134 lines
6.0 KiB
Diff
134 lines
6.0 KiB
Diff
From 65a776dd25b657cc32edafaad98d91aa0b51e641 Mon Sep 17 00:00:00 2001
|
|
From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
|
|
Date: Mon, 12 Aug 2024 15:17:57 +0200
|
|
Subject: [PATCH 1/2] [4.2.x] Fixed CVE-2024-45230 -- Mitigated potential DoS
|
|
in urlize and urlizetrunc template filters.
|
|
|
|
Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
|
|
---
|
|
django/utils/html.py | 17 ++++++++------
|
|
docs/ref/templates/builtins.txt | 11 ++++++++++
|
|
docs/releases/4.2.16.txt | 15 +++++++++++++
|
|
docs/releases/index.txt | 1 +
|
|
.../filter_tests/test_urlize.py | 22 +++++++++++++++++++
|
|
tests/utils_tests/test_html.py | 1 +
|
|
6 files changed, 60 insertions(+), 7 deletions(-)
|
|
create mode 100644 docs/releases/4.2.16.txt
|
|
|
|
Index: Django-4.2.11/django/utils/html.py
|
|
===================================================================
|
|
--- Django-4.2.11.orig/django/utils/html.py
|
|
+++ Django-4.2.11/django/utils/html.py
|
|
@@ -395,14 +395,17 @@ class Urlizer:
|
|
potential_entity = middle[amp:]
|
|
escaped = html.unescape(potential_entity)
|
|
if escaped == potential_entity or escaped.endswith(";"):
|
|
- rstripped = middle.rstrip(";")
|
|
- amount_stripped = len(middle) - len(rstripped)
|
|
- if amp > -1 and amount_stripped > 1:
|
|
- # Leave a trailing semicolon as might be an entity.
|
|
- trail = middle[len(rstripped) + 1 :] + trail
|
|
- middle = rstripped + ";"
|
|
+ rstripped = middle.rstrip(self.trailing_punctuation_chars)
|
|
+ trail_start = len(rstripped)
|
|
+ amount_trailing_semicolons = len(middle) - len(middle.rstrip(";"))
|
|
+ if amp > -1 and amount_trailing_semicolons > 1:
|
|
+ # Leave up to most recent semicolon as might be an entity.
|
|
+ recent_semicolon = middle[trail_start:].index(";")
|
|
+ middle_semicolon_index = recent_semicolon + trail_start + 1
|
|
+ trail = middle[middle_semicolon_index:] + trail
|
|
+ middle = rstripped + middle[trail_start:middle_semicolon_index]
|
|
else:
|
|
- trail = middle[len(rstripped) :] + trail
|
|
+ trail = middle[trail_start:] + trail
|
|
middle = rstripped
|
|
trimmed_something = True
|
|
|
|
Index: Django-4.2.11/docs/ref/templates/builtins.txt
|
|
===================================================================
|
|
--- Django-4.2.11.orig/docs/ref/templates/builtins.txt
|
|
+++ Django-4.2.11/docs/ref/templates/builtins.txt
|
|
@@ -2831,6 +2831,17 @@ Django's built-in :tfilter:`escape` filt
|
|
email addresses that contain single quotes (``'``), things won't work as
|
|
expected. Apply this filter only to plain text.
|
|
|
|
+.. warning::
|
|
+
|
|
+ Using ``urlize`` or ``urlizetrunc`` can incur a performance penalty, which
|
|
+ can become severe when applied to user controlled values such as content
|
|
+ stored in a :class:`~django.db.models.TextField`. You can use
|
|
+ :tfilter:`truncatechars` to add a limit to such inputs:
|
|
+
|
|
+ .. code-block:: html+django
|
|
+
|
|
+ {{ value|truncatechars:500|urlize }}
|
|
+
|
|
.. templatefilter:: urlizetrunc
|
|
|
|
``urlizetrunc``
|
|
Index: Django-4.2.11/docs/releases/4.2.16.txt
|
|
===================================================================
|
|
--- /dev/null
|
|
+++ Django-4.2.11/docs/releases/4.2.16.txt
|
|
@@ -0,0 +1,15 @@
|
|
+===========================
|
|
+Django 4.2.16 release notes
|
|
+===========================
|
|
+
|
|
+*September 3, 2024*
|
|
+
|
|
+Django 4.2.16 fixes one security issue with severity "moderate" and one
|
|
+security issues with severity "low" in 4.2.15.
|
|
+
|
|
+CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
|
|
+===========================================================================================
|
|
+
|
|
+:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
|
|
+denial-of-service attack via very large inputs with a specific sequence of
|
|
+characters.
|
|
Index: Django-4.2.11/tests/template_tests/filter_tests/test_urlize.py
|
|
===================================================================
|
|
--- Django-4.2.11.orig/tests/template_tests/filter_tests/test_urlize.py
|
|
+++ Django-4.2.11/tests/template_tests/filter_tests/test_urlize.py
|
|
@@ -305,6 +305,28 @@ class FunctionTests(SimpleTestCase):
|
|
"http://testing.com/example</a>.,:;)"!",
|
|
)
|
|
|
|
+ def test_trailing_semicolon(self):
|
|
+ self.assertEqual(
|
|
+ urlize("http://example.com?x=&", autoescape=False),
|
|
+ '<a href="http://example.com?x=" rel="nofollow">'
|
|
+ "http://example.com?x=&</a>",
|
|
+ )
|
|
+ self.assertEqual(
|
|
+ urlize("http://example.com?x=&;", autoescape=False),
|
|
+ '<a href="http://example.com?x=" rel="nofollow">'
|
|
+ "http://example.com?x=&</a>;",
|
|
+ )
|
|
+ self.assertEqual(
|
|
+ urlize("http://example.com?x=&;;", autoescape=False),
|
|
+ '<a href="http://example.com?x=" rel="nofollow">'
|
|
+ "http://example.com?x=&</a>;;",
|
|
+ )
|
|
+ self.assertEqual(
|
|
+ urlize("http://example.com?x=&.;...;", autoescape=False),
|
|
+ '<a href="http://example.com?x=" rel="nofollow">'
|
|
+ "http://example.com?x=&</a>.;...;",
|
|
+ )
|
|
+
|
|
def test_brackets(self):
|
|
"""
|
|
#19070 - Check urlize handles brackets properly
|
|
Index: Django-4.2.11/tests/utils_tests/test_html.py
|
|
===================================================================
|
|
--- Django-4.2.11.orig/tests/utils_tests/test_html.py
|
|
+++ Django-4.2.11/tests/utils_tests/test_html.py
|
|
@@ -364,6 +364,7 @@ class TestUtilsHtml(SimpleTestCase):
|
|
"&:" + ";" * 100_000,
|
|
"&.;" * 100_000,
|
|
".;" * 100_000,
|
|
+ "&" + ";:" * 100_000,
|
|
)
|
|
for value in tests:
|
|
with self.subTest(value=value):
|