From 320dd27412e791e119d088281913d8f649617a13 Mon Sep 17 00:00:00 2001
From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
Date: Mon, 12 Aug 2024 15:17:57 +0200
Subject: [PATCH] Fixed CVE-2024-45230 -- Mitigated potential DoS in urlize and
urlizetrunc template filters.
Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
---
django/utils/html.py | 17 ++++++++++-------
docs/ref/templates/builtins.txt | 11 +++++++++++
docs/releases/4.2.16.txt | 7 ++++++-
docs/releases/5.0.9.txt | 7 ++++++-
docs/releases/5.1.1.txt | 7 +++++++
.../template_tests/filter_tests/test_urlize.py | 5 +++++
tests/utils_tests/test_html.py | 1 +
7 files changed, 46 insertions(+), 9 deletions(-)
diff --git a/django/utils/html.py b/django/utils/html.py
index 576eabc6839..b34af183d03 100644
--- a/django/utils/html.py
+++ b/django/utils/html.py
@@ -434,14 +434,17 @@ class Urlizer:
potential_entity = middle[amp:]
escaped = html.unescape(potential_entity)
if escaped == potential_entity or escaped.endswith(";"):
- rstripped = middle.rstrip(";")
- amount_stripped = len(middle) - len(rstripped)
- if amp > -1 and amount_stripped > 1:
- # Leave a trailing semicolon as might be an entity.
- trail = middle[len(rstripped) + 1 :] + trail
- middle = rstripped + ";"
+ rstripped = middle.rstrip(self.trailing_punctuation_chars)
+ trail_start = len(rstripped)
+ amount_trailing_semicolons = len(middle) - len(middle.rstrip(";"))
+ if amp > -1 and amount_trailing_semicolons > 1:
+ # Leave up to most recent semicolon as might be an entity.
+ recent_semicolon = middle[trail_start:].index(";")
+ middle_semicolon_index = recent_semicolon + trail_start + 1
+ trail = middle[middle_semicolon_index:] + trail
+ middle = rstripped + middle[trail_start:middle_semicolon_index]
else:
- trail = middle[len(rstripped) :] + trail
+ trail = middle[trail_start:] + trail
middle = rstripped
trimmed_something = True
diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt
index a97fd9e9e0c..d34742f210b 100644
--- a/docs/ref/templates/builtins.txt
+++ b/docs/ref/templates/builtins.txt
@@ -2922,6 +2922,17 @@ Django's built-in :tfilter:`escape` filter. The default value for
email addresses that contain single quotes (``'``), things won't work as
expected. Apply this filter only to plain text.
+.. warning::
+
+ Using ``urlize`` or ``urlizetrunc`` can incur a performance penalty, which
+ can become severe when applied to user controlled values such as content
+ stored in a :class:`~django.db.models.TextField`. You can use
+ :tfilter:`truncatechars` to add a limit to such inputs:
+
+ .. code-block:: html+django
+
+ {{ value|truncatechars:500|urlize }}
+
.. templatefilter:: urlizetrunc
``urlizetrunc``
diff --git a/docs/releases/4.2.16.txt b/docs/releases/4.2.16.txt
index 98530043860..2a84186867c 100644
--- a/docs/releases/4.2.16.txt
+++ b/docs/releases/4.2.16.txt
@@ -7,4 +7,9 @@ Django 4.2.16 release notes
Django 4.2.16 fixes one security issue with severity "moderate" and one
security issue with severity "low" in 4.2.15.
-...
+CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
+===========================================================================================
+
+:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
+denial-of-service attack via very large inputs with a specific sequence of
+characters.
diff --git a/docs/releases/5.0.9.txt b/docs/releases/5.0.9.txt
index eb3dbe832d8..50e94ea3f2e 100644
--- a/docs/releases/5.0.9.txt
+++ b/docs/releases/5.0.9.txt
@@ -7,4 +7,9 @@ Django 5.0.9 release notes
Django 5.0.9 fixes one security issue with severity "moderate" and one security
issue with severity "low" in 5.0.8.
-...
+CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
+===========================================================================================
+
+:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
+denial-of-service attack via very large inputs with a specific sequence of
+characters.
diff --git a/docs/releases/5.1.1.txt b/docs/releases/5.1.1.txt
index 743f2753a8e..dd249291004 100644
--- a/docs/releases/5.1.1.txt
+++ b/docs/releases/5.1.1.txt
@@ -7,6 +7,13 @@ Django 5.1.1 release notes
Django 5.1.1 fixes one security issue with severity "moderate", one security
issue with severity "low", and several bugs in 5.1.
+CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
+===========================================================================================
+
+:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
+denial-of-service attack via very large inputs with a specific sequence of
+characters.
+
Bugfixes
========
diff --git a/tests/template_tests/filter_tests/test_urlize.py b/tests/template_tests/filter_tests/test_urlize.py
index c19103859eb..546bd6c7d61 100644
--- a/tests/template_tests/filter_tests/test_urlize.py
+++ b/tests/template_tests/filter_tests/test_urlize.py
@@ -321,6 +321,11 @@ class FunctionTests(SimpleTestCase):
''
"http://example.com?x=&;;",
)
+ self.assertEqual(
+ urlize("http://example.com?x=&.;...;", autoescape=False),
+ ''
+ "http://example.com?x=&.;...;",
+ )
def test_brackets(self):
"""
diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
index befa73a555f..b47919df995 100644
--- a/tests/utils_tests/test_html.py
+++ b/tests/utils_tests/test_html.py
@@ -396,6 +396,7 @@ class TestUtilsHtml(SimpleTestCase):
"&:" + ";" * 100_000,
"&.;" * 100_000,
".;" * 100_000,
+ "&" + ";:" * 100_000,
)
for value in tests:
with self.subTest(value=value):