+51
-12
lines changedFilter options
+51
-12
lines changed Original file line number Diff line number Diff line change
@@ -17,12 +17,7 @@
17 17
from .html_parser import HTMLParseError, HTMLParser
18 18 19 19
# Configuration for urlize() function.
20 -
TRAILING_PUNCTUATION_RE = re.compile(
21 -
'^' # Beginning of word
22 -
'(.*?)' # The URL in word
23 -
'([.,:;!]+)' # Allowed non-wrapping, trailing punctuation
24 -
'$' # End of word
25 -
)
20 +
TRAILING_PUNCTUATION_CHARS = '.,:;!'
26 21
WRAPPING_PUNCTUATION = [('(', ')'), ('<', '>'), ('[', ']'), ('<', '>'), ('"', '"'), ('\'', '\'')]
27 22 28 23
# List of possible strings used for bullets in bulleted lists.
@@ -32,7 +27,6 @@
32 27
word_split_re = re.compile(r'''([\s<>"']+)''')
33 28
simple_url_re = re.compile(r'^https?://\[?\w', re.IGNORECASE)
34 29
simple_url_2_re = re.compile(r'^www\.|^(?!http)\w[^@]+\.(com|edu|gov|int|mil|net|org)($|/.*)$', re.IGNORECASE)
35 -
simple_email_re = re.compile(r'^\S+@\S+\.\S+$')
36 30 37 31 38 32
@keep_lazy(six.text_type, SafeText)
@@ -280,10 +274,10 @@ def trim_punctuation(lead, middle, trail):
280 274
trimmed_something = False
281 275 282 276
# Trim trailing punctuation.
283 -
match = TRAILING_PUNCTUATION_RE.match(middle)
284 -
if match:
285 -
middle = match.group(1)
286 -
trail = match.group(2) + trail
277 +
stripped = middle.rstrip(TRAILING_PUNCTUATION_CHARS)
278 +
if middle != stripped:
279 +
trail = middle[len(stripped):] + trail
280 +
middle = stripped
287 281
trimmed_something = True
288 282 289 283
# Trim wrapping punctuation.
@@ -300,6 +294,21 @@ def trim_punctuation(lead, middle, trail):
300 294
trimmed_something = True
301 295
return lead, middle, trail
302 296 297 +
def is_email_simple(value):
298 +
"""Return True if value looks like an email address."""
299 +
# An @ must be in the middle of the value.
300 +
if '@' not in value or value.startswith('@') or value.endswith('@'):
301 +
return False
302 +
try:
303 +
p1, p2 = value.split('@')
304 +
except ValueError:
305 +
# value contains more than one @.
306 +
return False
307 +
# Dot must be in p2 (e.g. example.com)
308 +
if '.' not in p2 or p2.startswith('.'):
309 +
return False
310 +
return True
311 + 303 312
words = word_split_re.split(force_text(text))
304 313
for i, word in enumerate(words):
305 314
if '.' in word or '@' in word or ':' in word:
@@ -319,7 +328,7 @@ def trim_punctuation(lead, middle, trail):
319 328
elif simple_url_2_re.match(middle):
320 329
middle, middle_unescaped, trail = unescape(middle, trail)
321 330
url = smart_urlquote('http://%s' % middle_unescaped)
322 -
elif ':' not in middle and simple_email_re.match(middle):
331 +
elif ':' not in middle and is_email_simple(middle):
323 332
local, domain = middle.rsplit('@', 1)
324 333
try:
325 334
domain = domain.encode('idna').decode('ascii')
@@ -5,3 +5,14 @@ Django 1.11.11 release notes
5 5
*March 6, 2018*
6 6 7 7
Django 1.11.11 fixes two security issues in 1.11.10.
8 + 9 +
CVE-2018-7536: Denial-of-service possibility in ``urlize`` and ``urlizetrunc`` template filters
10 +
===============================================================================================
11 + 12 +
The ``django.utils.html.urlize()`` function was extremely slow to evaluate
13 +
certain inputs due to catastrophic backtracking vulnerabilities in two regular
14 +
expressions. The ``urlize()`` function is used to implement the ``urlize`` and
15 +
``urlizetrunc`` template filters, which were thus vulnerable.
16 + 17 +
The problematic regular expressions are replaced with parsing logic that
18 +
behaves similarly.
Original file line number Diff line number Diff line change
@@ -5,3 +5,14 @@ Django 1.8.19 release notes
5 5
*March 6, 2018*
6 6 7 7
Django 1.8.19 fixes two security issues in 1.18.18.
8 + 9 +
CVE-2018-7536: Denial-of-service possibility in ``urlize`` and ``urlizetrunc`` template filters
10 +
===============================================================================================
11 + 12 +
The ``django.utils.html.urlize()`` function was extremely slow to evaluate
13 +
certain inputs due to a catastrophic backtracking vulnerability in a regular
14 +
expression. The ``urlize()`` function is used to implement the ``urlize`` and
15 +
``urlizetrunc`` template filters, which were thus vulnerable.
16 + 17 +
The problematic regular expression is replaced with parsing logic that behaves
18 +
similarly.
Original file line number Diff line number Diff line change
@@ -232,3 +232,11 @@ def test_html_safe_doesnt_define_str(self):
232 232
@html.html_safe
233 233
class HtmlClass(object):
234 234
pass
235 + 236 +
def test_urlize_unchanged_inputs(self):
237 +
tests = (
238 +
('a' + '@a' * 50000) + 'a', # simple_email_re catastrophic test
239 +
('a' + '.' * 1000000) + 'a', # trailing_punctuation catastrophic test
240 +
)
241 +
for value in tests:
242 +
self.assertEqual(html.urlize(value), value)
You can’t perform that action at this time.
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4