
[5.0.x] Fixed CVE-2024-45230 -- Mitigated potential DoS in urlize and urlizetrunc template filters.

Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
Sarah Boyce
2024-08-12 15:17:57 +02:00
committed by Natalia
parent 05495d4f5e
commit 813de2672b
6 changed files with 56 additions and 9 deletions


@@ -305,6 +305,28 @@ class FunctionTests(SimpleTestCase):
"http://testing.com/example</a>.,:;)&quot;!",
)
def test_trailing_semicolon(self):
self.assertEqual(
urlize("http://example.com?x=&amp;", autoescape=False),
'<a href="http://example.com?x=" rel="nofollow">'
"http://example.com?x=&amp;</a>",
)
self.assertEqual(
urlize("http://example.com?x=&amp;;", autoescape=False),
'<a href="http://example.com?x=" rel="nofollow">'
"http://example.com?x=&amp;</a>;",
)
self.assertEqual(
urlize("http://example.com?x=&amp;;;", autoescape=False),
'<a href="http://example.com?x=" rel="nofollow">'
"http://example.com?x=&amp;</a>;;",
)
self.assertEqual(
urlize("http://example.com?x=&amp.;...;", autoescape=False),
'<a href="http://example.com?x=" rel="nofollow">'
"http://example.com?x=&amp</a>.;...;",
)
def test_brackets(self):
"""
#19070 - Check urlize handles brackets properly