mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-03-09 17:02:43 +00:00
Code Issues 32 Releases Wiki Activity

[5.0.x] Fixed CVE-2024-45230 -- Mitigated potential DoS in urlize and urlizetrunc template filters.

Browse Source 
Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
This commit is contained in:
Sarah Boyce 2024-08-12 15:17:57 +02:00 committed by Natalia
parent 05495d4f5e
commit 813de2672b
6 changed files with 56 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
django/utils/html.py
View File

@ -425,14 +425,17 @@ class Urlizer:
potential_entity = middle[amp:] potential_entity = middle[amp:]
escaped = html.unescape(potential_entity) escaped = html.unescape(potential_entity)
if escaped == potential_entity or escaped.endswith(";"): if escaped == potential_entity or escaped.endswith(";"):
rstripped = middle.rstrip(";") rstripped = middle.rstrip(self.trailing_punctuation_chars)
amount_stripped = len(middle) - len(rstripped) trail_start = len(rstripped)
if amp > -1 and amount_stripped > 1: amount_trailing_semicolons = len(middle) - len(middle.rstrip(";"))
# Leave a trailing semicolon as might be an entity. if amp > -1 and amount_trailing_semicolons > 1:
trail = middle[len(rstripped) + 1 :] + trail # Leave up to most recent semicolon as might be an entity.
middle = rstripped + ";" recent_semicolon = middle[trail_start:].index(";")
middle_semicolon_index = recent_semicolon + trail_start + 1
trail = middle[middle_semicolon_index:] + trail
middle = rstripped + middle[trail_start:middle_semicolon_index]
else: else:
trail = middle[len(rstripped) :] + trail trail = middle[trail_start:] + trail
middle = rstripped middle = rstripped
trimmed_something = True trimmed_something = True

11
docs/ref/templates/builtins.txt
View File

@ -2855,6 +2855,17 @@ Django's built-in :tfilter:`escape` filter. The default value for
email addresses that contain single quotes (``'``), things won't work as email addresses that contain single quotes (``'``), things won't work as
expected. Apply this filter only to plain text. expected. Apply this filter only to plain text.
.. warning::
Using ``urlize`` or ``urlizetrunc`` can incur a performance penalty, which
can become severe when applied to user controlled values such as content
stored in a :class:`~django.db.models.TextField`. You can use
:tfilter:`truncatechars` to add a limit to such inputs:
.. code-block:: html+django
{{ value|truncatechars:500|urlize }}
.. templatefilter:: urlizetrunc .. templatefilter:: urlizetrunc
``urlizetrunc`` ``urlizetrunc``

7
docs/releases/4.2.16.txt
View File

@ -7,4 +7,9 @@ Django 4.2.16 release notes
Django 4.2.16 fixes one security issue with severity "moderate" and one Django 4.2.16 fixes one security issue with severity "moderate" and one
security issue with severity "low" in 4.2.15. security issue with severity "low" in 4.2.15.
... CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
===========================================================================================
:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
denial-of-service attack via very large inputs with a specific sequence of
characters.

7
docs/releases/5.0.9.txt
View File

@ -7,4 +7,9 @@ Django 5.0.9 release notes
Django 5.0.9 fixes one security issue with severity "moderate" and one security Django 5.0.9 fixes one security issue with severity "moderate" and one security
issue with severity "low" in 5.0.8. issue with severity "low" in 5.0.8.
... CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
===========================================================================================
:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
denial-of-service attack via very large inputs with a specific sequence of
characters.

22
tests/template_tests/filter_tests/test_urlize.py
View File

@ -305,6 +305,28 @@ class FunctionTests(SimpleTestCase):
"http://testing.com/example</a>.,:;)&quot;!", "http://testing.com/example</a>.,:;)&quot;!",
) )
def test_trailing_semicolon(self):
self.assertEqual(
urlize("http://example.com?x=&amp;", autoescape=False),
'<a href="http://example.com?x=" rel="nofollow">'
"http://example.com?x=&amp;</a>",
)
self.assertEqual(
urlize("http://example.com?x=&amp;;", autoescape=False),
'<a href="http://example.com?x=" rel="nofollow">'
"http://example.com?x=&amp;</a>;",
)
self.assertEqual(
urlize("http://example.com?x=&amp;;;", autoescape=False),
'<a href="http://example.com?x=" rel="nofollow">'
"http://example.com?x=&amp;</a>;;",
)
self.assertEqual(
urlize("http://example.com?x=&amp.;...;", autoescape=False),
'<a href="http://example.com?x=" rel="nofollow">'
"http://example.com?x=&amp</a>.;...;",
)
def test_brackets(self): def test_brackets(self):
""" """
#19070 - Check urlize handles brackets properly #19070 - Check urlize handles brackets properly

1
tests/utils_tests/test_html.py
View File

@ -374,6 +374,7 @@ class TestUtilsHtml(SimpleTestCase):
"&:" + ";" * 100_000, "&:" + ";" * 100_000,
"&.;" * 100_000, "&.;" * 100_000,
".;" * 100_000, ".;" * 100_000,
"&" + ";:" * 100_000,
) )
for value in tests: for value in tests:
with self.subTest(value=value): with self.subTest(value=value):