From: Brian May Date: Thu, 22 Mar 2018 17:12:14 +1100 Subject: Fix CVE-2018-7536 -- DOS in urlize This is a security fix. --- django/utils/html.py | 33 +++++++++++++++++++++------------ tests/utils_tests/test_html.py | 9 +++++++++ 2 files changed, 30 insertions(+), 12 deletions(-) diff --git a/django/utils/html.py b/django/utils/html.py index a5cb56e..5a9f735 100644 --- a/django/utils/html.py +++ b/django/utils/html.py @@ -17,12 +17,7 @@ from django.utils.text import normalize_newlines from .html_parser import HTMLParseError, HTMLParser # Configuration for urlize() function. -TRAILING_PUNCTUATION_RE = re.compile( - '^' # Beginning of word - '(.*?)' # The URL in word - '([.,:;!]+)' # Allowed non-wrapping, trailing punctuation - '$' # End of word -) +TRAILING_PUNCTUATION_CHARS = '.,:;!' WRAPPING_PUNCTUATION = [('(', ')'), ('<', '>'), ('[', ']'), ('<', '>'), ('"', '"'), ('\'', '\'')] # List of possible strings used for bullets in bulleted lists. @@ -32,7 +27,6 @@ unencoded_ampersands_re = re.compile(r'&(?!(\w+|#\d+);)') word_split_re = re.compile(r'''([\s<>"']+)''') simple_url_re = re.compile(r'^https?://\[?\w', re.IGNORECASE) simple_url_2_re = re.compile(r'^www\.|^(?!http)\w[^@]+\.(com|edu|gov|int|mil|net|org)($|/.*)$', re.IGNORECASE) -simple_email_re = re.compile(r'^\S+@\S+\.\S+$') link_target_attribute_re = re.compile(r'(]*?)target=[^\s>]+') html_gunk_re = re.compile( r'(?:
|<\/i>|<\/b>|<\/em>|<\/strong>|' @@ -286,10 +280,10 @@ def urlize(text, trim_url_limit=None, nofollow=False, autoescape=False): trimmed_something = False # Trim trailing punctuation. - match = TRAILING_PUNCTUATION_RE.match(middle) - if match: - middle = match.group(1) - trail = match.group(2) + trail + stripped = middle.rstrip(TRAILING_PUNCTUATION_CHARS) + if middle != stripped: + trail = middle[len(stripped):] + trail + middle = stripped trimmed_something = True # Trim wrapping punctuation. @@ -306,6 +300,21 @@ def urlize(text, trim_url_limit=None, nofollow=False, autoescape=False): trimmed_something = True return lead, middle, trail + def is_email_simple(value): + """Return True if value looks like an email address.""" + # An @ must be in the middle of the value. + if '@' not in value or value.startswith('@') or value.endswith('@'): + return False + try: + p1, p2 = value.split('@') + except ValueError: + # value contains more than one @. + return False + # Dot must be in p2 (e.g. example.com) + if '.' not in p2 or p2.startswith('.'): + return False + return True + words = word_split_re.split(force_text(text)) for i, word in enumerate(words): if '.' in word or '@' in word or ':' in word: @@ -325,7 +334,7 @@ def urlize(text, trim_url_limit=None, nofollow=False, autoescape=False): elif simple_url_2_re.match(middle): middle, middle_unescaped, trail = unescape(middle, trail) url = smart_urlquote('http://%s' % middle_unescaped) - elif ':' not in middle and simple_email_re.match(middle): + elif ':' not in middle and is_email_simple(middle): local, domain = middle.rsplit('@', 1) try: domain = domain.encode('idna').decode('ascii') diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py index 20de851..9f76d48 100644 --- a/tests/utils_tests/test_html.py +++ b/tests/utils_tests/test_html.py @@ -231,3 +231,11 @@ class TestUtilsHtml(SimpleTestCase): @html.html_safe class HtmlClass(object): pass + + def test_urlize_unchanged_inputs(self): + tests = ( + ('a' + '@a' * 50000) + 'a', # simple_email_re catastrophic test + ('a' + '.' * 1000000) + 'a', # trailing_punctuation catastrophic test + ) + for value in tests: + self.assertEqual(html.urlize(value), value)