Skip to content

Commit

Permalink
[5.0.x] Fixed CVE-2024-45230 -- Mitigated potential DoS in urlize and…
Browse files Browse the repository at this point in the history
… urlizetrunc template filters.

Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
  • Loading branch information
sarahboyce authored and nessita committed Sep 3, 2024
1 parent 05495d4 commit 813de26
Show file tree
Hide file tree
Showing 6 changed files with 56 additions and 9 deletions.
17 changes: 10 additions & 7 deletions django/utils/html.py
Original file line number Diff line number Diff line change
Expand Up @@ -425,14 +425,17 @@ def trim_punctuation(self, word):
potential_entity = middle[amp:]
escaped = html.unescape(potential_entity)
if escaped == potential_entity or escaped.endswith(";"):
rstripped = middle.rstrip(";")
amount_stripped = len(middle) - len(rstripped)
if amp > -1 and amount_stripped > 1:
# Leave a trailing semicolon as might be an entity.
trail = middle[len(rstripped) + 1 :] + trail
middle = rstripped + ";"
rstripped = middle.rstrip(self.trailing_punctuation_chars)
trail_start = len(rstripped)
amount_trailing_semicolons = len(middle) - len(middle.rstrip(";"))
if amp > -1 and amount_trailing_semicolons > 1:
# Leave up to most recent semicolon as might be an entity.
recent_semicolon = middle[trail_start:].index(";")
middle_semicolon_index = recent_semicolon + trail_start + 1
trail = middle[middle_semicolon_index:] + trail
middle = rstripped + middle[trail_start:middle_semicolon_index]
else:
trail = middle[len(rstripped) :] + trail
trail = middle[trail_start:] + trail
middle = rstripped
trimmed_something = True

Expand Down
11 changes: 11 additions & 0 deletions docs/ref/templates/builtins.txt
Original file line number Diff line number Diff line change
Expand Up @@ -2855,6 +2855,17 @@ Django's built-in :tfilter:`escape` filter. The default value for
email addresses that contain single quotes (``'``), things won't work as
expected. Apply this filter only to plain text.

.. warning::

Using ``urlize`` or ``urlizetrunc`` can incur a performance penalty, which
can become severe when applied to user controlled values such as content
stored in a :class:`~django.db.models.TextField`. You can use
:tfilter:`truncatechars` to add a limit to such inputs:

.. code-block:: html+django

{{ value|truncatechars:500|urlize }}

.. templatefilter:: urlizetrunc

``urlizetrunc``
Expand Down
7 changes: 6 additions & 1 deletion docs/releases/4.2.16.txt
Original file line number Diff line number Diff line change
Expand Up @@ -7,4 +7,9 @@ Django 4.2.16 release notes
Django 4.2.16 fixes one security issue with severity "moderate" and one
security issue with severity "low" in 4.2.15.

...
CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
===========================================================================================

:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
denial-of-service attack via very large inputs with a specific sequence of
characters.
7 changes: 6 additions & 1 deletion docs/releases/5.0.9.txt
Original file line number Diff line number Diff line change
Expand Up @@ -7,4 +7,9 @@ Django 5.0.9 release notes
Django 5.0.9 fixes one security issue with severity "moderate" and one security
issue with severity "low" in 5.0.8.

...
CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
===========================================================================================

:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
denial-of-service attack via very large inputs with a specific sequence of
characters.
22 changes: 22 additions & 0 deletions tests/template_tests/filter_tests/test_urlize.py
Original file line number Diff line number Diff line change
Expand Up @@ -305,6 +305,28 @@ def test_trailing_multiple_punctuation(self):
"http://testing.com/example</a>.,:;)&quot;!",
)

def test_trailing_semicolon(self):
self.assertEqual(
urlize("http://example.com?x=&amp;", autoescape=False),
'<a href="http://example.com?x=" rel="nofollow">'
"http://example.com?x=&amp;</a>",
)
self.assertEqual(
urlize("http://example.com?x=&amp;;", autoescape=False),
'<a href="http://example.com?x=" rel="nofollow">'
"http://example.com?x=&amp;</a>;",
)
self.assertEqual(
urlize("http://example.com?x=&amp;;;", autoescape=False),
'<a href="http://example.com?x=" rel="nofollow">'
"http://example.com?x=&amp;</a>;;",
)
self.assertEqual(
urlize("http://example.com?x=&amp.;...;", autoescape=False),
'<a href="http://example.com?x=" rel="nofollow">'
"http://example.com?x=&amp</a>.;...;",
)

def test_brackets(self):
"""
#19070 - Check urlize handles brackets properly
Expand Down
1 change: 1 addition & 0 deletions tests/utils_tests/test_html.py
Original file line number Diff line number Diff line change
Expand Up @@ -374,6 +374,7 @@ def test_urlize_unchanged_inputs(self):
"&:" + ";" * 100_000,
"&.;" * 100_000,
".;" * 100_000,
"&" + ";:" * 100_000,
)
for value in tests:
with self.subTest(value=value):
Expand Down

0 comments on commit 813de26

Please sign in to comment.