+53
-8
lines changedFilter options
+53
-8
lines changed Original file line number Diff line number Diff line change
@@ -18,8 +18,8 @@ def capfirst(x):
18 18 19 19 20 20
# Set up regular expressions
21 -
re_words = re.compile(r'<.*?>|((?:\w[-\w]*|&.*?;)+)', re.S)
22 -
re_chars = re.compile(r'<.*?>|(.)', re.S)
21 +
re_words = re.compile(r'<[^>]+?>|([^<>\s]+)', re.S)
22 +
re_chars = re.compile(r'<[^>]+?>|(.)', re.S)
23 23
re_tag = re.compile(r'<(/)?(\S+?)(?:(\s*/)|\s.*?)?>', re.S)
24 24
re_newlines = re.compile(r'\r\n|\r') # Used in normalize_newlines
25 25
re_camel_case = re.compile(r'(((?<=[a-z])[A-Z])|([A-Z](?![A-Z]|$)))')
@@ -5,3 +5,17 @@ Django 1.11.23 release notes
5 5
*August 1, 2019*
6 6 7 7
Django 1.11.23 fixes security issues in 1.11.22.
8 + 9 +
CVE-2019-14232: Denial-of-service possibility in ``django.utils.text.Truncator``
10 +
================================================================================
11 + 12 +
If ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methods
13 +
were passed the ``html=True`` argument, they were extremely slow to evaluate
14 +
certain inputs due to a catastrophic backtracking vulnerability in a regular
15 +
expression. The ``chars()`` and ``words()`` methods are used to implement the
16 +
:tfilter:`truncatechars_html` and :tfilter:`truncatewords_html` template
17 +
filters, which were thus vulnerable.
18 + 19 +
The regular expressions used by ``Truncator`` have been simplified in order to
20 +
avoid potential backtracking issues. As a consequence, trailing punctuation may
21 +
now at times be included in the truncated output.
Original file line number Diff line number Diff line change
@@ -5,3 +5,17 @@ Django 2.1.11 release notes
5 5
*August 1, 2019*
6 6 7 7
Django 2.1.11 fixes security issues in 2.1.10.
8 + 9 +
CVE-2019-14232: Denial-of-service possibility in ``django.utils.text.Truncator``
10 +
================================================================================
11 + 12 +
If ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methods
13 +
were passed the ``html=True`` argument, they were extremely slow to evaluate
14 +
certain inputs due to a catastrophic backtracking vulnerability in a regular
15 +
expression. The ``chars()`` and ``words()`` methods are used to implement the
16 +
:tfilter:`truncatechars_html` and :tfilter:`truncatewords_html` template
17 +
filters, which were thus vulnerable.
18 + 19 +
The regular expressions used by ``Truncator`` have been simplified in order to
20 +
avoid potential backtracking issues. As a consequence, trailing punctuation may
21 +
now at times be included in the truncated output.
Original file line number Diff line number Diff line change
@@ -16,13 +16,13 @@ def test_truncate(self):
16 16
def test_truncate2(self):
17 17
self.assertEqual(
18 18
truncatewords_html('<p>one <a href="#">two - three <br>four</a> five</p>', 4),
19 -
'<p>one <a href="#">two - three <br>four ...</a></p>',
19 +
'<p>one <a href="#">two - three ...</a></p>',
20 20
)
21 21 22 22
def test_truncate3(self):
23 23
self.assertEqual(
24 24
truncatewords_html('<p>one <a href="#">two - three <br>four</a> five</p>', 5),
25 -
'<p>one <a href="#">two - three <br>four</a> five</p>',
25 +
'<p>one <a href="#">two - three <br>four ...</a></p>',
26 26
)
27 27 28 28
def test_truncate4(self):
@@ -85,6 +85,17 @@ def test_truncate_chars(self):
85 85
# lazy strings are handled correctly
86 86
self.assertEqual(text.Truncator(lazystr('The quick brown fox')).chars(12), 'The quick...')
87 87 88 +
def test_truncate_chars_html(self):
89 +
perf_test_values = [
90 +
(('</a' + '\t' * 50000) + '//>', None),
91 +
('&' * 50000, '&' * 7 + '...'),
92 +
('_X<<<<<<<<<<<>', None),
93 +
]
94 +
for value, expected in perf_test_values:
95 +
with self.subTest(value=value):
96 +
truncator = text.Truncator(value)
97 +
self.assertEqual(expected if expected else value, truncator.chars(10, html=True))
98 + 88 99
def test_truncate_words(self):
89 100
truncator = text.Truncator('The quick brown fox jumped over the lazy dog.')
90 101
self.assertEqual('The quick brown fox jumped over the lazy dog.', truncator.words(10))
@@ -134,11 +145,17 @@ def test_truncate_html_words(self):
134 145
truncator = text.Truncator('<i>Buenos días! ¿Cómo está?</i>')
135 146
self.assertEqual('<i>Buenos días! ¿Cómo...</i>', truncator.words(3, '...', html=True))
136 147
truncator = text.Truncator('<p>I <3 python, what about you?</p>')
137 -
self.assertEqual('<p>I <3 python...</p>', truncator.words(3, '...', html=True))
148 +
self.assertEqual('<p>I <3 python,...</p>', truncator.words(3, '...', html=True))
138 149 139 -
re_tag_catastrophic_test = ('</a' + '\t' * 50000) + '//>'
140 -
truncator = text.Truncator(re_tag_catastrophic_test)
141 -
self.assertEqual(re_tag_catastrophic_test, truncator.words(500, html=True))
150 +
perf_test_values = [
151 +
('</a' + '\t' * 50000) + '//>',
152 +
'&' * 50000,
153 +
'_X<<<<<<<<<<<>',
154 +
]
155 +
for value in perf_test_values:
156 +
with self.subTest(value=value):
157 +
truncator = text.Truncator(value)
158 +
self.assertEqual(value, truncator.words(50, html=True))
142 159 143 160
def test_wrap(self):
144 161
digits = '1234 67 9'
You can’t perform that action at this time.
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4