From c9731dc656e533187b021b4d81f8293d6c943a43 Mon Sep 17 00:00:00 2001
From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
Date: Tue, 8 Apr 2025 16:30:17 +0200
Subject: [PATCH] [5.2.x] Fixed CVE-2025-32873 -- Mitigated potential DoS in
 strip_tags().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Thanks to Elias Myllymäki for the report, and Shai Berger and Jake
Howard for the reviews.

Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>

Backport of 9f3419b519799d69f2aba70b9d25abe2e70d03e0 from main.
---
 django/utils/html.py           |  6 ++++++
 docs/releases/4.2.21.txt       | 11 +++++++++++
 docs/releases/5.1.9.txt        | 11 +++++++++++
 docs/releases/5.2.1.txt        | 11 +++++++++++
 tests/utils_tests/test_html.py | 15 ++++++++++++++-
 5 files changed, 53 insertions(+), 1 deletion(-)

diff --git a/django/utils/html.py b/django/utils/html.py
index 5ac07ba0ee..91224d20b2 100644
--- a/django/utils/html.py
+++ b/django/utils/html.py
@@ -42,6 +42,9 @@ VOID_ELEMENTS = frozenset(
 
 MAX_STRIP_TAGS_DEPTH = 50
 
+# HTML tag that opens but has no closing ">" after 1k+ chars.
+long_open_tag_without_closing_re = _lazy_re_compile(r"<[a-zA-Z][^>]{1000,}")
+
 
 @keep_lazy(SafeString)
 def escape(text):
@@ -213,6 +216,9 @@ def _strip_once(value):
 def strip_tags(value):
     """Return the given HTML with all tags stripped."""
     value = str(value)
+    for long_open_tag in long_open_tag_without_closing_re.finditer(value):
+        if long_open_tag.group().count("<") >= MAX_STRIP_TAGS_DEPTH:
+            raise SuspiciousOperation
     # Note: in typical case this loop executes _strip_once twice (the second
     # execution does not remove any more tags).
     strip_tags_depth = 0
diff --git a/docs/releases/4.2.21.txt b/docs/releases/4.2.21.txt
index 306269a3e7..cc39105a01 100644
--- a/docs/releases/4.2.21.txt
+++ b/docs/releases/4.2.21.txt
@@ -7,6 +7,17 @@ Django 4.2.21 release notes
 Django 4.2.21 fixes a security issue with severity "moderate", a data loss bug,
 and a regression in 4.2.20.
 
+CVE-2025-32873: Denial-of-service possibility in ``strip_tags()``
+=================================================================
+
+:func:`~django.utils.html.strip_tags` would be slow to evaluate certain inputs
+containing large sequences of incomplete HTML tags. This function is used to
+implement the :tfilter:`striptags` template filter, which was thus also
+vulnerable.
+
+:func:`~django.utils.html.strip_tags` now raises a :exc:`.SuspiciousOperation`
+exception if it encounters an unusually large number of unclosed opening tags.
+
 Bugfixes
 ========
 
diff --git a/docs/releases/5.1.9.txt b/docs/releases/5.1.9.txt
index dec03a6964..f238ac1f7e 100644
--- a/docs/releases/5.1.9.txt
+++ b/docs/releases/5.1.9.txt
@@ -7,6 +7,17 @@ Django 5.1.9 release notes
 Django 5.1.9 fixes a security issue with severity "moderate", a data loss bug,
 and a regression in 5.1.8.
 
+CVE-2025-32873: Denial-of-service possibility in ``strip_tags()``
+=================================================================
+
+:func:`~django.utils.html.strip_tags` would be slow to evaluate certain inputs
+containing large sequences of incomplete HTML tags. This function is used to
+implement the :tfilter:`striptags` template filter, which was thus also
+vulnerable.
+
+:func:`~django.utils.html.strip_tags` now raises a :exc:`.SuspiciousOperation`
+exception if it encounters an unusually large number of unclosed opening tags.
+
 Bugfixes
 ========
 
diff --git a/docs/releases/5.2.1.txt b/docs/releases/5.2.1.txt
index 1f696a7551..0d7b40bf42 100644
--- a/docs/releases/5.2.1.txt
+++ b/docs/releases/5.2.1.txt
@@ -7,6 +7,17 @@ Django 5.2.1 release notes
 Django 5.2.1 fixes a security issue with severity "moderate" and several bugs
 in 5.2.
 
+CVE-2025-32873: Denial-of-service possibility in ``strip_tags()``
+=================================================================
+
+:func:`~django.utils.html.strip_tags` would be slow to evaluate certain inputs
+containing large sequences of incomplete HTML tags. This function is used to
+implement the :tfilter:`striptags` template filter, which was thus also
+vulnerable.
+
+:func:`~django.utils.html.strip_tags` now raises a :exc:`.SuspiciousOperation`
+exception if it encounters an unusually large number of unclosed opening tags.
+
 Bugfixes
 ========
 
diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
index 6d259d76d7..caf6598b3d 100644
--- a/tests/utils_tests/test_html.py
+++ b/tests/utils_tests/test_html.py
@@ -147,17 +147,30 @@ class TestUtilsHtml(SimpleTestCase):
             ("><!" + ("&" * 16000) + "D", "><!" + ("&" * 16000) + "D"),
             ("X<<<<br>br>br>br>X", "XX"),
             ("<" * 50 + "a>" * 50, ""),
+            (">" + "<a" * 500 + "a", ">" + "<a" * 500 + "a"),
+            ("<a" * 49 + "a" * 951, "<a" * 49 + "a" * 951),
+            ("<" + "a" * 1_002, "<" + "a" * 1_002),
         )
         for value, output in items:
             with self.subTest(value=value, output=output):
                 self.check_output(strip_tags, value, output)
                 self.check_output(strip_tags, lazystr(value), output)
 
-    def test_strip_tags_suspicious_operation(self):
+    def test_strip_tags_suspicious_operation_max_depth(self):
         value = "<" * 51 + "a>" * 51, "<a>"
         with self.assertRaises(SuspiciousOperation):
             strip_tags(value)
 
+    def test_strip_tags_suspicious_operation_large_open_tags(self):
+        items = [
+            ">" + "<a" * 501,
+            "<a" * 50 + "a" * 950,
+        ]
+        for value in items:
+            with self.subTest(value=value):
+                with self.assertRaises(SuspiciousOperation):
+                    strip_tags(value)
+
     def test_strip_tags_files(self):
         # Test with more lengthy content (also catching performance regressions)
         for filename in ("strip_tags1.html", "strip_tags2.txt"):