[5.0.x] Fixed CVE-2024-41990 -- Mitigated potential DoS in urlize and urlizetrunc template filters.

sarahboyce · sarahboyce · commit 7b7b909579c8 · 2024-08-06T08:51:55.000+02:00
Thanks to MProgrammer for the report.
diff --git a/django/utils/html.py b/django/utils/html.py
@@ -408,23 +408,21 @@ def trim_punctuation(self, word):
                         trimmed_something = True
                         counts[closing] -= strip
 
-            rstripped = middle.rstrip(self.trailing_punctuation_chars_no_semicolon)
+            amp = middle.rfind("&")
+            if amp == -1:
+                rstripped = middle.rstrip(self.trailing_punctuation_chars)
+            else:
+                rstripped = middle.rstrip(self.trailing_punctuation_chars_no_semicolon)
             if rstripped != middle:
                 trail = middle[len(rstripped) :] + trail
                 middle = rstripped
                 trimmed_something = True
 
             if self.trailing_punctuation_chars_has_semicolon and middle.endswith(";"):
                 # Only strip if not part of an HTML entity.
-                amp = middle.rfind("&")
-                if amp == -1:
-                    can_strip = True
-                else:
-                    potential_entity = middle[amp:]
-                    escaped = html.unescape(potential_entity)
-                    can_strip = (escaped == potential_entity) or escaped.endswith(";")
-
-                if can_strip:
+                potential_entity = middle[amp:]
+                escaped = html.unescape(potential_entity)
+                if escaped == potential_entity or escaped.endswith(";"):
                     rstripped = middle.rstrip(";")
                     amount_stripped = len(middle) - len(rstripped)
                     if amp > -1 and amount_stripped > 1:
diff --git a/docs/releases/4.2.15.txt b/docs/releases/4.2.15.txt
@@ -16,6 +16,13 @@ consumption.
 
 To avoid this, decimals with more than 200 digits are now returned as is.
 
+CVE-2024-41990: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
+===========================================================================================
+
+:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
+denial-of-service attack via very large inputs with a specific sequence of
+characters.
+
 Bugfixes
 ========
 
diff --git a/docs/releases/5.0.8.txt b/docs/releases/5.0.8.txt
@@ -16,6 +16,13 @@ consumption.
 
 To avoid this, decimals with more than 200 digits are now returned as is.
 
+CVE-2024-41990: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
+===========================================================================================
+
+:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
+denial-of-service attack via very large inputs with a specific sequence of
+characters.
+
 Bugfixes
 ========
 
diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
@@ -359,6 +359,8 @@ def test_urlize_unchanged_inputs(self):
             "[(" * 100_000 + ":" + ")]" * 100_000,
             "([[" * 100_000 + ":" + "]])" * 100_000,
             "&:" + ";" * 100_000,
+            "&.;" * 100_000,
+            ".;" * 100_000,
         )
         for value in tests:
             with self.subTest(value=value):

Original file line number	Diff line number	Diff line change
`@@ -359,6 +359,8 @@ def test_urlize_unchanged_inputs(self):`
`359`	`359`	`"[(" * 100_000 + ":" + ")]" * 100_000,`
`360`	`360`	`"([[" * 100_000 + ":" + "]])" * 100_000,`
`361`	`361`	`"&:" + ";" * 100_000,`
	`362`	`+ "&.;" * 100_000,`
	`363`	`+ ".;" * 100_000,`
`362`	`364`	`)`
`363`	`365`	`for value in tests:`
`364`	`366`	`with self.subTest(value=value):`