Skip to content

Commit e157315

Browse files
committed
[2.0.x] Fixed CVE-2018-7536 -- Fixed catastrophic backtracking in urlize and urlizetrunc template filters.
Thanks Florian Apolloner for assisting with the patch.
1 parent 2da0064 commit e157315

File tree

5 files changed

+64
-13
lines changed

5 files changed

+64
-13
lines changed

Diff for: django/utils/html.py

+21-12
Original file line numberDiff line numberDiff line change
@@ -14,12 +14,7 @@
1414
from .html_parser import HTMLParseError, HTMLParser
1515

1616
# Configuration for urlize() function.
17-
TRAILING_PUNCTUATION_RE = re.compile(
18-
'^' # Beginning of word
19-
'(.*?)' # The URL in word
20-
'([.,:;!]+)' # Allowed non-wrapping, trailing punctuation
21-
'$' # End of word
22-
)
17+
TRAILING_PUNCTUATION_CHARS = '.,:;!'
2318
WRAPPING_PUNCTUATION = [('(', ')'), ('<', '>'), ('[', ']'), ('&lt;', '&gt;'), ('"', '"'), ('\'', '\'')]
2419

2520
# List of possible strings used for bullets in bulleted lists.
@@ -29,7 +24,6 @@
2924
word_split_re = re.compile(r'''([\s<>"']+)''')
3025
simple_url_re = re.compile(r'^https?://\[?\w', re.IGNORECASE)
3126
simple_url_2_re = re.compile(r'^www\.|^(?!http)\w[^@]+\.(com|edu|gov|int|mil|net|org)($|/.*)$', re.IGNORECASE)
32-
simple_email_re = re.compile(r'^\S+@\S+\.\S+$')
3327

3428

3529
@keep_lazy(str, SafeText)
@@ -276,10 +270,10 @@ def trim_punctuation(lead, middle, trail):
276270
trimmed_something = False
277271

278272
# Trim trailing punctuation.
279-
match = TRAILING_PUNCTUATION_RE.match(middle)
280-
if match:
281-
middle = match.group(1)
282-
trail = match.group(2) + trail
273+
stripped = middle.rstrip(TRAILING_PUNCTUATION_CHARS)
274+
if middle != stripped:
275+
trail = middle[len(stripped):] + trail
276+
middle = stripped
283277
trimmed_something = True
284278

285279
# Trim wrapping punctuation.
@@ -296,6 +290,21 @@ def trim_punctuation(lead, middle, trail):
296290
trimmed_something = True
297291
return lead, middle, trail
298292

293+
def is_email_simple(value):
294+
"""Return True if value looks like an email address."""
295+
# An @ must be in the middle of the value.
296+
if '@' not in value or value.startswith('@') or value.endswith('@'):
297+
return False
298+
try:
299+
p1, p2 = value.split('@')
300+
except ValueError:
301+
# value contains more than one @.
302+
return False
303+
# Dot must be in p2 (e.g. example.com)
304+
if '.' not in p2 or p2.startswith('.'):
305+
return False
306+
return True
307+
299308
words = word_split_re.split(force_text(text))
300309
for i, word in enumerate(words):
301310
if '.' in word or '@' in word or ':' in word:
@@ -315,7 +324,7 @@ def trim_punctuation(lead, middle, trail):
315324
elif simple_url_2_re.match(middle):
316325
middle, middle_unescaped, trail = unescape(middle, trail)
317326
url = smart_urlquote('http://%s' % middle_unescaped)
318-
elif ':' not in middle and simple_email_re.match(middle):
327+
elif ':' not in middle and is_email_simple(middle):
319328
local, domain = middle.rsplit('@', 1)
320329
try:
321330
domain = domain.encode('idna').decode('ascii')

Diff for: docs/releases/1.11.11.txt

+11
Original file line numberDiff line numberDiff line change
@@ -5,3 +5,14 @@ Django 1.11.11 release notes
55
*March 6, 2018*
66

77
Django 1.11.11 fixes two security issues in 1.11.10.
8+
9+
CVE-2018-7536: Denial-of-service possibility in ``urlize`` and ``urlizetrunc`` template filters
10+
===============================================================================================
11+
12+
The ``django.utils.html.urlize()`` function was extremely slow to evaluate
13+
certain inputs due to catastrophic backtracking vulnerabilities in two regular
14+
expressions. The ``urlize()`` function is used to implement the ``urlize`` and
15+
``urlizetrunc`` template filters, which were thus vulnerable.
16+
17+
The problematic regular expressions are replaced with parsing logic that
18+
behaves similarly.

Diff for: docs/releases/1.8.19.txt

+11
Original file line numberDiff line numberDiff line change
@@ -5,3 +5,14 @@ Django 1.8.19 release notes
55
*March 6, 2018*
66

77
Django 1.8.19 fixes two security issues in 1.18.18.
8+
9+
CVE-2018-7536: Denial-of-service possibility in ``urlize`` and ``urlizetrunc`` template filters
10+
===============================================================================================
11+
12+
The ``django.utils.html.urlize()`` function was extremely slow to evaluate
13+
certain inputs due to a catastrophic backtracking vulnerability in a regular
14+
expression. The ``urlize()`` function is used to implement the ``urlize`` and
15+
``urlizetrunc`` template filters, which were thus vulnerable.
16+
17+
The problematic regular expression is replaced with parsing logic that behaves
18+
similarly.

Diff for: docs/releases/2.0.3.txt

+11
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,17 @@ Django 2.0.3 release notes
77
Django 2.0.3 fixes two security issues and several bugs in 2.0.2. Also, the
88
latest string translations from Transifex are incorporated.
99

10+
CVE-2018-7536: Denial-of-service possibility in ``urlize`` and ``urlizetrunc`` template filters
11+
===============================================================================================
12+
13+
The ``django.utils.html.urlize()`` function was extremely slow to evaluate
14+
certain inputs due to catastrophic backtracking vulnerabilities in two regular
15+
expressions. The ``urlize()`` function is used to implement the ``urlize`` and
16+
``urlizetrunc`` template filters, which were thus vulnerable.
17+
18+
The problematic regular expressions are replaced with parsing logic that
19+
behaves similarly.
20+
1021
Bugfixes
1122
========
1223

Diff for: tests/utils_tests/test_html.py

+10-1
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,7 @@
55
from django.utils.functional import lazystr
66
from django.utils.html import (
77
conditional_escape, escape, escapejs, format_html, html_safe, linebreaks,
8-
smart_urlquote, strip_spaces_between_tags, strip_tags,
8+
smart_urlquote, strip_spaces_between_tags, strip_tags, urlize,
99
)
1010
from django.utils.safestring import mark_safe
1111

@@ -216,3 +216,12 @@ def test_html_safe_doesnt_define_str(self):
216216
@html_safe
217217
class HtmlClass:
218218
pass
219+
220+
def test_urlize_unchanged_inputs(self):
221+
tests = (
222+
('a' + '@a' * 50000) + 'a', # simple_email_re catastrophic test
223+
('a' + '.' * 1000000) + 'a', # trailing_punctuation catastrophic test
224+
)
225+
for value in tests:
226+
with self.subTest(value=value):
227+
self.assertEqual(urlize(value), value)

0 commit comments

Comments
 (0)