Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
Cloud:OpenStack:Newton
python-Django
CVE-2019-14233-prevent-excessive-recursion.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2019-14233-prevent-excessive-recursion.patch of Package python-Django
commit 7ab4c10c6b122fa535a1187a7fffaf8d84dc4def Author: Florian Apolloner <florian@apolloner.eu> Date: Mon, 15 Jul 2019 12:00:06 +0200 [1.8.x] Fixed CVE-2019-14233 -- Prevented excessive HTMLParser recursion in strip_tags() when handling incomplete HTML entities. Thanks to Guido Vranken for initial report. diff --git a/django/utils/html.py b/django/utils/html.py index 0204fd4983..4cf70e1dcb 100644 --- a/django/utils/html.py +++ b/django/utils/html.py @@ -182,8 +182,8 @@ def strip_tags(value): # is redundant, but helps to reduce number of executions of _strip_once. while '<' in value and '>' in value: new_value = _strip_once(value) - if len(new_value) >= len(value): - # _strip_once was not able to detect more tags or length increased + if len(new_value) >= len(value) or value.count('<') == new_value.count('<'): + # _strip_once wasn't able to detect more tags, or line length increased. # due to http://bugs.python.org/issue20288 # (affects Python 2 < 2.7.7 and Python 3 < 3.3.5) break diff --git a/docs/releases/1.8.19.txt b/docs/releases/1.8.19.txt index bd64941485..168fb9f275 100644 --- a/docs/releases/1.8.19.txt +++ b/docs/releases/1.8.19.txt @@ -42,3 +42,20 @@ filters, which were thus vulnerable. The regular expressions used by ``Truncator`` have been simplified in order to avoid potential backtracking issues. As a consequence, trailing punctuation may now at times be included in the truncated output. + +CVE-2019-14233: Denial-of-service possibility in ``strip_tags()`` +================================================================= + +Due to the behavior of the underlying ``HTMLParser``, +:func:`django.utils.html.strip_tags` would be extremely slow to evaluate +certain inputs containing large sequences of nested incomplete HTML entities. +The ``strip_tags()`` method is used to implement the corresponding +:tfilter:`striptags` template filter, which was thus also vulnerable. + +``strip_tags()`` now avoids recursive calls to ``HTMLParser`` when progress +removing tags, but necessarily incomplete HTML entities, stops being made. + +Remember that absolutely NO guarantee is provided about the results of +``strip_tags()`` being HTML safe. So NEVER mark safe the result of a +``strip_tags()`` call without escaping it first, for example with +:func:`django.utils.html.escape`. diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py index b108268c17..5d3f53f191 100644 --- a/tests/utils_tests/test_html.py +++ b/tests/utils_tests/test_html.py @@ -84,6 +84,8 @@ class TestUtilsHtml(SimpleTestCase): # caused infinite loop on Pythons not patched with # http://bugs.python.org/issue20288 ('&gotcha&#;<>', '&gotcha&#;<>'), + ('><!' + ('&' * 16000) + 'D', '><!' + ('&' * 16000) + 'D'), + ('X<<<<br>br>br>br>X', 'XX'), ) for value, output in items: self.check_output(f, value, output)
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor