diff --git a/django/utils/html.py b/django/utils/html.py
index a2672d432c..0204fd4983 100644
--- a/django/utils/html.py
+++ b/django/utils/html.py
@@ -30,7 +30,6 @@ unencoded_ampersands_re = re.compile(r'&(?!(\w+|#\d+);)')
word_split_re = re.compile(r'(\s+)')
simple_url_re = re.compile(r'^https?://\[?\w', re.IGNORECASE)
simple_url_2_re = re.compile(r'^www\.|^(?!http)\w[^@]+\.(com|edu|gov|int|mil|net|org)($|/.*)$', re.IGNORECASE)
-simple_email_re = re.compile(r'^\S+@\S+\.\S+$')
link_target_attribute_re = re.compile(r'(]*?)target=[^\s>]+')
html_gunk_re = re.compile(
r'(?:
|<\/i>|<\/b>|<\/em>|<\/strong>|'
@@ -304,6 +303,21 @@ def urlize(text, trim_url_limit=None, nofollow=False, autoescape=False):
trail = ''
return text, unescaped, trail
+ def is_email_simple(value):
+ """Return True if value looks like an email address."""
+ # An @ must be in the middle of the value.
+ if '@' not in value or value.startswith('@') or value.endswith('@'):
+ return False
+ try:
+ p1, p2 = value.split('@')
+ except ValueError:
+ # value contains more than one @.
+ return False
+ # Dot must be in p2 (e.g. example.com)
+ if '.' not in p2 or p2.startswith('.'):
+ return False
+ return True
+
words = word_split_re.split(force_text(text))
for i, word in enumerate(words):
if '.' in word or '@' in word or ':' in word:
@@ -332,7 +346,7 @@ def urlize(text, trim_url_limit=None, nofollow=False, autoescape=False):
elif simple_url_2_re.match(middle):
middle, middle_unescaped, trail = unescape(middle, trail)
url = smart_urlquote('http://%s' % middle_unescaped)
- elif ':' not in middle and simple_email_re.match(middle):
+ elif ':' not in middle and is_email_simple(middle):
local, domain = middle.rsplit('@', 1)
try:
domain = domain.encode('idna').decode('ascii')
diff --git a/docs/releases/1.8.19.txt b/docs/releases/1.8.19.txt
index 9709f2622d..ae509f11c4 100644
--- a/docs/releases/1.8.19.txt
+++ b/docs/releases/1.8.19.txt
@@ -5,3 +5,14 @@ Django 1.8.19 release notes
*March 6, 2018*
Django 1.8.19 fixes two security issues in 1.18.18.
+
+CVE-2018-7536: Denial-of-service possibility in ``urlize`` and ``urlizetrunc`` template filters
+===============================================================================================
+
+The ``django.utils.html.urlize()`` function was extremely slow to evaluate
+certain inputs due to a catastrophic backtracking vulnerability in a regular
+expression. The ``urlize()`` function is used to implement the ``urlize`` and
+``urlizetrunc`` template filters, which were thus vulnerable.
+
+The problematic regular expression is replaced with parsing logic that behaves
+similarly.
diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
index bc9874c696..b108268c17 100644
--- a/tests/utils_tests/test_html.py
+++ b/tests/utils_tests/test_html.py
@@ -248,3 +248,11 @@ class TestUtilsHtml(SimpleTestCase):
@html.html_safe
class HtmlClass(object):
pass
+
+ def test_urlize_unchanged_inputs(self):
+ tests = (
+ ('a' + '@a' * 50000) + 'a', # simple_email_re catastrophic test
+ ('a' + '.' * 1000000) + 'a', # trailing_punctuation catastrophic test
+ )
+ for value in tests:
+ self.assertEqual(html.urlize(value), value)