RetroSearch Browse

Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Showing content from https://github.com/django/django/commit/d0a82e26a74940bf0c78204933c3bdd6a283eb88 below:

[4.2.x] Fixed CVE-2024-41990 -- Mitigated potential DoS in urlize and… · django/django@d0a82e2 · GitHub

File tree Expand file treeCollapse file tree 3 files changed

+17

-10

lines changed

Filter options

Expand file treeCollapse file tree 3 files changed

+17

-10

lines changed Original file line number Diff line number Diff line change


 @@ -378,23 +378,21 @@ def trim_punctuation(self, word):

378 378


 trimmed_something = True

379 379


 counts[closing] -= strip

380 380 381

-
 rstripped = middle.rstrip(self.trailing_punctuation_chars_no_semicolon)

381

+
 amp = middle.rfind("&")

382

+
 if amp == -1:

383

+
 rstripped = middle.rstrip(self.trailing_punctuation_chars)

384

+
 else:

385

+
 rstripped = middle.rstrip(self.trailing_punctuation_chars_no_semicolon)

382 386


 if rstripped != middle:

383 387


 trail = middle[len(rstripped) :] + trail

384 388


 middle = rstripped

385 389


 trimmed_something = True

386 390 387 391


 if self.trailing_punctuation_chars_has_semicolon and middle.endswith(";"):

388 392


 # Only strip if not part of an HTML entity.

389

-
 amp = middle.rfind("&")

390

-
 if amp == -1:

391

-
 can_strip = True

392

-
 else:

393

-
 potential_entity = middle[amp:]

394

-
 escaped = html.unescape(potential_entity)

395

-
 can_strip = (escaped == potential_entity) or escaped.endswith(";")

396 - 397

-
 if can_strip:

393

+
 potential_entity = middle[amp:]

394

+
 escaped = html.unescape(potential_entity)

395

+
 if escaped == potential_entity or escaped.endswith(";"):

398 396


 rstripped = middle.rstrip(";")

399 397


 amount_stripped = len(middle) - len(rstripped)

400 398


 if amp > -1 and amount_stripped > 1:

Original file line number Diff line number Diff line change


 @@ -16,6 +16,13 @@ consumption.

16 16 17 17


 To avoid this, decimals with more than 200 digits are now returned as is.

18 18 19

+
 CVE-2024-41990: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``

20

+
 ===========================================================================================

21 + 22

+
 :tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential

23

+
 denial-of-service attack via very large inputs with a specific sequence of

24

+
 characters.

25 + 19 26


 Bugfixes

20 27


 ========

21 28 Original file line number Diff line number Diff line change


 @@ -349,6 +349,8 @@ def test_urlize_unchanged_inputs(self):

349 349


 "[(" * 100_000 + ":" + ")]" * 100_000,

350 350


 "([[" * 100_000 + ":" + "]])" * 100_000,

351 351


 "&:" + ";" * 100_000,

352

+
 "&.;" * 100_000,

353

+
 ".;" * 100_000,

352 354

353 355


 for value in tests:

354 356


 with self.subTest(value=value):

You can’t perform that action at this time.

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4