  | ||||
|                 if can_strip: | ||||
|                 potential_entity = middle[amp:] | ||||
|                 escaped = html.unescape(potential_entity) | ||||
|                 if escaped == potential_entity or escaped.endswith(";"): | ||||
|                     rstripped = middle.rstrip(";") | ||||
|                     amount_stripped = len(middle) - len(rstripped) | ||||
|                     if amp > -1 and amount_stripped > 1: | ||||
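Review bot: With `amp == -1`, the second hunk's new `potential_entity = middle[amp:]` silently evaluates to `middle[-1:]` (the last character) instead of the explicit "no ampersand" case the removed `if amp == -1: can_strip = True` branch handled; it looks unreachable because the first hunk now strips `;` together with the other punctuation whenever there is no `&`, but the line between the two hunks is not visible and the surviving `if amp > -1 and amount_stripped > 1:` still reads as if -1 can arrive here. A one-line comment above the slice would pin that dependency for the next maintainer: `# amp == -1 cannot reach this branch: without "&" the rstrip above already removed any trailing ";".` Separately, `html.unescape(potential_entity)` costs time proportional to the text after the last `&`, and if the retry loop that `trimmed_something` (first line of the first hunk) feeds — its header lies outside both hunks — re-enters this branch after each single-character strip, that same tail is re-scanned on every pass; a regression input with a long non-entity run between the final `&` and a repeated punctuation tail, added to the `tests` tuple in the tests hunk, would confirm the total work stays linear.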
| @@ -16,6 +16,13 @@ consumption. | ||||
|  | ||||
| To avoid this, decimals with more than 200 digits are now returned as is. | ||||
|  | ||||
| CVE-2024-41990: Potential denial-of-service vulnerability in ``django.utils.html.urlize()`` | ||||
| =========================================================================================== | ||||
|  | ||||
| :tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential | ||||
| denial-of-service attack via very large inputs with a specific sequence of | ||||
| characters. | ||||
|  | ||||
| Bugfixes | ||||
| ======== | ||||
|  | ||||
| @@ -16,6 +16,13 @@ consumption. | ||||
|  | ||||
| To avoid this, decimals with more than 200 digits are now returned as is. | ||||
|  | ||||
| CVE-2024-41990: Potential denial-of-service vulnerability in ``django.utils.html.urlize()`` | ||||
| =========================================================================================== | ||||
|  | ||||
| :tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential | ||||
| denial-of-service attack via very large inputs with a specific sequence of | ||||
| characters. | ||||
|  | ||||
| Bugfixes | ||||
| ======== | ||||
|  | ||||
| @@ -359,6 +359,8 @@ class TestUtilsHtml(SimpleTestCase): | ||||
|             "[(" * 100_000 + ":" + ")]" * 100_000, | ||||
|             "([[" * 100_000 + ":" + "]])" * 100_000, | ||||
|             "&:" + ";" * 100_000, | ||||
|             "&.;" * 100_000, | ||||
|             ".;" * 100_000, | ||||
|         ) | ||||
|         for value in tests: | ||||
|             with self.subTest(value=value): | ||||
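Review bot: The two new entries in the `tests` tuple, `"&.;" * 100_000` and `".;" * 100_000`, give no hint of what they guard against, and the assertion that follows the `subTest` is outside the hunk, so a reader cannot tell from the test alone that they are timing-sensitive regression inputs rather than ordinary fixtures. A short comment above the pair, `# Regression inputs for CVE-2024-41990: "&" and ";" interleaved with trailing punctuation.`, would tie them to the semicolon handling in `Urlizer` that this commit changes; presumably the earlier entries deserve the same treatment for their own fixes, but that is outside this change.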