From: Brian May Date: Tue, 20 Mar 2018 17:32:39 +1100 Subject: Fix CVE-2018-7536 -- DOS in urlize This is a security fix. --- django/utils/html.py | 18 ++++++++++++++++-- tests/utils_tests/test_html.py | 8 ++++++++ 2 files changed, 24 insertions(+), 2 deletions(-) diff --git a/django/utils/html.py b/django/utils/html.py index 813d6b0..ab8bbf4 100644 --- a/django/utils/html.py +++ b/django/utils/html.py @@ -27,7 +27,6 @@ unencoded_ampersands_re = re.compile(r'&(?!(\w+|#\d+);)') word_split_re = re.compile(r'(\s+)') simple_url_re = re.compile(r'^https?://\[?\w', re.IGNORECASE) simple_url_2_re = re.compile(r'^www\.|^(?!http)\w[^@]+\.(com|edu|gov|int|mil|net|org)$', re.IGNORECASE) -simple_email_re = re.compile(r'^\S+@\S+\.\S+$') link_target_attribute_re = re.compile(r'(]*?)target=[^\s>]+') html_gunk_re = re.compile(r'(?:
|<\/i>|<\/b>|<\/em>|<\/strong>|<\/?smallcaps>|<\/?uppercase>)', re.IGNORECASE) hard_coded_bullets_re = re.compile(r'((?:

(?:%s).*?[a-zA-Z].*?

\s*)+)' % '|'.join(re.escape(x) for x in DOTS), re.DOTALL) @@ -255,6 +254,21 @@ def urlize(text, trim_url_limit=None, nofollow=False, autoescape=False): If autoescape is True, the link text and URLs will be autoescaped. """ + def is_email_simple(value): + """Return True if value looks like an email address.""" + # An @ must be in the middle of the value. + if '@' not in value or value.startswith('@') or value.endswith('@'): + return False + try: + p1, p2 = value.split('@') + except ValueError: + # value contains more than one @. + return False + # Dot must be in p2 (e.g. example.com) + if '.' not in p2 or p2.startswith('.'): + return False + return True + def trim_url(x, limit=trim_url_limit): if limit is None or len(x) <= limit: return x @@ -286,7 +300,7 @@ def urlize(text, trim_url_limit=None, nofollow=False, autoescape=False): url = smart_urlquote(middle) elif simple_url_2_re.match(middle): url = smart_urlquote('http://%s' % middle) - elif ':' not in middle and simple_email_re.match(middle): + elif ':' not in middle and is_email_simple(middle): local, domain = middle.rsplit('@', 1) try: domain = domain.encode('idna').decode('ascii') diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py index 1e63037..a1b34fa 100644 --- a/tests/utils_tests/test_html.py +++ b/tests/utils_tests/test_html.py @@ -217,3 +217,11 @@ class TestUtilsHtml(TestCase): self.assertEqual(html.conditional_escape(s), '<h1>interop</h1>') self.assertEqual(html.conditional_escape(safestring.mark_safe(s)), s) + + def test_urlize_unchanged_inputs(self): + tests = ( + ('a' + '@a' * 50000) + 'a', # simple_email_re catastrophic test + ('a' + '.' * 1000000) + 'a', # trailing_punctuation catastrophic test + ) + for value in tests: + self.assertEqual(html.urlize(value), value)