1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
|
From: Brian May <brian@linuxpenguins.xyz>
Date: Thu, 22 Mar 2018 17:12:14 +1100
Subject: Fix CVE-2018-7536 -- DOS in urlize
This is a security fix.
---
django/utils/html.py | 33 +++++++++++++++++++++------------
tests/utils_tests/test_html.py | 9 +++++++++
2 files changed, 30 insertions(+), 12 deletions(-)
diff --git a/django/utils/html.py b/django/utils/html.py
index a5cb56e..5a9f735 100644
--- a/django/utils/html.py
+++ b/django/utils/html.py
@@ -17,12 +17,7 @@ from django.utils.text import normalize_newlines
from .html_parser import HTMLParseError, HTMLParser
# Configuration for urlize() function.
-TRAILING_PUNCTUATION_RE = re.compile(
- '^' # Beginning of word
- '(.*?)' # The URL in word
- '([.,:;!]+)' # Allowed non-wrapping, trailing punctuation
- '$' # End of word
-)
+TRAILING_PUNCTUATION_CHARS = '.,:;!'
WRAPPING_PUNCTUATION = [('(', ')'), ('<', '>'), ('[', ']'), ('<', '>'), ('"', '"'), ('\'', '\'')]
# List of possible strings used for bullets in bulleted lists.
@@ -32,7 +27,6 @@ unencoded_ampersands_re = re.compile(r'&(?!(\w+|#\d+);)')
word_split_re = re.compile(r'''([\s<>"']+)''')
simple_url_re = re.compile(r'^https?://\[?\w', re.IGNORECASE)
simple_url_2_re = re.compile(r'^www\.|^(?!http)\w[^@]+\.(com|edu|gov|int|mil|net|org)($|/.*)$', re.IGNORECASE)
-simple_email_re = re.compile(r'^\S+@\S+\.\S+$')
link_target_attribute_re = re.compile(r'(<a [^>]*?)target=[^\s>]+')
html_gunk_re = re.compile(
r'(?:<br clear="all">|<i><\/i>|<b><\/b>|<em><\/em>|<strong><\/strong>|'
@@ -286,10 +280,10 @@ def urlize(text, trim_url_limit=None, nofollow=False, autoescape=False):
trimmed_something = False
# Trim trailing punctuation.
- match = TRAILING_PUNCTUATION_RE.match(middle)
- if match:
- middle = match.group(1)
- trail = match.group(2) + trail
+ stripped = middle.rstrip(TRAILING_PUNCTUATION_CHARS)
+ if middle != stripped:
+ trail = middle[len(stripped):] + trail
+ middle = stripped
trimmed_something = True
# Trim wrapping punctuation.
@@ -306,6 +300,21 @@ def urlize(text, trim_url_limit=None, nofollow=False, autoescape=False):
trimmed_something = True
return lead, middle, trail
+ def is_email_simple(value):
+ """Return True if value looks like an email address."""
+ # An @ must be in the middle of the value.
+ if '@' not in value or value.startswith('@') or value.endswith('@'):
+ return False
+ try:
+ p1, p2 = value.split('@')
+ except ValueError:
+ # value contains more than one @.
+ return False
+ # Dot must be in p2 (e.g. example.com)
+ if '.' not in p2 or p2.startswith('.'):
+ return False
+ return True
+
words = word_split_re.split(force_text(text))
for i, word in enumerate(words):
if '.' in word or '@' in word or ':' in word:
@@ -325,7 +334,7 @@ def urlize(text, trim_url_limit=None, nofollow=False, autoescape=False):
elif simple_url_2_re.match(middle):
middle, middle_unescaped, trail = unescape(middle, trail)
url = smart_urlquote('http://%s' % middle_unescaped)
- elif ':' not in middle and simple_email_re.match(middle):
+ elif ':' not in middle and is_email_simple(middle):
local, domain = middle.rsplit('@', 1)
try:
domain = domain.encode('idna').decode('ascii')
diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
index 20de851..9f76d48 100644
--- a/tests/utils_tests/test_html.py
+++ b/tests/utils_tests/test_html.py
@@ -231,3 +231,11 @@ class TestUtilsHtml(SimpleTestCase):
@html.html_safe
class HtmlClass(object):
pass
+
+ def test_urlize_unchanged_inputs(self):
+ tests = (
+ ('a' + '@a' * 50000) + 'a', # simple_email_re catastrophic test
+ ('a' + '.' * 1000000) + 'a', # trailing_punctuation catastrophic test
+ )
+ for value in tests:
+ self.assertEqual(html.urlize(value), value)
|
