master

分支 (1)

标签 (1)

管理

管理

master

ocs-2309

python-django
/
python-django-5.0.8-CVE-2024-45230.patch

From 022ab0a75c76ab2ea31dfcc5f2cf5501e378d397 Mon Sep 17 00:00:00 2001
From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
Date: Mon, 12 Aug 2024 15:17:57 +0200
Subject: [PATCH] [5.1.x] Fixed CVE-2024-45230 -- Mitigated potential DoS in
 urlize and urlizetrunc template filters.

Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
---
 django/utils/html.py                          | 17 ++++++++------
 docs/ref/templates/builtins.txt               | 11 +++++++++
 docs/releases/4.2.16.txt                      | 14 +++++++++++
 docs/releases/5.0.9.txt                       | 14 +++++++++++
 docs/releases/5.1.1.txt                       | 13 +++++++++++
 .../filter_tests/test_urlize.py               | 23 +++++++++++++++++++
 tests/utils_tests/test_html.py                |  1 +
 7 files changed, 86 insertions(+), 7 deletions(-)
 create mode 100644 docs/releases/4.2.16.txt
 create mode 100644 docs/releases/5.0.9.txt
 create mode 100644 docs/releases/5.1.1.txt

diff --git a/django/utils/html.py b/django/utils/html.py
index 154c820..0719347 100644
--- a/django/utils/html.py
+++ b/django/utils/html.py
@@ -427,14 +427,17 @@ class Urlizer:
                 potential_entity = middle[amp:]
                 escaped = html.unescape(potential_entity)
                 if escaped == potential_entity or escaped.endswith(";"):
-                    rstripped = middle.rstrip(";")
-                    amount_stripped = len(middle) - len(rstripped)
-                    if amp > -1 and amount_stripped > 1:
-                        # Leave a trailing semicolon as might be an entity.
-                        trail = middle[len(rstripped) + 1 :] + trail
-                        middle = rstripped + ";"
+                    rstripped = middle.rstrip(self.trailing_punctuation_chars)
+                    trail_start = len(rstripped)
+                    amount_trailing_semicolons = len(middle) - len(middle.rstrip(";"))
+                    if amp > -1 and amount_trailing_semicolons > 1:
+                        # Leave up to most recent semicolon as might be an entity.
+                        recent_semicolon = middle[trail_start:].index(";")
+                        middle_semicolon_index = recent_semicolon + trail_start + 1
+                        trail = middle[middle_semicolon_index:] + trail
+                        middle = rstripped + middle[trail_start:middle_semicolon_index]
                     else:
-                        trail = middle[len(rstripped) :] + trail
+                        trail = middle[trail_start:] + trail
                         middle = rstripped
                     trimmed_something = True

diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt
index 3e2d638..86841b3 100644
--- a/docs/ref/templates/builtins.txt
+++ b/docs/ref/templates/builtins.txt
@@ -2932,6 +2932,17 @@ Django's built-in :tfilter:`escape` filter. The default value for
     email addresses that contain single quotes (``'``), things won't work as
     expected. Apply this filter only to plain text.

+.. warning::
+
+    Using ``urlize`` or ``urlizetrunc`` can incur a performance penalty, which
+    can become severe when applied to user controlled values such as content
+    stored in a :class:`~django.db.models.TextField`. You can use
+    :tfilter:`truncatechars` to add a limit to such inputs:
+
+    .. code-block:: html+django
+
+        {{ value|truncatechars:500|urlize }}
+
 .. templatefilter:: urlizetrunc

 ``urlizetrunc``
diff --git a/docs/releases/4.2.16.txt b/docs/releases/4.2.16.txt
new file mode 100644
index 0000000..b624d5c
--- /dev/null
+++ b/docs/releases/4.2.16.txt
@@ -0,0 +1,14 @@
+===========================
+Django 4.2.16 release notes
+===========================
+*September 3, 2024*
+Django 4.2.16 fixes one security issue with severity "moderate" and one
+security issue with severity "low" in 4.2.15.
+
+...
+CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
+===========================================================================================
+
+:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
+denial-of-service attack via very large inputs with a specific sequence of
+characters.
diff --git a/docs/releases/5.0.9.txt b/docs/releases/5.0.9.txt
new file mode 100644
index 0000000..3b372df
--- /dev/null
+++ b/docs/releases/5.0.9.txt
@@ -0,0 +1,14 @@
+===========================
+Django 5.0.9 release notes
+===========================
+*September 3, 2024*
+Django 5.0.9 fixes one security issue with severity "moderate" and one security
+issue with severity "low" in 5.0.8.
+
+...
+CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
+===========================================================================================
+
+:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
+denial-of-service attack via very large inputs with a specific sequence of
+characters.
diff --git a/docs/releases/5.1.1.txt b/docs/releases/5.1.1.txt
new file mode 100644
index 0000000..6a2827c
--- /dev/null
+++ b/docs/releases/5.1.1.txt
@@ -0,0 +1,13 @@
+==========================
+Django 5.1.1 release notes
+==========================
+*September 3, 2024*
+Django 5.1.1 fixes one security issue with severity "moderate", one security
+issue with severity "low", and several bugs in 5.1.
+
+CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
+===========================================================================================
+
+:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
+denial-of-service attack via very large inputs with a specific sequence of
+characters.
diff --git a/tests/template_tests/filter_tests/test_urlize.py b/tests/template_tests/filter_tests/test_urlize.py
index 8f84e62..14908cb 100644
--- a/tests/template_tests/filter_tests/test_urlize.py
+++ b/tests/template_tests/filter_tests/test_urlize.py
@@ -305,6 +305,29 @@ class FunctionTests(SimpleTestCase):
             "http://testing.com/example</a>.,:;)&quot;!",
         )

+    def test_trailing_semicolon(self):
+        self.assertEqual(
+            urlize("http://example.com?x=&amp;", autoescape=False),
+            '<a href="http://example.com?x=" rel="nofollow">'
+            "http://example.com?x=&amp;</a>",
+        )
+        self.assertEqual(
+            urlize("http://example.com?x=&amp;;", autoescape=False),
+            '<a href="http://example.com?x=" rel="nofollow">'
+            "http://example.com?x=&amp;</a>;",
+        )
+        self.assertEqual(
+            urlize("http://example.com?x=&amp;;;", autoescape=False),
+            '<a href="http://example.com?x=" rel="nofollow">'
+            "http://example.com?x=&amp;</a>;;",
+        )
+
+        self.assertEqual(
+            urlize("http://example.com?x=&amp.;...;", autoescape=False),
+            '<a href="http://example.com?x=" rel="nofollow">'
+            "http://example.com?x=&amp</a>.;...;",
+        )
+
     def test_brackets(self):
         """
         #19070 - Check urlize handles brackets properly
diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
index 82dbd58..035585e 100644
--- a/tests/utils_tests/test_html.py
+++ b/tests/utils_tests/test_html.py
@@ -374,6 +374,7 @@ class TestUtilsHtml(SimpleTestCase):
             "&:" + ";" * 100_000,
             "&.;" * 100_000,
             ".;" * 100_000,
+            "&" + ";:" * 100_000,
         )
         for value in tests:
             with self.subTest(value=value):
--
2.43.0