+42
-4
lines changedFilter options
+42
-4
lines changed Original file line number Diff line number Diff line change
@@ -390,7 +390,7 @@ def get_context(self, name, value, attrs):
390 390
context["current_label"] = _("Currently:")
391 391
context["change_label"] = _("Change:")
392 392
context["widget"]["href"] = (
393 -
smart_urlquote(context["widget"]["value"]) if value else ""
393 +
smart_urlquote(context["widget"]["value"]) if url_valid else ""
394 394
)
395 395
context["url_valid"] = url_valid
396 396
return context
@@ -36,6 +36,8 @@
36 36
"spacer",
37 37
}
38 38 39 +
MAX_URL_LENGTH = 2048
40 + 39 41 40 42
@keep_lazy(SafeString)
41 43
def escape(text):
@@ -330,9 +332,9 @@ def handle_word(
330 332
# Make URL we want to point to.
331 333
url = None
332 334
nofollow_attr = ' rel="nofollow"' if nofollow else ""
333 -
if self.simple_url_re.match(middle):
335 +
if len(middle) <= MAX_URL_LENGTH and self.simple_url_re.match(middle):
334 336
url = smart_urlquote(html.unescape(middle))
335 -
elif self.simple_url_2_re.match(middle):
337 +
elif len(middle) <= MAX_URL_LENGTH and self.simple_url_2_re.match(middle):
336 338
url = smart_urlquote("http://%s" % html.unescape(middle))
337 339
elif ":" not in middle and self.is_email_simple(middle):
338 340
local, domain = middle.rsplit("@", 1)
@@ -447,6 +449,10 @@ def is_email_simple(value):
447 449
except ValueError:
448 450
# value contains more than one @.
449 451
return False
452 +
# Max length for domain name labels is 63 characters per RFC 1034.
453 +
# Helps to avoid ReDoS vectors in the domain part.
454 +
if len(p2) > 63:
455 +
return False
450 456
# Dot must be in p2 (e.g. example.com)
451 457
if "." not in p2 or p2.startswith("."):
452 458
return False
@@ -23,6 +23,13 @@ CVE-2024-41990: Potential denial-of-service vulnerability in ``django.utils.html
23 23
denial-of-service attack via very large inputs with a specific sequence of
24 24
characters.
25 25 26 +
CVE-2024-41991: Potential denial-of-service vulnerability in ``django.utils.html.urlize()`` and ``AdminURLFieldWidget``
27 +
=======================================================================================================================
28 + 29 +
:tfilter:`urlize`, :tfilter:`urlizetrunc`, and ``AdminURLFieldWidget`` were
30 +
subject to a potential denial-of-service attack via certain inputs with a very
31 +
large number of Unicode characters.
32 + 26 33
Bugfixes
27 34
========
28 35
@@ -23,6 +23,13 @@ CVE-2024-41990: Potential denial-of-service vulnerability in ``django.utils.html
23 23
denial-of-service attack via very large inputs with a specific sequence of
24 24
characters.
25 25 26 +
CVE-2024-41991: Potential denial-of-service vulnerability in ``django.utils.html.urlize()`` and ``AdminURLFieldWidget``
27 +
=======================================================================================================================
28 + 29 +
:tfilter:`urlize`, :tfilter:`urlizetrunc`, and ``AdminURLFieldWidget`` were
30 +
subject to a potential denial-of-service attack via certain inputs with a very
31 +
large number of Unicode characters.
32 + 26 33
Bugfixes
27 34
========
28 35
@@ -462,7 +462,12 @@ def test_localization(self):
462 462
class AdminURLWidgetTest(SimpleTestCase):
463 463
def test_get_context_validates_url(self):
464 464
w = widgets.AdminURLFieldWidget()
465 -
for invalid in ["", "/not/a/full/url/", 'javascript:alert("Danger XSS!")']:
465 +
for invalid in [
466 +
"",
467 +
"/not/a/full/url/",
468 +
'javascript:alert("Danger XSS!")',
469 +
"http://" + "한.글." * 1_000_000 + "com",
470 +
]:
466 471
with self.subTest(url=invalid):
467 472
self.assertFalse(w.get_context("name", invalid, {})["url_valid"])
468 473
self.assertTrue(w.get_context("name", "http://example.com", {})["url_valid"])
@@ -338,6 +338,15 @@ def test_urlize(self):
338 338
'Search for <a href="http://google.com/?q=">google.com/?q=</a>!',
339 339
),
340 340
("foo@example.com", '<a href="mailto:foo@example.com">foo@example.com</a>'),
341 +
(
342 +
"test@" + "한.글." * 15 + "aaa",
343 +
'<a href="mailto:test@'
344 +
+ "xn--6q8b.xn--bj0b." * 15
345 +
+ 'aaa">'
346 +
+ "test@"
347 +
+ "한.글." * 15
348 +
+ "aaa</a>",
349 +
),
341 350
)
342 351
for value, output in tests:
343 352
with self.subTest(value=value):
@@ -346,6 +355,10 @@ def test_urlize(self):
346 355
def test_urlize_unchanged_inputs(self):
347 356
tests = (
348 357
("a" + "@a" * 50000) + "a", # simple_email_re catastrophic test
358 +
# Unicode domain catastrophic tests.
359 +
"a@" + "한.글." * 1_000_000 + "a",
360 +
"http://" + "한.글." * 1_000_000 + "com",
361 +
"www." + "한.글." * 1_000_000 + "com",
349 362
("a" + "." * 1000000) + "a", # trailing_punctuation catastrophic test
350 363
"foo@",
351 364
"@foo.com",
You can’t perform that action at this time.
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4