Home Explore Help
Sign In
CityApper
/
django
mirror of https://github.com/django/django
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

[5.0.x] Fixed CVE-2024-45230 -- Mitigated potential DoS in urlize and urlizetrunc template filters.

Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
Sarah Boyce 7 months ago
parent
05495d4f5e
commit
813de2672b
6 changed files with 56 additions and 9 deletions
Split View Show Diff Stats
  1. 10 7
      django/utils/html.py
  2. 11 0
      docs/ref/templates/builtins.txt
  3. 6 1
      docs/releases/4.2.16.txt
  4. 6 1
      docs/releases/5.0.9.txt
  5. 22 0
      tests/template_tests/filter_tests/test_urlize.py
  6. 1 0
      tests/utils_tests/test_html.py

+ 10 - 7
django/utils/html.py
View File 

@@ -425,14 +425,17 @@ class Urlizer:
 
                 potential_entity = middle[amp:]
 
                 escaped = html.unescape(potential_entity)
 
                 if escaped == potential_entity or escaped.endswith(";"):
 
-                    rstripped = middle.rstrip(";")
 
-                    amount_stripped = len(middle) - len(rstripped)
 
-                    if amp > -1 and amount_stripped > 1:
 
-                        # Leave a trailing semicolon as might be an entity.
 
-                        trail = middle[len(rstripped) + 1 :] + trail
 
-                        middle = rstripped + ";"
 
+                    rstripped = middle.rstrip(self.trailing_punctuation_chars)
 
+                    trail_start = len(rstripped)
 
+                    amount_trailing_semicolons = len(middle) - len(middle.rstrip(";"))
 
+                    if amp > -1 and amount_trailing_semicolons > 1:
 
+                        # Leave up to most recent semicolon as might be an entity.
 
+                        recent_semicolon = middle[trail_start:].index(";")
 
+                        middle_semicolon_index = recent_semicolon + trail_start + 1
 
+                        trail = middle[middle_semicolon_index:] + trail
 
+                        middle = rstripped + middle[trail_start:middle_semicolon_index]
 
                     else:
 
-                        trail = middle[len(rstripped) :] + trail
 
+                        trail = middle[trail_start:] + trail
 
                         middle = rstripped
 
                     trimmed_something = True

+ 11 - 0
docs/ref/templates/builtins.txt
View File 

@@ -2855,6 +2855,17 @@ Django's built-in :tfilter:`escape` filter. The default value for
 
     email addresses that contain single quotes (``'``), things won't work as
 
     expected. Apply this filter only to plain text.
 
 
+.. warning::
 
+
 
+    Using ``urlize`` or ``urlizetrunc`` can incur a performance penalty, which
 
+    can become severe when applied to user controlled values such as content
 
+    stored in a :class:`~django.db.models.TextField`. You can use
 
+    :tfilter:`truncatechars` to add a limit to such inputs:
 
+
 
+    .. code-block:: html+django
 
+
 
+        {{ value|truncatechars:500|urlize }}
 
+
 
 .. templatefilter:: urlizetrunc
 
 
 ``urlizetrunc``

+ 6 - 1
docs/releases/4.2.16.txt
View File 

@@ -7,4 +7,9 @@ Django 4.2.16 release notes
 
 Django 4.2.16 fixes one security issue with severity "moderate" and one
 
 security issue with severity "low" in 4.2.15.
 
 
-...
 
+CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
 
+===========================================================================================
 
+
 
+:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
 
+denial-of-service attack via very large inputs with a specific sequence of
 
+characters.

+ 6 - 1
docs/releases/5.0.9.txt
View File 

@@ -7,4 +7,9 @@ Django 5.0.9 release notes
 
 Django 5.0.9 fixes one security issue with severity "moderate" and one security
 
 issue with severity "low" in 5.0.8.
 
 
-...
 
+CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
 
+===========================================================================================
 
+
 
+:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
 
+denial-of-service attack via very large inputs with a specific sequence of
 
+characters.

+ 22 - 0
tests/template_tests/filter_tests/test_urlize.py
View File 

@@ -305,6 +305,28 @@ class FunctionTests(SimpleTestCase):
 
             "http://testing.com/example</a>.,:;)&quot;!",
 
         )
 
 
+    def test_trailing_semicolon(self):
 
+        self.assertEqual(
 
+            urlize("http://example.com?x=&amp;", autoescape=False),
 
+            '<a href="http://example.com?x=" rel="nofollow">'
 
+            "http://example.com?x=&amp;</a>",
 
+        )
 
+        self.assertEqual(
 
+            urlize("http://example.com?x=&amp;;", autoescape=False),
 
+            '<a href="http://example.com?x=" rel="nofollow">'
 
+            "http://example.com?x=&amp;</a>;",
 
+        )
 
+        self.assertEqual(
 
+            urlize("http://example.com?x=&amp;;;", autoescape=False),
 
+            '<a href="http://example.com?x=" rel="nofollow">'
 
+            "http://example.com?x=&amp;</a>;;",
 
+        )
 
+        self.assertEqual(
 
+            urlize("http://example.com?x=&amp.;...;", autoescape=False),
 
+            '<a href="http://example.com?x=" rel="nofollow">'
 
+            "http://example.com?x=&amp</a>.;...;",
 
+        )
 
+
 
     def test_brackets(self):
 
         """
 
         #19070 - Check urlize handles brackets properly

+ 1 - 0
tests/utils_tests/test_html.py
View File 

@@ -374,6 +374,7 @@ class TestUtilsHtml(SimpleTestCase):
 
             "&:" + ";" * 100_000,
 
             "&.;" * 100_000,
 
             ".;" * 100_000,
 
+            "&" + ";:" * 100_000,
 
         )
 
         for value in tests:
 
             with self.subTest(value=value):