mirror of
				https://github.com/django/django.git
				synced 2025-10-25 06:36:07 +00:00 
			
		
		
		
	Fixed CVE-2025-32873 -- Mitigated potential DoS in strip_tags().
Thanks to Elias Myllymäki for the report, and Shai Berger and Jake Howard for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
This commit is contained in:
		| @@ -43,6 +43,9 @@ VOID_ELEMENTS = frozenset( | |||||||
|  |  | ||||||
| MAX_STRIP_TAGS_DEPTH = 50 | MAX_STRIP_TAGS_DEPTH = 50 | ||||||
|  |  | ||||||
|  | # HTML tag that opens but has no closing ">" after 1k+ chars. | ||||||
|  | long_open_tag_without_closing_re = _lazy_re_compile(r"<[a-zA-Z][^>]{1000,}") | ||||||
|  |  | ||||||
|  |  | ||||||
| @keep_lazy(SafeString) | @keep_lazy(SafeString) | ||||||
| def escape(text): | def escape(text): | ||||||
| @@ -208,6 +211,9 @@ def _strip_once(value): | |||||||
| def strip_tags(value): | def strip_tags(value): | ||||||
|     """Return the given HTML with all tags stripped.""" |     """Return the given HTML with all tags stripped.""" | ||||||
|     value = str(value) |     value = str(value) | ||||||
|  |     for long_open_tag in long_open_tag_without_closing_re.finditer(value): | ||||||
|  |         if long_open_tag.group().count("<") >= MAX_STRIP_TAGS_DEPTH: | ||||||
|  |             raise SuspiciousOperation | ||||||
|     # Note: in typical case this loop executes _strip_once twice (the second |     # Note: in typical case this loop executes _strip_once twice (the second | ||||||
|     # execution does not remove any more tags). |     # execution does not remove any more tags). | ||||||
|     strip_tags_depth = 0 |     strip_tags_depth = 0 | ||||||
|   | |||||||
| @@ -7,6 +7,17 @@ Django 4.2.21 release notes | |||||||
| Django 4.2.21 fixes a security issue with severity "moderate", a data loss bug, | Django 4.2.21 fixes a security issue with severity "moderate", a data loss bug, | ||||||
| and a regression in 4.2.20. | and a regression in 4.2.20. | ||||||
|  |  | ||||||
|  | CVE-2025-32873: Denial-of-service possibility in ``strip_tags()`` | ||||||
|  | ================================================================= | ||||||
|  |  | ||||||
|  | :func:`~django.utils.html.strip_tags` would be slow to evaluate certain inputs | ||||||
|  | containing large sequences of incomplete HTML tags. This function is used to | ||||||
|  | implement the :tfilter:`striptags` template filter, which was thus also | ||||||
|  | vulnerable. | ||||||
|  |  | ||||||
|  | :func:`~django.utils.html.strip_tags` now raises a :exc:`.SuspiciousOperation` | ||||||
|  | exception if it encounters an unusually large number of unclosed opening tags. | ||||||
|  |  | ||||||
| Bugfixes | Bugfixes | ||||||
| ======== | ======== | ||||||
|  |  | ||||||
|   | |||||||
| @@ -7,6 +7,17 @@ Django 5.1.9 release notes | |||||||
| Django 5.1.9 fixes a security issue with severity "moderate", a data loss bug, | Django 5.1.9 fixes a security issue with severity "moderate", a data loss bug, | ||||||
| and a regression in 5.1.8. | and a regression in 5.1.8. | ||||||
|  |  | ||||||
|  | CVE-2025-32873: Denial-of-service possibility in ``strip_tags()`` | ||||||
|  | ================================================================= | ||||||
|  |  | ||||||
|  | :func:`~django.utils.html.strip_tags` would be slow to evaluate certain inputs | ||||||
|  | containing large sequences of incomplete HTML tags. This function is used to | ||||||
|  | implement the :tfilter:`striptags` template filter, which was thus also | ||||||
|  | vulnerable. | ||||||
|  |  | ||||||
|  | :func:`~django.utils.html.strip_tags` now raises a :exc:`.SuspiciousOperation` | ||||||
|  | exception if it encounters an unusually large number of unclosed opening tags. | ||||||
|  |  | ||||||
| Bugfixes | Bugfixes | ||||||
| ======== | ======== | ||||||
|  |  | ||||||
|   | |||||||
| @@ -7,6 +7,17 @@ Django 5.2.1 release notes | |||||||
| Django 5.2.1 fixes a security issue with severity "moderate" and several bugs | Django 5.2.1 fixes a security issue with severity "moderate" and several bugs | ||||||
| in 5.2. | in 5.2. | ||||||
|  |  | ||||||
|  | CVE-2025-32873: Denial-of-service possibility in ``strip_tags()`` | ||||||
|  | ================================================================= | ||||||
|  |  | ||||||
|  | :func:`~django.utils.html.strip_tags` would be slow to evaluate certain inputs | ||||||
|  | containing large sequences of incomplete HTML tags. This function is used to | ||||||
|  | implement the :tfilter:`striptags` template filter, which was thus also | ||||||
|  | vulnerable. | ||||||
|  |  | ||||||
|  | :func:`~django.utils.html.strip_tags` now raises a :exc:`.SuspiciousOperation` | ||||||
|  | exception if it encounters an unusually large number of unclosed opening tags. | ||||||
|  |  | ||||||
| Bugfixes | Bugfixes | ||||||
| ======== | ======== | ||||||
|  |  | ||||||
|   | |||||||
| @@ -145,17 +145,30 @@ class TestUtilsHtml(SimpleTestCase): | |||||||
|             ("><!" + ("&" * 16000) + "D", "><!" + ("&" * 16000) + "D"), |             ("><!" + ("&" * 16000) + "D", "><!" + ("&" * 16000) + "D"), | ||||||
|             ("X<<<<br>br>br>br>X", "XX"), |             ("X<<<<br>br>br>br>X", "XX"), | ||||||
|             ("<" * 50 + "a>" * 50, ""), |             ("<" * 50 + "a>" * 50, ""), | ||||||
|  |             (">" + "<a" * 500 + "a", ">" + "<a" * 500 + "a"), | ||||||
|  |             ("<a" * 49 + "a" * 951, "<a" * 49 + "a" * 951), | ||||||
|  |             ("<" + "a" * 1_002, "<" + "a" * 1_002), | ||||||
|         ) |         ) | ||||||
|         for value, output in items: |         for value, output in items: | ||||||
|             with self.subTest(value=value, output=output): |             with self.subTest(value=value, output=output): | ||||||
|                 self.check_output(strip_tags, value, output) |                 self.check_output(strip_tags, value, output) | ||||||
|                 self.check_output(strip_tags, lazystr(value), output) |                 self.check_output(strip_tags, lazystr(value), output) | ||||||
|  |  | ||||||
|     def test_strip_tags_suspicious_operation(self): |     def test_strip_tags_suspicious_operation_max_depth(self): | ||||||
|         value = "<" * 51 + "a>" * 51, "<a>" |         value = "<" * 51 + "a>" * 51, "<a>" | ||||||
|         with self.assertRaises(SuspiciousOperation): |         with self.assertRaises(SuspiciousOperation): | ||||||
|             strip_tags(value) |             strip_tags(value) | ||||||
|  |  | ||||||
|  |     def test_strip_tags_suspicious_operation_large_open_tags(self): | ||||||
|  |         items = [ | ||||||
|  |             ">" + "<a" * 501, | ||||||
|  |             "<a" * 50 + "a" * 950, | ||||||
|  |         ] | ||||||
|  |         for value in items: | ||||||
|  |             with self.subTest(value=value): | ||||||
|  |                 with self.assertRaises(SuspiciousOperation): | ||||||
|  |                     strip_tags(value) | ||||||
|  |  | ||||||
|     def test_strip_tags_files(self): |     def test_strip_tags_files(self): | ||||||
|         # Test with more lengthy content (also catching performance regressions) |         # Test with more lengthy content (also catching performance regressions) | ||||||
|         for filename in ("strip_tags1.html", "strip_tags2.txt"): |         for filename in ("strip_tags1.html", "strip_tags2.txt"): | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user