Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP2:GA
python-Django
CVE-2024-45230.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2024-45230.patch of Package python-Django
From 65a776dd25b657cc32edafaad98d91aa0b51e641 Mon Sep 17 00:00:00 2001 From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> Date: Mon, 12 Aug 2024 15:17:57 +0200 Subject: [PATCH 1/2] [4.2.x] Fixed CVE-2024-45230 -- Mitigated potential DoS in urlize and urlizetrunc template filters. Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report. --- django/utils/html.py | 17 ++++++++------ docs/ref/templates/builtins.txt | 11 ++++++++++ docs/releases/4.2.16.txt | 15 +++++++++++++ docs/releases/index.txt | 1 + .../filter_tests/test_urlize.py | 22 +++++++++++++++++++ tests/utils_tests/test_html.py | 1 + 6 files changed, 60 insertions(+), 7 deletions(-) create mode 100644 docs/releases/4.2.16.txt Index: Django-2.0.7/django/utils/html.py =================================================================== --- Django-2.0.7.orig/django/utils/html.py +++ Django-2.0.7/django/utils/html.py @@ -331,14 +331,17 @@ def urlize(text, trim_url_limit=None, no potential_entity = middle[amp:] escaped = html.unescape(potential_entity) if escaped == potential_entity or escaped.endswith(";"): - rstripped = middle.rstrip(";") - amount_stripped = len(middle) - len(rstripped) - if amp > -1 and amount_stripped > 1: - # Leave a trailing semicolon as might be an entity. - trail = middle[len(rstripped) + 1 :] + trail - middle = rstripped + ";" + rstripped = middle.rstrip(TRAILING_PUNCTUATION_CHARS) + trail_start = len(rstripped) + amount_trailing_semicolons = len(middle) - len(middle.rstrip(";")) + if amp > -1 and amount_trailing_semicolons > 1: + # Leave up to most recent semicolon as might be an entity. + recent_semicolon = middle[trail_start:].index(";") + middle_semicolon_index = recent_semicolon + trail_start + 1 + trail = middle[middle_semicolon_index:] + trail + middle = rstripped + middle[trail_start:middle_semicolon_index] else: - trail = middle[len(rstripped) :] + trail + trail = middle[trail_start:] + trail middle = rstripped trimmed_something = True return lead, middle, trail Index: Django-2.0.7/docs/ref/templates/builtins.txt =================================================================== --- Django-2.0.7.orig/docs/ref/templates/builtins.txt +++ Django-2.0.7/docs/ref/templates/builtins.txt @@ -2414,6 +2414,17 @@ Django's built-in :tfilter:`escape` filt If ``urlize`` is applied to text that already contains HTML markup, things won't work as expected. Apply this filter only to plain text. +.. warning:: + + Using ``urlize`` or ``urlizetrunc`` can incur a performance penalty, which + can become severe when applied to user controlled values such as content + stored in a :class:`~django.db.models.TextField`. You can use + :tfilter:`truncatechars` to add a limit to such inputs: + + .. code-block:: html+django + + {{ value|truncatechars:500|urlize }} + .. templatefilter:: urlizetrunc ``urlizetrunc`` Index: Django-2.0.7/docs/releases/4.2.16.txt =================================================================== --- /dev/null +++ Django-2.0.7/docs/releases/4.2.16.txt @@ -0,0 +1,15 @@ +=========================== +Django 4.2.16 release notes +=========================== + +*September 3, 2024* + +Django 4.2.16 fixes one security issue with severity "moderate" and one +security issues with severity "low" in 4.2.15. + +CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html.urlize()`` +=========================================================================================== + +:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential +denial-of-service attack via very large inputs with a specific sequence of +characters. Index: Django-2.0.7/tests/template_tests/filter_tests/test_urlize.py =================================================================== --- Django-2.0.7.orig/tests/template_tests/filter_tests/test_urlize.py +++ Django-2.0.7/tests/template_tests/filter_tests/test_urlize.py @@ -260,6 +260,28 @@ class FunctionTests(SimpleTestCase): 'A test <a href="http://testing.com/example" rel="nofollow">http://testing.com/example</a>.,:;)"!' ) + def test_trailing_semicolon(self): + self.assertEqual( + urlize("http://example.com?x=&", autoescape=False), + '<a href="http://example.com?x=" rel="nofollow">' + "http://example.com?x=&</a>", + ) + self.assertEqual( + urlize("http://example.com?x=&;", autoescape=False), + '<a href="http://example.com?x=" rel="nofollow">' + "http://example.com?x=&</a>;", + ) + self.assertEqual( + urlize("http://example.com?x=&;;", autoescape=False), + '<a href="http://example.com?x=" rel="nofollow">' + "http://example.com?x=&</a>;;", + ) + self.assertEqual( + urlize("http://example.com?x=&.;...;", autoescape=False), + '<a href="http://example.com?x=" rel="nofollow">' + "http://example.com?x=&</a>.;...;", + ) + def test_brackets(self): """ #19070 - Check urlize handles brackets properly Index: Django-2.0.7/tests/utils_tests/test_html.py =================================================================== --- Django-2.0.7.orig/tests/utils_tests/test_html.py +++ Django-2.0.7/tests/utils_tests/test_html.py @@ -239,6 +239,7 @@ class TestUtilsHtml(SimpleTestCase): "&:" + ";" * 100_000, "&.;" * 100_000, ".;" * 100_000, + "&" + ";:" * 100_000, ) for value in tests: with self.subTest(value=value):
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
