
[5.1.x] Fixed CVE-2024-41991 -- Prevented potential ReDoS in django.utils.html.urlize() and AdminURLFieldWidget.

Thanks Seokchan Yoon for the report.

Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
This commit is contained in:
Mariusz Felisiak
2024-07-10 20:30:12 +02:00
committed by Sarah Boyce
parent 0c1a890916
commit bd807c0c25
6 changed files with 42 additions and 4 deletions


@@ -462,7 +462,12 @@ class AdminSplitDateTimeWidgetTest(SimpleTestCase):
class AdminURLWidgetTest(SimpleTestCase):
def test_get_context_validates_url(self):
w = widgets.AdminURLFieldWidget()
for invalid in ["", "/not/a/full/url/", 'javascript:alert("Danger XSS!")']:
for invalid in [
"",
"/not/a/full/url/",
'javascript:alert("Danger XSS!")',
"http://" + "한.글." * 1_000_000 + "com",
]:
with self.subTest(url=invalid):
self.assertFalse(w.get_context("name", invalid, {})["url_valid"])
self.assertTrue(w.get_context("name", "http://example.com", {})["url_valid"])
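Review bot: The new `"http://" + "한.글." * 1_000_000 + "com"` entry is the ReDoS regression check the commit title describes, but it sits in the list indistinguishable from ordinary invalid URLs, and a future regression in the validator would surface as this subTest hanging rather than failing an assertion, so its purpose should be stated next to it. Add a comment on that line such as `# CVE-2024-41991 regression: a multi-megabyte IDN host must be rejected quickly (by length), not by catastrophic regex backtracking.` If the project has a fixture or helper that bounds a test's wall-clock time, wrapping this subTest in it would turn a hang into a clear failure; whether such a helper exists is not visible here. AdminURLWidgetTest may continue past the end of the hunk.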