+64
-13
lines changedFilter options
+64
-13
lines changed Original file line number Diff line number Diff line change
@@ -14,12 +14,7 @@
14 14
from .html_parser import HTMLParseError, HTMLParser
15 15 16 16
# Configuration for urlize() function.
17 -
TRAILING_PUNCTUATION_RE = re.compile(
18 -
'^' # Beginning of word
19 -
'(.*?)' # The URL in word
20 -
'([.,:;!]+)' # Allowed non-wrapping, trailing punctuation
21 -
'$' # End of word
22 -
)
17 +
TRAILING_PUNCTUATION_CHARS = '.,:;!'
23 18
WRAPPING_PUNCTUATION = [('(', ')'), ('<', '>'), ('[', ']'), ('<', '>'), ('"', '"'), ('\'', '\'')]
24 19 25 20
# List of possible strings used for bullets in bulleted lists.
@@ -29,7 +24,6 @@
29 24
word_split_re = re.compile(r'''([\s<>"']+)''')
30 25
simple_url_re = re.compile(r'^https?://\[?\w', re.IGNORECASE)
31 26
simple_url_2_re = re.compile(r'^www\.|^(?!http)\w[^@]+\.(com|edu|gov|int|mil|net|org)($|/.*)$', re.IGNORECASE)
32 -
simple_email_re = re.compile(r'^\S+@\S+\.\S+$')
33 27 34 28 35 29
@keep_lazy(str, SafeText)
@@ -276,10 +270,10 @@ def trim_punctuation(lead, middle, trail):
276 270
trimmed_something = False
277 271 278 272
# Trim trailing punctuation.
279 -
match = TRAILING_PUNCTUATION_RE.match(middle)
280 -
if match:
281 -
middle = match.group(1)
282 -
trail = match.group(2) + trail
273 +
stripped = middle.rstrip(TRAILING_PUNCTUATION_CHARS)
274 +
if middle != stripped:
275 +
trail = middle[len(stripped):] + trail
276 +
middle = stripped
283 277
trimmed_something = True
284 278 285 279
# Trim wrapping punctuation.
@@ -296,6 +290,21 @@ def trim_punctuation(lead, middle, trail):
296 290
trimmed_something = True
297 291
return lead, middle, trail
298 292 293 +
def is_email_simple(value):
294 +
"""Return True if value looks like an email address."""
295 +
# An @ must be in the middle of the value.
296 +
if '@' not in value or value.startswith('@') or value.endswith('@'):
297 +
return False
298 +
try:
299 +
p1, p2 = value.split('@')
300 +
except ValueError:
301 +
# value contains more than one @.
302 +
return False
303 +
# Dot must be in p2 (e.g. example.com)
304 +
if '.' not in p2 or p2.startswith('.'):
305 +
return False
306 +
return True
307 + 299 308
words = word_split_re.split(force_text(text))
300 309
for i, word in enumerate(words):
301 310
if '.' in word or '@' in word or ':' in word:
@@ -315,7 +324,7 @@ def trim_punctuation(lead, middle, trail):
315 324
elif simple_url_2_re.match(middle):
316 325
middle, middle_unescaped, trail = unescape(middle, trail)
317 326
url = smart_urlquote('http://%s' % middle_unescaped)
318 -
elif ':' not in middle and simple_email_re.match(middle):
327 +
elif ':' not in middle and is_email_simple(middle):
319 328
local, domain = middle.rsplit('@', 1)
320 329
try:
321 330
domain = domain.encode('idna').decode('ascii')
@@ -5,3 +5,14 @@ Django 1.11.11 release notes
5 5
*March 6, 2018*
6 6 7 7
Django 1.11.11 fixes two security issues in 1.11.10.
8 + 9 +
CVE-2018-7536: Denial-of-service possibility in ``urlize`` and ``urlizetrunc`` template filters
10 +
===============================================================================================
11 + 12 +
The ``django.utils.html.urlize()`` function was extremely slow to evaluate
13 +
certain inputs due to catastrophic backtracking vulnerabilities in two regular
14 +
expressions. The ``urlize()`` function is used to implement the ``urlize`` and
15 +
``urlizetrunc`` template filters, which were thus vulnerable.
16 + 17 +
The problematic regular expressions are replaced with parsing logic that
18 +
behaves similarly.
Original file line number Diff line number Diff line change
@@ -5,3 +5,14 @@ Django 1.8.19 release notes
5 5
*March 6, 2018*
6 6 7 7
Django 1.8.19 fixes two security issues in 1.18.18.
8 + 9 +
CVE-2018-7536: Denial-of-service possibility in ``urlize`` and ``urlizetrunc`` template filters
10 +
===============================================================================================
11 + 12 +
The ``django.utils.html.urlize()`` function was extremely slow to evaluate
13 +
certain inputs due to a catastrophic backtracking vulnerability in a regular
14 +
expression. The ``urlize()`` function is used to implement the ``urlize`` and
15 +
``urlizetrunc`` template filters, which were thus vulnerable.
16 + 17 +
The problematic regular expression is replaced with parsing logic that behaves
18 +
similarly.
Original file line number Diff line number Diff line change
@@ -7,6 +7,17 @@ Django 2.0.3 release notes
7 7
Django 2.0.3 fixes two security issues and several bugs in 2.0.2. Also, the
8 8
latest string translations from Transifex are incorporated.
9 9 10 +
CVE-2018-7536: Denial-of-service possibility in ``urlize`` and ``urlizetrunc`` template filters
11 +
===============================================================================================
12 + 13 +
The ``django.utils.html.urlize()`` function was extremely slow to evaluate
14 +
certain inputs due to catastrophic backtracking vulnerabilities in two regular
15 +
expressions. The ``urlize()`` function is used to implement the ``urlize`` and
16 +
``urlizetrunc`` template filters, which were thus vulnerable.
17 + 18 +
The problematic regular expressions are replaced with parsing logic that
19 +
behaves similarly.
20 + 10 21
Bugfixes
11 22
========
12 23
@@ -5,7 +5,7 @@
5 5
from django.utils.functional import lazystr
6 6
from django.utils.html import (
7 7
conditional_escape, escape, escapejs, format_html, html_safe, linebreaks,
8 -
smart_urlquote, strip_spaces_between_tags, strip_tags,
8 +
smart_urlquote, strip_spaces_between_tags, strip_tags, urlize,
9 9
)
10 10
from django.utils.safestring import mark_safe
11 11
@@ -216,3 +216,12 @@ def test_html_safe_doesnt_define_str(self):
216 216
@html_safe
217 217
class HtmlClass:
218 218
pass
219 + 220 +
def test_urlize_unchanged_inputs(self):
221 +
tests = (
222 +
('a' + '@a' * 50000) + 'a', # simple_email_re catastrophic test
223 +
('a' + '.' * 1000000) + 'a', # trailing_punctuation catastrophic test
224 +
)
225 +
for value in tests:
226 +
with self.subTest(value=value):
227 +
self.assertEqual(urlize(value), value)
You can’t perform that action at this time.
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4