[5.0.x] Fixed CVE-2024-45230 -- Mitigated potential DoS in urlize and urlizetrunc template filters.

Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
2025-10-31 09:41:08 +00:00 · 2024-08-12 15:17:57 +02:00
parent 05495d4f5e
commit 813de2672b
6 changed files with 56 additions and 9 deletions
--- a/django/utils/html.py
+++ b/django/utils/html.py
@@ -425,14 +425,17 @@ class Urlizer:
                potential_entity = middle[amp:]
                escaped = html.unescape(potential_entity)
                if escaped == potential_entity or escaped.endswith(";"):
-                    rstripped = middle.rstrip(";")
-                    amount_stripped = len(middle) - len(rstripped)
-                    if amp > -1 and amount_stripped > 1:
-                        # Leave a trailing semicolon as might be an entity.
-                        trail = middle[len(rstripped) + 1 :] + trail
-                        middle = rstripped + ";"
+                    rstripped = middle.rstrip(self.trailing_punctuation_chars)
+                    trail_start = len(rstripped)
+                    amount_trailing_semicolons = len(middle) - len(middle.rstrip(";"))
+                    if amp > -1 and amount_trailing_semicolons > 1:
+                        # Leave up to most recent semicolon as might be an entity.
+                        recent_semicolon = middle[trail_start:].index(";")
+                        middle_semicolon_index = recent_semicolon + trail_start + 1
+                        trail = middle[middle_semicolon_index:] + trail
+                        middle = rstripped + middle[trail_start:middle_semicolon_index]
                    else:
-                        trail = middle[len(rstripped) :] + trail
+                        trail = middle[trail_start:] + trail
                        middle = rstripped
                    trimmed_something = True