[5.1.x] Fixed CVE-2024-38875 -- Mitigated potential DoS in urlize and urlizetrunc template filters.

Thank you to Elias Myllymäki for the report. Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2025-10-24 06:06:09 +00:00 · 2024-06-24 15:30:59 +02:00
parent 79246129f7
commit 44aef996c8
4 changed files with 86 additions and 24 deletions
--- a/tests/utils_tests/test_html.py
+++ b/tests/utils_tests/test_html.py
@@ -352,6 +352,13 @@ class TestUtilsHtml(SimpleTestCase):
            "foo@.example.com",
            "foo@localhost",
            "foo@localhost.",
+            # trim_punctuation catastrophic tests
+            "(" * 100_000 + ":" + ")" * 100_000,
+            "(" * 100_000 + "&:" + ")" * 100_000,
+            "([" * 100_000 + ":" + "])" * 100_000,
+            "[(" * 100_000 + ":" + ")]" * 100_000,
+            "([[" * 100_000 + ":" + "]])" * 100_000,
+            "&:" + ";" * 100_000,
        )
        for value in tests:
            with self.subTest(value=value):