From e157315da3ae7005fa0683ffc9751dbeca7306c8 Mon Sep 17 00:00:00 2001
From: Tim Graham <timograham@gmail.com>
Date: Sat, 24 Feb 2018 11:30:11 -0500
Subject: [PATCH] [2.0.x] Fixed CVE-2018-7536 -- Fixed catastrophic
 backtracking in urlize and urlizetrunc template filters.

Thanks Florian Apolloner for assisting with the patch.
---
 django/utils/html.py           | 33 +++++++++++++++++++++------------
 docs/releases/1.11.11.txt      | 11 +++++++++++
 docs/releases/1.8.19.txt       | 11 +++++++++++
 docs/releases/2.0.3.txt        | 11 +++++++++++
 tests/utils_tests/test_html.py | 11 ++++++++++-
 5 files changed, 64 insertions(+), 13 deletions(-)

diff --git a/django/utils/html.py b/django/utils/html.py
index 9f4f58c7a1c..1ef0b39cdc0 100644
--- a/django/utils/html.py
+++ b/django/utils/html.py
@@ -14,12 +14,7 @@ from django.utils.text import normalize_newlines
 from .html_parser import HTMLParseError, HTMLParser
 
 # Configuration for urlize() function.
-TRAILING_PUNCTUATION_RE = re.compile(
-    '^'           # Beginning of word
-    '(.*?)'       # The URL in word
-    '([.,:;!]+)'  # Allowed non-wrapping, trailing punctuation
-    '$'           # End of word
-)
+TRAILING_PUNCTUATION_CHARS = '.,:;!'
 WRAPPING_PUNCTUATION = [('(', ')'), ('<', '>'), ('[', ']'), ('&lt;', '&gt;'), ('"', '"'), ('\'', '\'')]
 
 # List of possible strings used for bullets in bulleted lists.
@@ -29,7 +24,6 @@ unencoded_ampersands_re = re.compile(r'&(?!(\w+|#\d+);)')
 word_split_re = re.compile(r'''([\s<>"']+)''')
 simple_url_re = re.compile(r'^https?://\[?\w', re.IGNORECASE)
 simple_url_2_re = re.compile(r'^www\.|^(?!http)\w[^@]+\.(com|edu|gov|int|mil|net|org)($|/.*)$', re.IGNORECASE)
-simple_email_re = re.compile(r'^\S+@\S+\.\S+$')
 
 
 @keep_lazy(str, SafeText)
@@ -276,10 +270,10 @@ def urlize(text, trim_url_limit=None, nofollow=False, autoescape=False):
             trimmed_something = False
 
             # Trim trailing punctuation.
-            match = TRAILING_PUNCTUATION_RE.match(middle)
-            if match:
-                middle = match.group(1)
-                trail = match.group(2) + trail
+            stripped = middle.rstrip(TRAILING_PUNCTUATION_CHARS)
+            if middle != stripped:
+                trail = middle[len(stripped):] + trail
+                middle = stripped
                 trimmed_something = True
 
             # Trim wrapping punctuation.
@@ -296,6 +290,21 @@ def urlize(text, trim_url_limit=None, nofollow=False, autoescape=False):
                     trimmed_something = True
         return lead, middle, trail
 
+    def is_email_simple(value):
+        """Return True if value looks like an email address."""
+        # An @ must be in the middle of the value.
+        if '@' not in value or value.startswith('@') or value.endswith('@'):
+            return False
+        try:
+            p1, p2 = value.split('@')
+        except ValueError:
+            # value contains more than one @.
+            return False
+        # Dot must be in p2 (e.g. example.com)
+        if '.' not in p2 or p2.startswith('.'):
+            return False
+        return True
+
     words = word_split_re.split(force_text(text))
     for i, word in enumerate(words):
         if '.' in word or '@' in word or ':' in word:
@@ -315,7 +324,7 @@ def urlize(text, trim_url_limit=None, nofollow=False, autoescape=False):
             elif simple_url_2_re.match(middle):
                 middle, middle_unescaped, trail = unescape(middle, trail)
                 url = smart_urlquote('http://%s' % middle_unescaped)
-            elif ':' not in middle and simple_email_re.match(middle):
+            elif ':' not in middle and is_email_simple(middle):
                 local, domain = middle.rsplit('@', 1)
                 try:
                     domain = domain.encode('idna').decode('ascii')
diff --git a/docs/releases/1.11.11.txt b/docs/releases/1.11.11.txt
index c344f3e7b54..696465fd47f 100644
--- a/docs/releases/1.11.11.txt
+++ b/docs/releases/1.11.11.txt
@@ -5,3 +5,14 @@ Django 1.11.11 release notes
 *March 6, 2018*
 
 Django 1.11.11 fixes two security issues in 1.11.10.
+
+CVE-2018-7536: Denial-of-service possibility in ``urlize`` and ``urlizetrunc`` template filters
+===============================================================================================
+
+The ``django.utils.html.urlize()`` function was extremely slow to evaluate
+certain inputs due to catastrophic backtracking vulnerabilities in two regular
+expressions. The ``urlize()`` function is used to implement the ``urlize`` and
+``urlizetrunc`` template filters, which were thus vulnerable.
+
+The problematic regular expressions are replaced with parsing logic that
+behaves similarly.
diff --git a/docs/releases/1.8.19.txt b/docs/releases/1.8.19.txt
index 9709f2622dd..ae509f11c46 100644
--- a/docs/releases/1.8.19.txt
+++ b/docs/releases/1.8.19.txt
@@ -5,3 +5,14 @@ Django 1.8.19 release notes
 *March 6, 2018*
 
 Django 1.8.19 fixes two security issues in 1.18.18.
+
+CVE-2018-7536: Denial-of-service possibility in ``urlize`` and ``urlizetrunc`` template filters
+===============================================================================================
+
+The ``django.utils.html.urlize()`` function was extremely slow to evaluate
+certain inputs due to a catastrophic backtracking vulnerability in a regular
+expression. The ``urlize()`` function is used to implement the ``urlize`` and
+``urlizetrunc`` template filters, which were thus vulnerable.
+
+The problematic regular expression is replaced with parsing logic that behaves
+similarly.
diff --git a/docs/releases/2.0.3.txt b/docs/releases/2.0.3.txt
index b4d0ed0c236..a4c01302d12 100644
--- a/docs/releases/2.0.3.txt
+++ b/docs/releases/2.0.3.txt
@@ -7,6 +7,17 @@ Django 2.0.3 release notes
 Django 2.0.3 fixes two security issues and several bugs in 2.0.2. Also, the
 latest string translations from Transifex are incorporated.
 
+CVE-2018-7536: Denial-of-service possibility in ``urlize`` and ``urlizetrunc`` template filters
+===============================================================================================
+
+The ``django.utils.html.urlize()`` function was extremely slow to evaluate
+certain inputs due to catastrophic backtracking vulnerabilities in two regular
+expressions. The ``urlize()`` function is used to implement the ``urlize`` and
+``urlizetrunc`` template filters, which were thus vulnerable.
+
+The problematic regular expressions are replaced with parsing logic that
+behaves similarly.
+
 Bugfixes
 ========
 
diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
index 08b31bc55a8..077729b0697 100644
--- a/tests/utils_tests/test_html.py
+++ b/tests/utils_tests/test_html.py
@@ -5,7 +5,7 @@ from django.test import SimpleTestCase
 from django.utils.functional import lazystr
 from django.utils.html import (
     conditional_escape, escape, escapejs, format_html, html_safe, linebreaks,
-    smart_urlquote, strip_spaces_between_tags, strip_tags,
+    smart_urlquote, strip_spaces_between_tags, strip_tags, urlize,
 )
 from django.utils.safestring import mark_safe
 
@@ -216,3 +216,12 @@ class TestUtilsHtml(SimpleTestCase):
             @html_safe
             class HtmlClass:
                 pass
+
+    def test_urlize_unchanged_inputs(self):
+        tests = (
+            ('a' + '@a' * 50000) + 'a',  # simple_email_re catastrophic test
+            ('a' + '.' * 1000000) + 'a',  # trailing_punctuation catastrophic test
+        )
+        for value in tests:
+            with self.subTest(value=value):
+                self.assertEqual(urlize(value), value)