1
0
mirror of https://github.com/django/django.git synced 2024-12-23 01:25:58 +00:00

Fixed CVE-2024-41991 -- Prevented potential ReDoS in django.utils.html.urlize() and AdminURLFieldWidget.

Thanks Seokchan Yoon for the report.

Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
This commit is contained in:
Mariusz Felisiak 2024-07-10 20:30:12 +02:00 committed by Sarah Boyce
parent ecf1f8fb90
commit 5f1757142f
6 changed files with 42 additions and 4 deletions

View File

@ -393,7 +393,7 @@ class AdminURLFieldWidget(forms.URLInput):
context["current_label"] = _("Currently:") context["current_label"] = _("Currently:")
context["change_label"] = _("Change:") context["change_label"] = _("Change:")
context["widget"]["href"] = ( context["widget"]["href"] = (
smart_urlquote(context["widget"]["value"]) if value else "" smart_urlquote(context["widget"]["value"]) if url_valid else ""
) )
context["url_valid"] = url_valid context["url_valid"] = url_valid
return context return context

View File

@ -38,6 +38,8 @@ VOID_ELEMENTS = frozenset(
) )
) )
MAX_URL_LENGTH = 2048
@keep_lazy(SafeString) @keep_lazy(SafeString)
def escape(text): def escape(text):
@ -332,9 +334,9 @@ class Urlizer:
# Make URL we want to point to. # Make URL we want to point to.
url = None url = None
nofollow_attr = ' rel="nofollow"' if nofollow else "" nofollow_attr = ' rel="nofollow"' if nofollow else ""
if self.simple_url_re.match(middle): if len(middle) <= MAX_URL_LENGTH and self.simple_url_re.match(middle):
url = smart_urlquote(html.unescape(middle)) url = smart_urlquote(html.unescape(middle))
elif self.simple_url_2_re.match(middle): elif len(middle) <= MAX_URL_LENGTH and self.simple_url_2_re.match(middle):
url = smart_urlquote("http://%s" % html.unescape(middle)) url = smart_urlquote("http://%s" % html.unescape(middle))
elif ":" not in middle and self.is_email_simple(middle): elif ":" not in middle and self.is_email_simple(middle):
local, domain = middle.rsplit("@", 1) local, domain = middle.rsplit("@", 1)
@ -449,6 +451,10 @@ class Urlizer:
except ValueError: except ValueError:
# value contains more than one @. # value contains more than one @.
return False return False
# Max length for domain name labels is 63 characters per RFC 1034.
# Helps to avoid ReDoS vectors in the domain part.
if len(p2) > 63:
return False
# Dot must be in p2 (e.g. example.com) # Dot must be in p2 (e.g. example.com)
if "." not in p2 or p2.startswith("."): if "." not in p2 or p2.startswith("."):
return False return False

View File

@ -23,6 +23,13 @@ CVE-2024-41990: Potential denial-of-service vulnerability in ``django.utils.html
denial-of-service attack via very large inputs with a specific sequence of denial-of-service attack via very large inputs with a specific sequence of
characters. characters.
CVE-2024-41991: Potential denial-of-service vulnerability in ``django.utils.html.urlize()`` and ``AdminURLFieldWidget``
=======================================================================================================================
:tfilter:`urlize`, :tfilter:`urlizetrunc`, and ``AdminURLFieldWidget`` were
subject to a potential denial-of-service attack via certain inputs with a very
large number of Unicode characters.
Bugfixes Bugfixes
======== ========

View File

@ -23,6 +23,13 @@ CVE-2024-41990: Potential denial-of-service vulnerability in ``django.utils.html
denial-of-service attack via very large inputs with a specific sequence of denial-of-service attack via very large inputs with a specific sequence of
characters. characters.
CVE-2024-41991: Potential denial-of-service vulnerability in ``django.utils.html.urlize()`` and ``AdminURLFieldWidget``
=======================================================================================================================
:tfilter:`urlize`, :tfilter:`urlizetrunc`, and ``AdminURLFieldWidget`` were
subject to a potential denial-of-service attack via certain inputs with a very
large number of Unicode characters.
Bugfixes Bugfixes
======== ========

View File

@ -463,7 +463,12 @@ class AdminSplitDateTimeWidgetTest(SimpleTestCase):
class AdminURLWidgetTest(SimpleTestCase): class AdminURLWidgetTest(SimpleTestCase):
def test_get_context_validates_url(self): def test_get_context_validates_url(self):
w = widgets.AdminURLFieldWidget() w = widgets.AdminURLFieldWidget()
for invalid in ["", "/not/a/full/url/", 'javascript:alert("Danger XSS!")']: for invalid in [
"",
"/not/a/full/url/",
'javascript:alert("Danger XSS!")',
"http://" + "한.글." * 1_000_000 + "com",
]:
with self.subTest(url=invalid): with self.subTest(url=invalid):
self.assertFalse(w.get_context("name", invalid, {})["url_valid"]) self.assertFalse(w.get_context("name", invalid, {})["url_valid"])
self.assertTrue(w.get_context("name", "http://example.com", {})["url_valid"]) self.assertTrue(w.get_context("name", "http://example.com", {})["url_valid"])

View File

@ -338,6 +338,15 @@ class TestUtilsHtml(SimpleTestCase):
'Search for <a href="http://google.com/?q=">google.com/?q=</a>!', 'Search for <a href="http://google.com/?q=">google.com/?q=</a>!',
), ),
("foo@example.com", '<a href="mailto:foo@example.com">foo@example.com</a>'), ("foo@example.com", '<a href="mailto:foo@example.com">foo@example.com</a>'),
(
"test@" + "한.글." * 15 + "aaa",
'<a href="mailto:test@'
+ "xn--6q8b.xn--bj0b." * 15
+ 'aaa">'
+ "test@"
+ "한.글." * 15
+ "aaa</a>",
),
) )
for value, output in tests: for value, output in tests:
with self.subTest(value=value): with self.subTest(value=value):
@ -346,6 +355,10 @@ class TestUtilsHtml(SimpleTestCase):
def test_urlize_unchanged_inputs(self): def test_urlize_unchanged_inputs(self):
tests = ( tests = (
("a" + "@a" * 50000) + "a", # simple_email_re catastrophic test ("a" + "@a" * 50000) + "a", # simple_email_re catastrophic test
# Unicode domain catastrophic tests.
"a@" + "한.글." * 1_000_000 + "a",
"http://" + "한.글." * 1_000_000 + "com",
"www." + "한.글." * 1_000_000 + "com",
("a" + "." * 1000000) + "a", # trailing_punctuation catastrophic test ("a" + "." * 1000000) + "a", # trailing_punctuation catastrophic test
"foo@", "foo@",
"@foo.com", "@foo.com",