Home Explore Help
Sign In
CityApper
/
django
mirror of https://github.com/django/django
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

[5.0.x] Fixed CVE-2025-26699 -- Mitigated potential DoS in wordwrap template filter.

Thanks sw0rd1ight for the report.

Backport of 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b from main.
Sarah Boyce 4 weeks ago
parent
e8d4030146
commit
4f27652323
4 changed files with 33 additions and 18 deletions
Split View Show Diff Stats
  1. 10 18
      django/utils/text.py
  2. 6 0
      docs/releases/4.2.20.txt
  3. 6 0
      docs/releases/5.0.13.txt
  4. 11 0
      tests/template_tests/filter_tests/test_wordwrap.py

+ 10 - 18
django/utils/text.py
View File 

@@ -1,6 +1,7 @@
 
 import gzip
 
 import re
 
 import secrets
 
+import textwrap
 
 import unicodedata
 
 from gzip import GzipFile
 
 from gzip import compress as gzip_compress
 
@@ -97,24 +98,15 @@ def wrap(text, width):
 
     ``width``.
 
     """
 
 
-    def _generator():
 
-        for line in text.splitlines(True):  # True keeps trailing linebreaks
 
-            max_width = min((line.endswith("\n") and width + 1 or width), width)
 
-            while len(line) > max_width:
 
-                space = line[: max_width + 1].rfind(" ") + 1
 
-                if space == 0:
 
-                    space = line.find(" ") + 1
 
-                    if space == 0:
 
-                        yield line
 
-                        line = ""
 
-                        break
 
-                yield "%s\n" % line[: space - 1]
 
-                line = line[space:]
 
-                max_width = min((line.endswith("\n") and width + 1 or width), width)
 
-            if line:
 
-                yield line
 
-
 
-    return "".join(_generator())
 
+    wrapper = textwrap.TextWrapper(
 
+        width=width,
 
+        break_long_words=False,
 
+        break_on_hyphens=False,
 
+    )
 
+    result = []
 
+    for line in text.splitlines(True):
 
+        result.extend(wrapper.wrap(line))
 
+    return "\n".join(result)
 
 
 
 def add_truncation_text(text, truncate=None):

+ 6 - 0
docs/releases/4.2.20.txt
View File 

@@ -5,3 +5,9 @@ Django 4.2.20 release notes
 
 *March 6, 2025*
 
 
 Django 4.2.20 fixes a security issue with severity "moderate" in 4.2.19.
 
+
 
+CVE-2025-26699: Potential denial-of-service vulnerability in ``django.utils.text.wrap()``
 
+=========================================================================================
 
+
 
+The ``wrap()`` and :tfilter:`wordwrap` template filter were subject to a
 
+potential denial-of-service attack when used with very long strings.

+ 6 - 0
docs/releases/5.0.13.txt
View File 

@@ -5,3 +5,9 @@ Django 5.0.13 release notes
 
 *March 6, 2025*
 
 
 Django 5.0.13 fixes a security issue with severity "moderate" in 5.0.12.
 
+
 
+CVE-2025-26699: Potential denial-of-service vulnerability in ``django.utils.text.wrap()``
 
+=========================================================================================
 
+
 
+The ``wrap()`` and :tfilter:`wordwrap` template filter were subject to a
 
+potential denial-of-service attack when used with very long strings.

+ 11 - 0
tests/template_tests/filter_tests/test_wordwrap.py
View File 

@@ -78,3 +78,14 @@ class FunctionTests(SimpleTestCase):
 
             "this is a long\nparagraph of\ntext that\nreally needs\nto be wrapped\n"
 
             "I'm afraid",
 
         )
 
+
 
+    def test_wrap_long_text(self):
 
+        long_text = (
 
+            "this is a long paragraph of text that really needs"
 
+            " to be wrapped I'm afraid " * 20_000
 
+        )
 
+        self.assertIn(
 
+            "this is a\nlong\nparagraph\nof text\nthat\nreally\nneeds to\nbe wrapped\n"
 
+            "I'm afraid",
 
+            wordwrap(long_text, 10),
 
+        )