Skip to content

Commit abf89d7

Browse files
committed
[1.11.x] Fixed CVE-2018-7536 -- Fixed catastrophic backtracking in urlize and urlizetrunc template filters.
Thanks Florian Apolloner for assisting with the patch.
1 parent 7d7ab26 commit abf89d7

File tree

4 files changed

+51
-12
lines changed

4 files changed

+51
-12
lines changed

Diff for: django/utils/html.py

+21-12
Original file line numberDiff line numberDiff line change
@@ -17,12 +17,7 @@
1717
from .html_parser import HTMLParseError, HTMLParser
1818

1919
# Configuration for urlize() function.
20-
TRAILING_PUNCTUATION_RE = re.compile(
21-
'^' # Beginning of word
22-
'(.*?)' # The URL in word
23-
'([.,:;!]+)' # Allowed non-wrapping, trailing punctuation
24-
'$' # End of word
25-
)
20+
TRAILING_PUNCTUATION_CHARS = '.,:;!'
2621
WRAPPING_PUNCTUATION = [('(', ')'), ('<', '>'), ('[', ']'), ('&lt;', '&gt;'), ('"', '"'), ('\'', '\'')]
2722

2823
# List of possible strings used for bullets in bulleted lists.
@@ -32,7 +27,6 @@
3227
word_split_re = re.compile(r'''([\s<>"']+)''')
3328
simple_url_re = re.compile(r'^https?://\[?\w', re.IGNORECASE)
3429
simple_url_2_re = re.compile(r'^www\.|^(?!http)\w[^@]+\.(com|edu|gov|int|mil|net|org)($|/.*)$', re.IGNORECASE)
35-
simple_email_re = re.compile(r'^\S+@\S+\.\S+$')
3630

3731

3832
@keep_lazy(six.text_type, SafeText)
@@ -280,10 +274,10 @@ def trim_punctuation(lead, middle, trail):
280274
trimmed_something = False
281275

282276
# Trim trailing punctuation.
283-
match = TRAILING_PUNCTUATION_RE.match(middle)
284-
if match:
285-
middle = match.group(1)
286-
trail = match.group(2) + trail
277+
stripped = middle.rstrip(TRAILING_PUNCTUATION_CHARS)
278+
if middle != stripped:
279+
trail = middle[len(stripped):] + trail
280+
middle = stripped
287281
trimmed_something = True
288282

289283
# Trim wrapping punctuation.
@@ -300,6 +294,21 @@ def trim_punctuation(lead, middle, trail):
300294
trimmed_something = True
301295
return lead, middle, trail
302296

297+
def is_email_simple(value):
298+
"""Return True if value looks like an email address."""
299+
# An @ must be in the middle of the value.
300+
if '@' not in value or value.startswith('@') or value.endswith('@'):
301+
return False
302+
try:
303+
p1, p2 = value.split('@')
304+
except ValueError:
305+
# value contains more than one @.
306+
return False
307+
# Dot must be in p2 (e.g. example.com)
308+
if '.' not in p2 or p2.startswith('.'):
309+
return False
310+
return True
311+
303312
words = word_split_re.split(force_text(text))
304313
for i, word in enumerate(words):
305314
if '.' in word or '@' in word or ':' in word:
@@ -319,7 +328,7 @@ def trim_punctuation(lead, middle, trail):
319328
elif simple_url_2_re.match(middle):
320329
middle, middle_unescaped, trail = unescape(middle, trail)
321330
url = smart_urlquote('http://%s' % middle_unescaped)
322-
elif ':' not in middle and simple_email_re.match(middle):
331+
elif ':' not in middle and is_email_simple(middle):
323332
local, domain = middle.rsplit('@', 1)
324333
try:
325334
domain = domain.encode('idna').decode('ascii')

Diff for: docs/releases/1.11.11.txt

+11
Original file line numberDiff line numberDiff line change
@@ -5,3 +5,14 @@ Django 1.11.11 release notes
55
*March 6, 2018*
66

77
Django 1.11.11 fixes two security issues in 1.11.10.
8+
9+
CVE-2018-7536: Denial-of-service possibility in ``urlize`` and ``urlizetrunc`` template filters
10+
===============================================================================================
11+
12+
The ``django.utils.html.urlize()`` function was extremely slow to evaluate
13+
certain inputs due to catastrophic backtracking vulnerabilities in two regular
14+
expressions. The ``urlize()`` function is used to implement the ``urlize`` and
15+
``urlizetrunc`` template filters, which were thus vulnerable.
16+
17+
The problematic regular expressions are replaced with parsing logic that
18+
behaves similarly.

Diff for: docs/releases/1.8.19.txt

+11
Original file line numberDiff line numberDiff line change
@@ -5,3 +5,14 @@ Django 1.8.19 release notes
55
*March 6, 2018*
66

77
Django 1.8.19 fixes two security issues in 1.18.18.
8+
9+
CVE-2018-7536: Denial-of-service possibility in ``urlize`` and ``urlizetrunc`` template filters
10+
===============================================================================================
11+
12+
The ``django.utils.html.urlize()`` function was extremely slow to evaluate
13+
certain inputs due to a catastrophic backtracking vulnerability in a regular
14+
expression. The ``urlize()`` function is used to implement the ``urlize`` and
15+
``urlizetrunc`` template filters, which were thus vulnerable.
16+
17+
The problematic regular expression is replaced with parsing logic that behaves
18+
similarly.

Diff for: tests/utils_tests/test_html.py

+8
Original file line numberDiff line numberDiff line change
@@ -232,3 +232,11 @@ def test_html_safe_doesnt_define_str(self):
232232
@html.html_safe
233233
class HtmlClass(object):
234234
pass
235+
236+
def test_urlize_unchanged_inputs(self):
237+
tests = (
238+
('a' + '@a' * 50000) + 'a', # simple_email_re catastrophic test
239+
('a' + '.' * 1000000) + 'a', # trailing_punctuation catastrophic test
240+
)
241+
for value in tests:
242+
self.assertEqual(html.urlize(value), value)

0 commit comments

Comments
 (0)