1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
|
From: Brian May <brian@linuxpenguins.xyz>
Date: Tue, 20 Mar 2018 17:32:39 +1100
Subject: Fix CVE-2018-7536 -- DOS in urlize
This is a security fix.
---
django/utils/html.py | 18 ++++++++++++++++--
tests/utils_tests/test_html.py | 8 ++++++++
2 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/django/utils/html.py b/django/utils/html.py
index 813d6b0..ab8bbf4 100644
--- a/django/utils/html.py
+++ b/django/utils/html.py
@@ -27,7 +27,6 @@ unencoded_ampersands_re = re.compile(r'&(?!(\w+|#\d+);)')
word_split_re = re.compile(r'(\s+)')
simple_url_re = re.compile(r'^https?://\[?\w', re.IGNORECASE)
simple_url_2_re = re.compile(r'^www\.|^(?!http)\w[^@]+\.(com|edu|gov|int|mil|net|org)$', re.IGNORECASE)
-simple_email_re = re.compile(r'^\S+@\S+\.\S+$')
link_target_attribute_re = re.compile(r'(<a [^>]*?)target=[^\s>]+')
html_gunk_re = re.compile(r'(?:<br clear="all">|<i><\/i>|<b><\/b>|<em><\/em>|<strong><\/strong>|<\/?smallcaps>|<\/?uppercase>)', re.IGNORECASE)
hard_coded_bullets_re = re.compile(r'((?:<p>(?:%s).*?[a-zA-Z].*?</p>\s*)+)' % '|'.join(re.escape(x) for x in DOTS), re.DOTALL)
@@ -255,6 +254,21 @@ def urlize(text, trim_url_limit=None, nofollow=False, autoescape=False):
If autoescape is True, the link text and URLs will be autoescaped.
"""
+ def is_email_simple(value):
+ """Return True if value looks like an email address."""
+ # An @ must be in the middle of the value.
+ if '@' not in value or value.startswith('@') or value.endswith('@'):
+ return False
+ try:
+ p1, p2 = value.split('@')
+ except ValueError:
+ # value contains more than one @.
+ return False
+ # Dot must be in p2 (e.g. example.com)
+ if '.' not in p2 or p2.startswith('.'):
+ return False
+ return True
+
def trim_url(x, limit=trim_url_limit):
if limit is None or len(x) <= limit:
return x
@@ -286,7 +300,7 @@ def urlize(text, trim_url_limit=None, nofollow=False, autoescape=False):
url = smart_urlquote(middle)
elif simple_url_2_re.match(middle):
url = smart_urlquote('http://%s' % middle)
- elif ':' not in middle and simple_email_re.match(middle):
+ elif ':' not in middle and is_email_simple(middle):
local, domain = middle.rsplit('@', 1)
try:
domain = domain.encode('idna').decode('ascii')
diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
index 1e63037..a1b34fa 100644
--- a/tests/utils_tests/test_html.py
+++ b/tests/utils_tests/test_html.py
@@ -217,3 +217,11 @@ class TestUtilsHtml(TestCase):
self.assertEqual(html.conditional_escape(s),
'<h1>interop</h1>')
self.assertEqual(html.conditional_escape(safestring.mark_safe(s)), s)
+
+ def test_urlize_unchanged_inputs(self):
+ tests = (
+ ('a' + '@a' * 50000) + 'a', # simple_email_re catastrophic test
+ ('a' + '.' * 1000000) + 'a', # trailing_punctuation catastrophic test
+ )
+ for value in tests:
+ self.assertEqual(html.urlize(value), value)
|
