	[5.1.x] Fixed CVE-2024-41990 -- Mitigated potential DoS in urlize and urlizetrunc template filters.
Thanks to MProgrammer for the report.
		| @@ -410,6 +410,10 @@ class Urlizer: | |||||||
|                         trimmed_something = True |                         trimmed_something = True | ||||||
|                         counts[closing] -= strip |                         counts[closing] -= strip | ||||||
|  |  | ||||||
|  |             amp = middle.rfind("&") | ||||||
|  |             if amp == -1: | ||||||
|  |                 rstripped = middle.rstrip(self.trailing_punctuation_chars) | ||||||
|  |             else: | ||||||
|                 rstripped = middle.rstrip(self.trailing_punctuation_chars_no_semicolon) |                 rstripped = middle.rstrip(self.trailing_punctuation_chars_no_semicolon) | ||||||
|             if rstripped != middle: |             if rstripped != middle: | ||||||
|                 trail = middle[len(rstripped) :] + trail |                 trail = middle[len(rstripped) :] + trail | ||||||
| @@ -418,15 +422,9 @@ class Urlizer: | |||||||
|  |  | ||||||
|             if self.trailing_punctuation_chars_has_semicolon and middle.endswith(";"): |             if self.trailing_punctuation_chars_has_semicolon and middle.endswith(";"): | ||||||
|                 # Only strip if not part of an HTML entity. |                 # Only strip if not part of an HTML entity. | ||||||
|                 amp = middle.rfind("&") |  | ||||||
|                 if amp == -1: |  | ||||||
|                     can_strip = True |  | ||||||
|                 else: |  | ||||||
|                 potential_entity = middle[amp:] |                 potential_entity = middle[amp:] | ||||||
|                 escaped = html.unescape(potential_entity) |                 escaped = html.unescape(potential_entity) | ||||||
|                     can_strip = (escaped == potential_entity) or escaped.endswith(";") |                 if escaped == potential_entity or escaped.endswith(";"): | ||||||
|  |  | ||||||
|                 if can_strip: |  | ||||||
|                     rstripped = middle.rstrip(";") |                     rstripped = middle.rstrip(";") | ||||||
|                     amount_stripped = len(middle) - len(rstripped) |                     amount_stripped = len(middle) - len(rstripped) | ||||||
|                     if amp > -1 and amount_stripped > 1: |                     if amp > -1 and amount_stripped > 1: | ||||||
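Review bot: In the second hunk, `potential_entity = middle[amp:]` now executes even when `amp == -1`, where the slice yields only the last character instead of an entity-like tail; it behaves correctly only because the guard `middle.endswith(";")` makes that character `;`, which `html.unescape` returns unchanged, so the strip proceeds exactly as the removed `can_strip = True` path did. That coupling is easy to break on a later edit and deserves a comment above the line, e.g. `# No "&": amp == -1 and middle[amp:] is just the trailing ";", which unescapes to itself, so the strip goes ahead.` Relatedly, `amp` is computed in the first hunk on the pre-strip `middle`, and the lines between the hunks presumably reassign `middle = rstripped`; the index stays valid only because `rstrip()` removes trailing characters and `&` is (as far as this page shows) not among `trailing_punctuation_chars`, which is worth stating at the `amp = middle.rfind("&")` assignment. The enclosing `Urlizer` method starts and ends outside both hunks.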
|   | |||||||
| @@ -16,6 +16,13 @@ consumption. | |||||||
|  |  | ||||||
| To avoid this, decimals with more than 200 digits are now returned as is. | To avoid this, decimals with more than 200 digits are now returned as is. | ||||||
|  |  | ||||||
|  | CVE-2024-41990: Potential denial-of-service vulnerability in ``django.utils.html.urlize()`` | ||||||
|  | =========================================================================================== | ||||||
|  |  | ||||||
|  | :tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential | ||||||
|  | denial-of-service attack via very large inputs with a specific sequence of | ||||||
|  | characters. | ||||||
|  |  | ||||||
| Bugfixes | Bugfixes | ||||||
| ======== | ======== | ||||||
|  |  | ||||||
|   | |||||||
| @@ -16,6 +16,13 @@ consumption. | |||||||
|  |  | ||||||
| To avoid this, decimals with more than 200 digits are now returned as is. | To avoid this, decimals with more than 200 digits are now returned as is. | ||||||
|  |  | ||||||
|  | CVE-2024-41990: Potential denial-of-service vulnerability in ``django.utils.html.urlize()`` | ||||||
|  | =========================================================================================== | ||||||
|  |  | ||||||
|  | :tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential | ||||||
|  | denial-of-service attack via very large inputs with a specific sequence of | ||||||
|  | characters. | ||||||
|  |  | ||||||
| Bugfixes | Bugfixes | ||||||
| ======== | ======== | ||||||
|  |  | ||||||
|   | |||||||
| @@ -359,6 +359,8 @@ class TestUtilsHtml(SimpleTestCase): | |||||||
|             "[(" * 100_000 + ":" + ")]" * 100_000, |             "[(" * 100_000 + ":" + ")]" * 100_000, | ||||||
|             "([[" * 100_000 + ":" + "]])" * 100_000, |             "([[" * 100_000 + ":" + "]])" * 100_000, | ||||||
|             "&:" + ";" * 100_000, |             "&:" + ";" * 100_000, | ||||||
|  |             "&.;" * 100_000, | ||||||
|  |             ".;" * 100_000, | ||||||
|         ) |         ) | ||||||
|         for value in tests: |         for value in tests: | ||||||
|             with self.subTest(value=value): |             with self.subTest(value=value): | ||||||
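Review bot: The two added inputs cover different branches of the fixed code — `"&.;" * 100_000` takes the `amp > -1` entity-like path while `".;" * 100_000` takes the `amp == -1` path — but nothing in the tuple says so, and the surrounding cases read as a generic list of large inputs. A short comment on the added lines, e.g. `# CVE-2024-41990: with and without an "&" preceding the trailing punctuation.`, would tell a future maintainer which branch each case protects. The test method and its assertions start and end outside the hunk, so whether the output is also checked for a small instance of each pattern cannot be seen here.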
|   | |||||||