Django/django
11
0
Fork 0
Code Pull Requests Projects Releases Activity

[1.8.x] Fixed CVE-2018-7537 -- Fixed catastrophic backtracking in django.utils.text.Truncator.

Browse Source 
Thanks James Davis for suggesting the fix.
This commit is contained in:
Tim Graham 2018-02-24 16:22:43 -05:00
parent 1ca63a66ef
commit d17974a287
3 changed files with 17 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
django/utils/text.py
View File

@ -27,7 +27,7 @@ capfirst = allow_lazy(capfirst, six.text_type)
# Set up regular expressions # Set up regular expressions
re_words = re.compile(r'<.*?>|((?:\w[-\w]*|&.*?;)+)', re.U | re.S) re_words = re.compile(r'<.*?>|((?:\w[-\w]*|&.*?;)+)', re.U | re.S)
re_chars = re.compile(r'<.*?>|(.)', re.U | re.S) re_chars = re.compile(r'<.*?>|(.)', re.U | re.S)
re_tag = re.compile(r'<(/)?([^ ]+?)(?:(\s*/)| .*?)?>', re.S) re_tag = re.compile(r'<(/)?(\S+?)(?:(\s*/)|\s.*?)?>', re.S)
re_newlines = re.compile(r'\r\n|\r') # Used in normalize_newlines re_newlines = re.compile(r'\r\n|\r') # Used in normalize_newlines
re_camel_case = re.compile(r'(((?<=[a-z])[A-Z])|([A-Z](?![A-Z]|$)))') re_camel_case = re.compile(r'(((?<=[a-z])[A-Z])|([A-Z](?![A-Z]|$)))')

12
docs/releases/1.8.19.txt
View File

@ -16,3 +16,15 @@ expression. The ``urlize()`` function is used to implement the ``urlize`` and
The problematic regular expression is replaced with parsing logic that behaves The problematic regular expression is replaced with parsing logic that behaves
similarly. similarly.
CVE-2018-7537: Denial-of-service possibility in ``truncatechars_html`` and ``truncatewords_html`` template filters
==================================================================================================================
If ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methods were
passed the ``html=True`` argument, they were extremely slow to evaluate certain
inputs due to a catastrophic backtracking vulnerability in a regular
expression. The ``chars()`` and ``words()`` methods are used to implement the
``truncatechars_html`` and ``truncatewords_html`` template filters, which were
thus vulnerable.
The backtracking problem in the regular expression is fixed.

4
tests/utils_tests/test_text.py
View File

@ -144,6 +144,10 @@ class TestUtilsText(SimpleTestCase):
self.assertEqual('<p>I &lt;3 python...</p>', self.assertEqual('<p>I &lt;3 python...</p>',
truncator.words(3, '...', html=True)) truncator.words(3, '...', html=True))
re_tag_catastrophic_test = ('</a' + '\t' * 50000) + '//>'
truncator = text.Truncator(re_tag_catastrophic_test)
self.assertEqual(re_tag_catastrophic_test, truncator.words(500, html=True))
def test_wrap(self): def test_wrap(self):
digits = '1234 67 9' digits = '1234 67 9'
self.assertEqual(text.wrap(digits, 100), '1234 67 9') self.assertEqual(text.wrap(digits, 100), '1234 67 9')