8000 [1.11.X] Fixed CVE-2019-14232 -- Adjusted regex to avoid backtracking… · django/django@42a66e9 · GitHub
[go: up one dir, main page]
Skip to content

Commit 42a66e9

Browse files
apollo13carltongibson
apollo13
authored and
carltongibson
committed
[1.11.X] Fixed CVE-2019-14232 -- Adjusted regex to avoid backtracking issues when truncating HTML.
Thanks to Guido Vranken for initial report.
1 parent 693046e commit 42a66e9

File tree

4 files changed

+37
-8
lines changed

4 files changed

+37
-8
lines changed

django/utils/text.py

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -27,8 +27,8 @@ def capfirst(x):
2727

2828

2929
# Set up regular expressions
30-
re_words = re.compile(r'<.*?>|((?:\w[-\w]*|&.*?;)+)', re.U | re.S)
31-
re_chars = re.compile(r'<.*?>|(.)', re.U | re.S)
30+
re_words = re.compile(r'<[^>]+?>|([^<>\s]+)', re.S)
31+
re_chars = re.compile(r'<[^>]+?>|(.)', re.S)
3232
re_tag = re.compile(r'<(/)?(\S+?)(?:(\s*/)|\s.*?)?>', re.S)
3333
re_newlines = re.compile(r'\r\n|\r') # Used in normalize_newlines
3434
re_camel_case = re.compile(r'(((?<=[a-z])[A-Z])|([A-Z](?![A-Z]|$)))')

docs/releases/1.11.23.txt

Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5,3 +5,17 @@ Django 1.11.23 release notes
55
*August 1, 2019*
66

77
Django 1.11.23 fixes security issues in 1.11.22.
8+
9+
CVE-2019-14232: Denial-of-service possibility in ``django.utils.text.Truncator``
10+
================================================================================
11+
12+
If ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methods
13+
were passed the ``html=True`` argument, they were extremely slow to evaluate
14+
certain inputs due to a catastrophic backtracking vulnerability in a regular
15+
expression. The ``chars()`` and ``words()`` methods are used to implement the
16+
:tfilter:`truncatechars_html` and :tfilter:`truncatewords_html` template
17+
filters, which were thus vulnerable.
18+
19+
The regular expressions used by ``Truncator`` have been simplified in order to
20+
avoid potential backtracking issues. As a consequence, trailing punctuation may
21+
now at times be included in the truncated output.

tests/template_tests/filter_tests/test_truncatewords_html.py

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -19,13 +19,13 @@ def test_truncate(self):
1919
def test_truncate2(self):
2020
self.assertEqual(
2121
truncatewords_html('<p>one <a href="#">two - three <br>four</a> five</p>', 4),
22-
'<p>one <a href="#">two - three <br>four ...</a></p>',
22+
'<p>one <a href="#">two - three ...</a></p>',
2323
)
2424

2525
def test_truncate3(self):
2626
self.assertEqual(
2727
truncatewords_html('<p>one <a href="#">two - three <br>four</a> five</p>', 5),
28-
'<p>one <a href="#">two - three <br>four</a> five</p>',
28+
'<p>one <a href="#">two - three <br>four ...</a></p>',
2929
)
3030

3131
def test_truncate4(self):

tests/utils_tests/test_text.py

Lines changed: 19 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -88,6 +88,16 @@ def test_truncate_chars(self):
8888
# lazy strings are handled correctly
8989
self.assertEqual(text.Truncator(lazystr('The quick brown fox')).chars(12), 'The quick...')
9090

91+
def test_truncate_chars_html(self):
92+
perf_test_values = [
93+
(('</a' + '\t' * 50000) + '//>', None),
94+
('&' * 50000, '&' * 7 + '...'),
95+
('_X<<<<<<<<<<<>', None),
96+
]
97+
for value, expected in perf_test_values:
98+
truncator = text.Truncator(value)
99+
self.assertEqual(expected if expected else value, truncator.chars(10, html=True))
100+
91101
def test_truncate_words(self):
92102
truncator = text.Truncator('The quick brown fox jumped over the lazy dog.')
93103
self.assertEqual('The quick brown fox jumped over the lazy dog.', truncator.words(10))
@@ -137,11 +147,16 @@ def test_truncate_html_words(self):
137147
truncator = text.Truncator('<i>Buenos d&iacute;as! &#x00bf;C&oacute;mo est&aacute;?</i>')
138148
self.assertEqual('<i>Buenos d&iacute;as! &#x00bf;C&oacute;mo...</i>', truncator.words(3, '...', html=True))
139149
truncator = text.Truncator('<p>I &lt;3 python, what about you?</p>')
140-
self.assertEqual('<p>I &lt;3 python...</p>', truncator.words(3, '...', html=True))
150+
self.assertEqual('<p>I &lt;3 python,...</p>', truncator.words(3, '...', html=True))
141151

142-
re_tag_catastrophic_test = ('</a' + '\t' * 50000) + '//>'
143-
truncator = text.Truncator(re_tag_catastrophic_test)
144-
self.assertEqual(re_tag_catastrophic_test, truncator.words(500, html=True))
152+
perf_test_values = [
153+
('</a' + '\t' * 50000) + '//>',
154+
'&' * 50000,
155+
'_X<<<<<<<<<<<>',
156+
]
157+
for value in perf_test_values:
158+
truncator = text.Truncator(value)
159+
self.assertEqual(value, truncator.words(50, html=True))
145160

146161
def test_wrap(self):
147162
digits = '1234 67 9'

0 commit comments

Comments
 (0)
0