mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-31 09:41:08 +00:00
Code Issues 32 Releases Wiki Activity

[5.0.x] Fixed CVE-2024-41991 -- Prevented potential ReDoS in django.utils.html.urlize() and AdminURLFieldWidget.

Browse Source 
Thanks Seokchan Yoon for the report.

Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
This commit is contained in:
Mariusz Felisiak
2024-07-10 20:30:12 +02:00
committed by Sarah Boyce
parent 7b7b909579
commit 523da8771b
6 changed files with 42 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
tests/admin_widgets/tests.py
View File

@@ -462,7 +462,12 @@ class AdminSplitDateTimeWidgetTest(SimpleTestCase):
class AdminURLWidgetTest(SimpleTestCase):
def test_get_context_validates_url(self):
w = widgets.AdminURLFieldWidget()
for invalid in ["", "/not/a/full/url/", 'javascript:alert("Danger XSS!")']:
for invalid in [
"",
"/not/a/full/url/",
'javascript:alert("Danger XSS!")',
"http://" + "한.글." * 1_000_000 + "com",
]:
with self.subTest(url=invalid):
self.assertFalse(w.get_context("name", invalid, {})["url_valid"])
self.assertTrue(w.get_context("name", "http://example.com", {})["url_valid"])