Fixed CVE-2018-7537 -- Fixed catastrophic backtracking in django.utils.text.Truncator.
Thanks James Davis for suggesting the fix.
This commit is contained in:
parent
8618271caa
commit
97b7dd59bb
|
@ -20,7 +20,7 @@ def capfirst(x):
|
||||||
# Set up regular expressions
|
# Set up regular expressions
|
||||||
re_words = re.compile(r'<.*?>|((?:\w[-\w]*|&.*?;)+)', re.S)
|
re_words = re.compile(r'<.*?>|((?:\w[-\w]*|&.*?;)+)', re.S)
|
||||||
re_chars = re.compile(r'<.*?>|(.)', re.S)
|
re_chars = re.compile(r'<.*?>|(.)', re.S)
|
||||||
re_tag = re.compile(r'<(/)?([^ ]+?)(?:(\s*/)| .*?)?>', re.S)
|
re_tag = re.compile(r'<(/)?(\S+?)(?:(\s*/)|\s.*?)?>', re.S)
|
||||||
re_newlines = re.compile(r'\r\n|\r') # Used in normalize_newlines
|
re_newlines = re.compile(r'\r\n|\r') # Used in normalize_newlines
|
||||||
re_camel_case = re.compile(r'(((?<=[a-z])[A-Z])|([A-Z](?![A-Z]|$)))')
|
re_camel_case = re.compile(r'(((?<=[a-z])[A-Z])|([A-Z](?![A-Z]|$)))')
|
||||||
|
|
||||||
|
|
|
@ -16,3 +16,15 @@ expressions. The ``urlize()`` function is used to implement the ``urlize`` and
|
||||||
|
|
||||||
The problematic regular expressions are replaced with parsing logic that
|
The problematic regular expressions are replaced with parsing logic that
|
||||||
behaves similarly.
|
behaves similarly.
|
||||||
|
|
||||||
|
CVE-2018-7537: Denial-of-service possibility in ``truncatechars_html`` and ``truncatewords_html`` template filters
|
||||||
|
==================================================================================================================
|
||||||
|
|
||||||
|
If ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methods were
|
||||||
|
passed the ``html=True`` argument, they were extremely slow to evaluate certain
|
||||||
|
inputs due to a catastrophic backtracking vulnerability in a regular
|
||||||
|
expression. The ``chars()`` and ``words()`` methods are used to implement the
|
||||||
|
``truncatechars_html`` and ``truncatewords_html`` template filters, which were
|
||||||
|
thus vulnerable.
|
||||||
|
|
||||||
|
The backtracking problem in the regular expression is fixed.
|
||||||
|
|
|
@ -16,3 +16,15 @@ expression. The ``urlize()`` function is used to implement the ``urlize`` and
|
||||||
|
|
||||||
The problematic regular expression is replaced with parsing logic that behaves
|
The problematic regular expression is replaced with parsing logic that behaves
|
||||||
similarly.
|
similarly.
|
||||||
|
|
||||||
|
CVE-2018-7537: Denial-of-service possibility in ``truncatechars_html`` and ``truncatewords_html`` template filters
|
||||||
|
==================================================================================================================
|
||||||
|
|
||||||
|
If ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methods were
|
||||||
|
passed the ``html=True`` argument, they were extremely slow to evaluate certain
|
||||||
|
inputs due to a catastrophic backtracking vulnerability in a regular
|
||||||
|
expression. The ``chars()`` and ``words()`` methods are used to implement the
|
||||||
|
``truncatechars_html`` and ``truncatewords_html`` template filters, which were
|
||||||
|
thus vulnerable.
|
||||||
|
|
||||||
|
The backtracking problem in the regular expression is fixed.
|
||||||
|
|
|
@ -18,6 +18,18 @@ expressions. The ``urlize()`` function is used to implement the ``urlize`` and
|
||||||
The problematic regular expressions are replaced with parsing logic that
|
The problematic regular expressions are replaced with parsing logic that
|
||||||
behaves similarly.
|
behaves similarly.
|
||||||
|
|
||||||
|
CVE-2018-7537: Denial-of-service possibility in ``truncatechars_html`` and ``truncatewords_html`` template filters
|
||||||
|
==================================================================================================================
|
||||||
|
|
||||||
|
If ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methods were
|
||||||
|
passed the ``html=True`` argument, they were extremely slow to evaluate certain
|
||||||
|
inputs due to a catastrophic backtracking vulnerability in a regular
|
||||||
|
expression. The ``chars()`` and ``words()`` methods are used to implement the
|
||||||
|
``truncatechars_html`` and ``truncatewords_html`` template filters, which were
|
||||||
|
thus vulnerable.
|
||||||
|
|
||||||
|
The backtracking problem in the regular expression is fixed.
|
||||||
|
|
||||||
Bugfixes
|
Bugfixes
|
||||||
========
|
========
|
||||||
|
|
||||||
|
|
|
@ -136,6 +136,10 @@ class TestUtilsText(SimpleTestCase):
|
||||||
truncator = text.Truncator('<p>I <3 python, what about you?</p>')
|
truncator = text.Truncator('<p>I <3 python, what about you?</p>')
|
||||||
self.assertEqual('<p>I <3 python...</p>', truncator.words(3, '...', html=True))
|
self.assertEqual('<p>I <3 python...</p>', truncator.words(3, '...', html=True))
|
||||||
|
|
||||||
|
re_tag_catastrophic_test = ('</a' + '\t' * 50000) + '//>'
|
||||||
|
truncator = text.Truncator(re_tag_catastrophic_test)
|
||||||
|
self.assertEqual(re_tag_catastrophic_test, truncator.words(500, html=True))
|
||||||
|
|
||||||
def test_wrap(self):
|
def test_wrap(self):
|
||||||
digits = '1234 67 9'
|
digits = '1234 67 9'
|
||||||
self.assertEqual(text.wrap(digits, 100), '1234 67 9')
|
self.assertEqual(text.wrap(digits, 100), '1234 67 9')
|
||||||
|
|
Loading…
Reference in New Issue