RetroSearch Browse

Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Showing content from https://github.com/django/django/commit/7b7b909579c8311c140c89b8a9431bf537febf93 below:

[5.0.x] Fixed CVE-2024-41990 -- Mitigated potential DoS in urlize and… · django/django@7b7b909 · GitHub

File tree Expand file treeCollapse file tree 4 files changed

+24

-10

lines changed

Filter options

Expand file treeCollapse file tree 4 files changed

+24

-10

lines changed Original file line number Diff line number Diff line change


 @@ -408,23 +408,21 @@ def trim_punctuation(self, word):

408 408


 trimmed_something = True

409 409


 counts[closing] -= strip

410 410 411

-
 rstripped = middle.rstrip(self.trailing_punctuation_chars_no_semicolon)

411

+
 amp = middle.rfind("&")

412

+
 if amp == -1:

413

+
 rstripped = middle.rstrip(self.trailing_punctuation_chars)

414

+
 else:

415

+
 rstripped = middle.rstrip(self.trailing_punctuation_chars_no_semicolon)

412 416


 if rstripped != middle:

413 417


 trail = middle[len(rstripped) :] + trail

414 418


 middle = rstripped

415 419


 trimmed_something = True

416 420 417 421


 if self.trailing_punctuation_chars_has_semicolon and middle.endswith(";"):

418 422


 # Only strip if not part of an HTML entity.

419

-
 amp = middle.rfind("&")

420

-
 if amp == -1:

421

-
 can_strip = True

422

-
 else:

423

-
 potential_entity = middle[amp:]

424

-
 escaped = html.unescape(potential_entity)

425

-
 can_strip = (escaped == potential_entity) or escaped.endswith(";")

426 - 427

-
 if can_strip:

423

+
 potential_entity = middle[amp:]

424

+
 escaped = html.unescape(potential_entity)

425

+
 if escaped == potential_entity or escaped.endswith(";"):

428 426


 rstripped = middle.rstrip(";")

429 427


 amount_stripped = len(middle) - len(rstripped)

430 428


 if amp > -1 and amount_stripped > 1:

Original file line number Diff line number Diff line change


 @@ -16,6 +16,13 @@ consumption.

16 16 17 17


 To avoid this, decimals with more than 200 digits are now returned as is.

18 18 19

+
 CVE-2024-41990: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``

20

+
 ===========================================================================================

21 + 22

+
 :tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential

23

+
 denial-of-service attack via very large inputs with a specific sequence of

24

+
 characters.

25 + 19 26


 Bugfixes

20 27


 ========

21 28 Original file line number Diff line number Diff line change


 @@ -16,6 +16,13 @@ consumption.

16 16 17 17


 To avoid this, decimals with more than 200 digits are now returned as is.

18 18 19

+
 CVE-2024-41990: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``

20

+
 ===========================================================================================

21 + 22

+
 :tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential

23

+
 denial-of-service attack via very large inputs with a specific sequence of

24

+
 characters.

25 + 19 26


 Bugfixes

20 27


 ========

21 28 Original file line number Diff line number Diff line change


 @@ -359,6 +359,8 @@ def test_urlize_unchanged_inputs(self):

359 359


 "[(" * 100_000 + ":" + ")]" * 100_000,

360 360


 "([[" * 100_000 + ":" + "]])" * 100_000,

361 361


 "&:" + ";" * 100_000,

362

+
 "&.;" * 100_000,

363

+
 ".;" * 100_000,

362 364

363 365


 for value in tests:

364 366


 with self.subTest(value=value):

You can’t perform that action at this time.

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4