[5.1.x] Fixed CVE-2024-45230 -- Mitigated potential DoS in urlize and urlizetrunc template filters.

Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
2025-10-24 06:06:09 +00:00 · 2024-08-12 15:17:57 +02:00
parent 6203965960
commit 022ab0a75c
7 changed files with 46 additions and 9 deletions
--- a/docs/ref/templates/builtins.txt
+++ b/docs/ref/templates/builtins.txt
@@ -2932,6 +2932,17 @@ Django's built-in :tfilter:`escape` filter. The default value for
    email addresses that contain single quotes (``'``), things won't work as
    expected. Apply this filter only to plain text.

+.. warning::
+
+    Using ``urlize`` or ``urlizetrunc`` can incur a performance penalty, which
+    can become severe when applied to user controlled values such as content
+    stored in a :class:`~django.db.models.TextField`. You can use
+    :tfilter:`truncatechars` to add a limit to such inputs:
+
+    .. code-block:: html+django
+
+        {{ value|truncatechars:500|urlize }}
+
 .. templatefilter:: urlizetrunc

 ``urlizetrunc``