Source: https://github.com/django/django/commit/813de2672bd7361e9a453ab62cd6e52f96b6525b

[5.0.x] Fixed CVE-2024-45230 -- Mitigated potential DoS in urlize and… · django/django@813de26 · GitHub

6 files changed: +56 -9 lines changed

@@ -425,14 +425,17 @@ def trim_punctuation(self, word):

425 425

potential_entity = middle[amp:]

426 426

escaped = html.unescape(potential_entity)

427 427

if escaped == potential_entity or escaped.endswith(";"):

428 -

rstripped = middle.rstrip(";")

429 -

amount_stripped = len(middle) - len(rstripped)

430 -

if amp > -1 and amount_stripped > 1:

431 -

# Leave a trailing semicolon as might be an entity.

432 -

trail = middle[len(rstripped) + 1 :] + trail

433 -

middle = rstripped + ";"

428 +

rstripped = middle.rstrip(self.trailing_punctuation_chars)

429 +

trail_start = len(rstripped)

430 +

amount_trailing_semicolons = len(middle) - len(middle.rstrip(";"))

431 +

if amp > -1 and amount_trailing_semicolons > 1:

432 +

# Leave up to most recent semicolon as might be an entity.

433 +

recent_semicolon = middle[trail_start:].index(";")

434 +

middle_semicolon_index = recent_semicolon + trail_start + 1

435 +

trail = middle[middle_semicolon_index:] + trail

436 +

middle = rstripped + middle[trail_start:middle_semicolon_index]

434 437

else:

435 -

trail = middle[len(rstripped) :] + trail

438 +

trail = middle[trail_start:] + trail

436 439

middle = rstripped

437 440

trimmed_something = True

438 441
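Review bot: `recent_semicolon = middle[trail_start:].index(";")` (new line 433) only avoids a `ValueError` because `;` is among the characters removed by `middle.rstrip(self.trailing_punctuation_chars)` at new line 428; the guard `amount_trailing_semicolons > 1` counts semicolons on `middle` itself, not on the stripped tail, so a subclass that overrides `trailing_punctuation_chars` without `;` would reach `.index` on a tail that contains none. Either use `find` and fall through to the `else` branch when it returns -1, or record the invariant in a comment next to the guard. Separately, the comment "Leave up to most recent semicolon" describes the first semicolon in the stripped tail (the one that would close the entity), so "Keep the tail up to the first semicolon, which may close an entity" reads more accurately.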

@@ -2855,6 +2855,17 @@ Django's built-in :tfilter:`escape` filter. The default value for

2855 2855

email addresses that contain single quotes (``'``), things won't work as

2856 2856

expected. Apply this filter only to plain text.

2857 2857 2858 +

.. warning::

2859 + 2860 +

Using ``urlize`` or ``urlizetrunc`` can incur a performance penalty, which

2861 +

can become severe when applied to user controlled values such as content

2862 +

stored in a :class:`~django.db.models.TextField`. You can use

2863 +

:tfilter:`truncatechars` to add a limit to such inputs:

2864 + 2865 +

.. code-block:: html+django

2866 + 2867 +

{{ value|truncatechars:500|urlize }}

2868 + 2858 2869

.. templatefilter:: urlizetrunc

2859 2870 2860 2871

``urlizetrunc``
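Review bot: the warning names both `urlize` and `urlizetrunc`, but the example only shows `urlize`; since the argument to `urlizetrunc` shortens the displayed link text rather than the input that is scanned, readers may assume it already bounds the work, so it is worth stating that the `truncatechars` guard applies to both and adding a second line such as `{{ value|truncatechars:500|urlizetrunc:30 }}` to the code block. The text should also say that the order matters: `truncatechars` must come before the urlizing filter, because applied afterwards it would cut the generated HTML rather than the input.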


@@ -7,4 +7,9 @@ Django 4.2.16 release notes

7 7

Django 4.2.16 fixes one security issue with severity "moderate" and one

8 8

security issue with severity "low" in 4.2.15.

9 9 10 -

...

10 +

CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``

11 +

===========================================================================================

12 + 13 +

:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential

14 +

denial-of-service attack via very large inputs with a specific sequence of

15 +

characters.
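Review bot: the section heading names `django.utils.html.urlize()` but the body lists only the `urlize` and `urlizetrunc` template filters; the fix lands in `trim_punctuation()` (first hunk), which the utility function and the filters share, so the body should say that direct callers of `django.utils.html.urlize()` are affected too. The intro on lines 7-8 also says this release fixes one "moderate" and one "low" issue without this section saying which severity CVE-2024-45230 carries; stating it here lets readers triage without cross-referencing the advisory.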


@@ -7,4 +7,9 @@ Django 5.0.9 release notes

7 7

Django 5.0.9 fixes one security issue with severity "moderate" and one security

8 8

issue with severity "low" in 5.0.8.

9 9 10 -

...

10 +

CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``

11 +

===========================================================================================

12 + 13 +

:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential

14 +

denial-of-service attack via very large inputs with a specific sequence of

15 +

characters.
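Review bot: if the `...` placeholder removed at old line 10 was the only remaining stub in these notes, the intro on lines 7-8 now announces two fixed issues ("moderate" and "low") while the body lists a single CVE until the section for the "low" issue lands; either keep the placeholder until that section is added or add both sections in the same commit, and, as with the 4.2.16 notes, say which of the two severities this CVE carries.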


@@ -305,6 +305,28 @@ def test_trailing_multiple_punctuation(self):

305 305

"http://testing.com/example</a>.,:;)&quot;!",

306 306

)

307 307 308 +

def test_trailing_semicolon(self):

309 +

self.assertEqual(

310 +

urlize("http://example.com?x=&amp;", autoescape=False),

311 +

'<a href="http://example.com?x=" rel="nofollow">'

312 +

"http://example.com?x=&amp;</a>",

313 +

)

314 +

self.assertEqual(

315 +

urlize("http://example.com?x=&amp;;", autoescape=False),

316 +

'<a href="http://example.com?x=" rel="nofollow">'

317 +

"http://example.com?x=&amp;</a>;",

318 +

)

319 +

self.assertEqual(

320 +

urlize("http://example.com?x=&amp;;;", autoescape=False),

321 +

'<a href="http://example.com?x=" rel="nofollow">'

322 +

"http://example.com?x=&amp;</a>;;",

323 +

)

324 +

self.assertEqual(

325 +

urlize("http://example.com?x=&amp.;...;", autoescape=False),

326 +

'<a href="http://example.com?x=" rel="nofollow">'

327 +

"http://example.com?x=&amp</a>.;...;",

328 +

)

329 + 308 330

def test_brackets(self):

309 331

"""

310 332

#19070 - Check urlize handles brackets properly
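Review bot: every input in `test_trailing_semicolon` uses `&amp`, a real entity, so the branch that keeps the tail up to the first semicolon is only exercised where that semicolon does close an entity; add a case where `&` is followed by something that is not an entity name, e.g. `urlize("http://example.com?x=&;;", autoescape=False)`, and pin down whether the first `;` stays inside the link, since `html.unescape` returns such a string unchanged and the `escaped == potential_entity` condition then takes the same path. The name `test_trailing_semicolons` would also fit better, as three of the four inputs end with several.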


@@ -374,6 +374,7 @@ def test_urlize_unchanged_inputs(self):

374 374

"&:" + ";" * 100_000,

375 375

"&.;" * 100_000,

376 376

".;" * 100_000,

377 +

"&" + ";:" * 100_000,

377 378

)

378 379

for value in tests:

379 380

with self.subTest(value=value):
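Review bot: the new input `"&" + ";:" * 100_000` only asserts that `urlize()` returns the value unchanged; nothing in `test_urlize_unchanged_inputs` fails if the output is correct but the call is slow again, so a comment in the test saying that these inputs are the regression cases for CVE-2024-45230 and are expected to complete quickly would keep a later refactor of `trim_punctuation()` from quietly reintroducing the slowdown; the neighbouring `"&:" + ";" * 100_000` and `"&.;" * 100_000` entries read the same way.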

