From 8618271caa0b09daba39ff3b46567d33ae1e1d3a Mon Sep 17 00:00:00 2001 From: Tim Graham Date: Sat, 24 Feb 2018 11:30:11 -0500 Subject: [PATCH] Fixed CVE-2018-7536 -- Fixed catastrophic backtracking in urlize and urlizetrunc template filters. Thanks Florian Apolloner for assisting with the patch. --- django/utils/html.py | 33 +++++++++++++++++++++------------ docs/releases/1.11.11.txt | 11 +++++++++++ docs/releases/1.8.19.txt | 11 +++++++++++ docs/releases/2.0.3.txt | 11 +++++++++++ tests/utils_tests/test_html.py | 9 +++++++++ 5 files changed, 63 insertions(+), 12 deletions(-) diff --git a/django/utils/html.py b/django/utils/html.py index ed105b2869..c5035e3b23 100644 --- a/django/utils/html.py +++ b/django/utils/html.py @@ -13,12 +13,7 @@ from django.utils.safestring import SafeData, SafeText, mark_safe from django.utils.text import normalize_newlines # Configuration for urlize() function. -TRAILING_PUNCTUATION_RE = re.compile( - '^' # Beginning of word - '(.*?)' # The URL in word - '([.,:;!]+)' # Allowed non-wrapping, trailing punctuation - '$' # End of word -) +TRAILING_PUNCTUATION_CHARS = '.,:;!' WRAPPING_PUNCTUATION = [('(', ')'), ('<', '>'), ('[', ']'), ('<', '>'), ('"', '"'), ('\'', '\'')] # List of possible strings used for bullets in bulleted lists. @@ -28,7 +23,6 @@ unencoded_ampersands_re = re.compile(r'&(?!(\w+|#\d+);)') word_split_re = re.compile(r'''([\s<>"']+)''') simple_url_re = re.compile(r'^https?://\[?\w', re.IGNORECASE) simple_url_2_re = re.compile(r'^www\.|^(?!http)\w[^@]+\.(com|edu|gov|int|mil|net|org)($|/.*)$', re.IGNORECASE) -simple_email_re = re.compile(r'^\S+@\S+\.\S+$') _html_escapes = { ord('&'): '&', @@ -293,10 +287,10 @@ def urlize(text, trim_url_limit=None, nofollow=False, autoescape=False): trimmed_something = False # Trim trailing punctuation. - match = TRAILING_PUNCTUATION_RE.match(middle) - if match: - middle = match.group(1) - trail = match.group(2) + trail + stripped = middle.rstrip(TRAILING_PUNCTUATION_CHARS) + if middle != stripped: + trail = middle[len(stripped):] + trail + middle = stripped trimmed_something = True # Trim wrapping punctuation. @@ -313,6 +307,21 @@ def urlize(text, trim_url_limit=None, nofollow=False, autoescape=False): trimmed_something = True return lead, middle, trail + def is_email_simple(value): + """Return True if value looks like an email address.""" + # An @ must be in the middle of the value. + if '@' not in value or value.startswith('@') or value.endswith('@'): + return False + try: + p1, p2 = value.split('@') + except ValueError: + # value contains more than one @. + return False + # Dot must be in p2 (e.g. example.com) + if '.' not in p2 or p2.startswith('.'): + return False + return True + words = word_split_re.split(str(text)) for i, word in enumerate(words): if '.' in word or '@' in word or ':' in word: @@ -332,7 +341,7 @@ def urlize(text, trim_url_limit=None, nofollow=False, autoescape=False): elif simple_url_2_re.match(middle): middle, middle_unescaped, trail = unescape(middle, trail) url = smart_urlquote('http://%s' % middle_unescaped) - elif ':' not in middle and simple_email_re.match(middle): + elif ':' not in middle and is_email_simple(middle): local, domain = middle.rsplit('@', 1) try: domain = domain.encode('idna').decode('ascii') diff --git a/docs/releases/1.11.11.txt b/docs/releases/1.11.11.txt index c344f3e7b5..696465fd47 100644 --- a/docs/releases/1.11.11.txt +++ b/docs/releases/1.11.11.txt @@ -5,3 +5,14 @@ Django 1.11.11 release notes *March 6, 2018* Django 1.11.11 fixes two security issues in 1.11.10. + +CVE-2018-7536: Denial-of-service possibility in ``urlize`` and ``urlizetrunc`` template filters +=============================================================================================== + +The ``django.utils.html.urlize()`` function was extremely slow to evaluate +certain inputs due to catastrophic backtracking vulnerabilities in two regular +expressions. The ``urlize()`` function is used to implement the ``urlize`` and +``urlizetrunc`` template filters, which were thus vulnerable. + +The problematic regular expressions are replaced with parsing logic that +behaves similarly. diff --git a/docs/releases/1.8.19.txt b/docs/releases/1.8.19.txt index 9709f2622d..ae509f11c4 100644 --- a/docs/releases/1.8.19.txt +++ b/docs/releases/1.8.19.txt @@ -5,3 +5,14 @@ Django 1.8.19 release notes *March 6, 2018* Django 1.8.19 fixes two security issues in 1.18.18. + +CVE-2018-7536: Denial-of-service possibility in ``urlize`` and ``urlizetrunc`` template filters +=============================================================================================== + +The ``django.utils.html.urlize()`` function was extremely slow to evaluate +certain inputs due to a catastrophic backtracking vulnerability in a regular +expression. The ``urlize()`` function is used to implement the ``urlize`` and +``urlizetrunc`` template filters, which were thus vulnerable. + +The problematic regular expression is replaced with parsing logic that behaves +similarly. diff --git a/docs/releases/2.0.3.txt b/docs/releases/2.0.3.txt index b4d0ed0c23..a4c01302d1 100644 --- a/docs/releases/2.0.3.txt +++ b/docs/releases/2.0.3.txt @@ -7,6 +7,17 @@ Django 2.0.3 release notes Django 2.0.3 fixes two security issues and several bugs in 2.0.2. Also, the latest string translations from Transifex are incorporated. +CVE-2018-7536: Denial-of-service possibility in ``urlize`` and ``urlizetrunc`` template filters +=============================================================================================== + +The ``django.utils.html.urlize()`` function was extremely slow to evaluate +certain inputs due to catastrophic backtracking vulnerabilities in two regular +expressions. The ``urlize()`` function is used to implement the ``urlize`` and +``urlizetrunc`` template filters, which were thus vulnerable. + +The problematic regular expressions are replaced with parsing logic that +behaves similarly. + Bugfixes ======== diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py index 4f0cc8d459..cce29c3fcd 100644 --- a/tests/utils_tests/test_html.py +++ b/tests/utils_tests/test_html.py @@ -253,3 +253,12 @@ class TestUtilsHtml(SimpleTestCase): for value, output in tests: with self.subTest(value=value): self.assertEqual(urlize(value), output) + + def test_urlize_unchanged_inputs(self): + tests = ( + ('a' + '@a' * 50000) + 'a', # simple_email_re catastrophic test + ('a' + '.' * 1000000) + 'a', # trailing_punctuation catastrophic test + ) + for value in tests: + with self.subTest(value=value): + self.assertEqual(urlize(value), value)