python3-django: Fix CVE-2024-41990

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-41990 Upstream-patch: https://github.com/django/django/commit/d0a82e26a74940bf0c78204933c3bdd6a283eb88 Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2026-05-07 05:10:20 +00:00 · 2025-01-10 13:17:58 +00:00
parent 46701493ac
commit 4e8fa78778
2 changed files with 70 additions and 0 deletions
@@ -0,0 +1,69 @@
 From d0a82e26a74940bf0c78204933c3bdd6a283eb88 Mon Sep 17 00:00:00 2001
 From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
 Date: Thu, 18 Jul 2024 13:19:34 +0200
 Subject: [PATCH] [4.2.x] Fixed CVE-2024-41990 -- Mitigated potential DoS in
 urlize and urlizetrunc template filters.
 Thanks to MProgrammer for the report.
 CVE: CVE-2024-41990
 Upstream-Status: Backport [https://github.com/django/django/commit/d0a82e26a74940bf0c78204933c3bdd6a283eb88]
 Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
 ---
 django/utils/html.py           | 18 ++++++++----------
 tests/utils_tests/test_html.py |  2 ++
 2 files changed, 10 insertions(+), 10 deletions(-)
 diff --git a/django/utils/html.py b/django/utils/html.py
 index f1b74ab..84e157d 100644
 --- a/django/utils/html.py
 +++ b/django/utils/html.py
@@ -315,7 +315,11 @@ def urlize(text, trim_url_limit=None, nofollow=False, autoescape=False):
                         trimmed_something = True
                         counts[closing] -= strip
 -            rstripped = middle.rstrip(trailing_punctuation_chars_no_semicolon())
 +            amp = middle.rfind("&")
 +            if amp == -1:
 +                rstripped = middle.rstrip(TRAILING_PUNCTUATION_CHARS)
 +            else:
 +                rstripped = middle.rstrip(trailing_punctuation_chars_no_semicolon())
             if rstripped != middle:
                 trail = middle[len(rstripped) :] + trail
                 middle = rstripped
@@ -323,15 +327,9 @@ def urlize(text, trim_url_limit=None, nofollow=False, autoescape=False):
             if trailing_punctuation_chars_has_semicolon() and middle.endswith(";"):
                 # Only strip if not part of an HTML entity.
 -                amp = middle.rfind("&")
 -                if amp == -1:
 -                    can_strip = True
 -                else:
 -                    potential_entity = middle[amp:]
 -                    escaped = unescape(potential_entity)
 -                    can_strip = (escaped == potential_entity) or escaped.endswith(";")
 -
 -                if can_strip:
 +                potential_entity = middle[amp:]
 +                escaped = unescape(potential_entity)
 +                if escaped == potential_entity or escaped.endswith(";"):
                     rstripped = middle.rstrip(";")
                     amount_stripped = len(middle) - len(rstripped)
                     if amp > -1 and amount_stripped > 1:
 diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
 index 715c1c6..5abab8d 100644
 --- a/tests/utils_tests/test_html.py
 +++ b/tests/utils_tests/test_html.py
@@ -274,6 +274,8 @@ class TestUtilsHtml(SimpleTestCase):
             "[(" * 100_000 + ":" + ")]" * 100_000,
             "([[" * 100_000 + ":" + "]])" * 100_000,
             "&:" + ";" * 100_000,
 +            "&.;" * 100_000,
 +            ".;" * 100_000,
         )
         for value in tests:
             with self.subTest(value=value):
 --
 2.40.0
@@ -19,6 +19,7 @@ SRC_URI += "file://CVE-2023-31047.patch \
            file://CVE-2024-41989-0002.patch \
            file://CVE-2024-41989-0003.patch \
            file://CVE-2024-41989-0004.patch \
            file://CVE-2024-41990.patch \
           "
 SRC_URI[sha256sum] = "0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413"