Fixed CVE-2023-43665 -- Mitigated potential DoS in django.utils.text.Truncator when truncating HTML text.

Thanks Wenchao Li of Alibaba Group for the report.
2025-10-31 09:41:08 +00:00 · 2023-09-19 09:51:48 -03:00
parent 1dae65dc63
commit 17b51094d7
6 changed files with 115 additions and 13 deletions
--- a/docs/releases/4.2.6.txt
+++ b/docs/releases/4.2.6.txt
@@ -7,6 +7,24 @@ Django 4.2.6 release notes
 Django 4.2.6 fixes a security issue with severity "moderate" and several bugs
 in 4.2.5.

+CVE-2023-43665: Denial-of-service possibility in ``django.utils.text.Truncator``
+================================================================================
+
+Following the fix for :cve:`2019-14232`, the regular expressions used in the
+implementation of ``django.utils.text.Truncator``'s ``chars()`` and ``words()``
+methods (with ``html=True``) were revised and improved. However, these regular
+expressions still exhibited linear backtracking complexity, so when given a
+very long, potentially malformed HTML input, the evaluation would still be
+slow, leading to a potential denial of service vulnerability.
+
+The ``chars()`` and ``words()`` methods are used to implement the
+:tfilter:`truncatechars_html` and :tfilter:`truncatewords_html` template
+filters, which were thus also vulnerable.
+
+The input processed by ``Truncator``, when operating in HTML mode, has been
+limited to the first five million characters in order to avoid potential
+performance and memory issues.
+
 Bugfixes
 ========