File CVE-2023-43665.patch of Package python-Django.34811
Index: Django-2.0.7/django/utils/text.py
===================================================================
--- Django-2.0.7.orig/django/utils/text.py
+++ Django-2.0.7/django/utils/text.py
@@ -59,7 +59,14 @@ def wrap(text, width):
class Truncator(SimpleLazyObject):
"""
An object used to truncate text, either by characters or words.
+
+ When truncating HTML text (either chars or words), input will be limited to
+ at most `MAX_LENGTH_HTML` characters.
"""
+
+ # 5 million characters are approximately 4000 text pages or 3 web pages.
+ MAX_LENGTH_HTML = 5_000_000
+
def __init__(self, text):
super().__init__(lambda: str(text))
@@ -157,6 +164,11 @@ class Truncator(SimpleLazyObject):
if words and length <= 0:
return ''
+ size_limited = False
+ if len(text) > self.MAX_LENGTH_HTML:
+ text = text[: self.MAX_LENGTH_HTML]
+ size_limited = True
+
html4_singlets = (
'br', 'col', 'link', 'base', 'img',
'param', 'area', 'hr', 'input'
@@ -206,10 +218,14 @@ class Truncator(SimpleLazyObject):
# Add it to the start of the open tags list
open_tags.insert(0, tagname)
+ truncate_text = self.add_truncation_text("", truncate)
+
if current_len <= length:
+ if size_limited and truncate_text:
+ text += truncate_text
return text
+
out = text[:end_text_pos]
- truncate_text = self.add_truncation_text('', truncate)
if truncate_text:
out += truncate_text
# Close any tags still open
Index: Django-2.0.7/tests/utils_tests/test_text.py
===================================================================
--- Django-2.0.7.orig/tests/utils_tests/test_text.py
+++ Django-2.0.7/tests/utils_tests/test_text.py
@@ -1,4 +1,5 @@
import json
+from unittest.mock import patch
from django.test import SimpleTestCase
from django.utils import text
@@ -85,6 +86,23 @@ class TestUtilsText(SimpleTestCase):
# lazy strings are handled correctly
self.assertEqual(text.Truncator(lazystr('The quick brown fox')).chars(12), 'The quick...')
+ @patch("django.utils.text.Truncator.MAX_LENGTH_HTML", 10_000)
+ def test_truncate_chars_html_size_limit(self):
+ max_len = text.Truncator.MAX_LENGTH_HTML
+ bigger_len = text.Truncator.MAX_LENGTH_HTML + 1
+ valid_html = "<p>Joel is a slug</p>" # 14 chars
+ perf_test_values = [
+ ("</a" + "\t" * (max_len - 6) + "//>", None),
+ ("</p" + "\t" * bigger_len + "//>", "</p" + "\t" * 4 + "..."),
+ ("&" * bigger_len, "&" * 7 + "..."),
+ ("_X<<<<<<<<<<<>", None),
+ (valid_html * bigger_len, "<p>Joel is...</p>"), # 10 chars
+ ]
+ for value, expected in perf_test_values:
+ with self.subTest(value=value):
+ truncator = text.Truncator(value)
+ self.assertEqual(expected if expected else value, truncator.chars(10, html=True))
+
def test_truncate_words(self):
truncator = text.Truncator('The quick brown fox jumped over the lazy dog.')
self.assertEqual('The quick brown fox jumped over the lazy dog.', truncator.words(10))
@@ -94,6 +112,26 @@ class TestUtilsText(SimpleTestCase):
truncator = text.Truncator(lazystr('The quick brown fox jumped over the lazy dog.'))
self.assertEqual('The quick brown fox...', truncator.words(4))
+ @patch("django.utils.text.Truncator.MAX_LENGTH_HTML", 10_000)
+ def test_truncate_words_html_size_limit(self):
+ max_len = text.Truncator.MAX_LENGTH_HTML
+ bigger_len = text.Truncator.MAX_LENGTH_HTML + 1
+ valid_html = "<p>Joel is a slug</p>" # 4 words
+ perf_test_values = [
+ ("</a" + "\t" * (max_len - 6) + "//>", None),
+ ("</p" + "\t" * bigger_len + "//>", "</p" + "\t" * (max_len - 3) + "..."),
+ ("&" * max_len, None), # no change
+ ("&" * bigger_len, "&" * max_len + "..."),
+ ("_X<<<<<<<<<<<>", None),
+ (valid_html * bigger_len, valid_html * 12 + "<p>Joel is...</p>"), # 50 words
+ ]
+ for value, expected in perf_test_values:
+ with self.subTest(value=value):
+ truncator = text.Truncator(value)
+ self.assertEqual(
+ expected if expected else value, truncator.words(50, html=True)
+ )
+
def test_truncate_html_words(self):
truncator = text.Truncator(
'<p id="par"><strong><em>The quick brown fox jumped over the lazy dog.</em></strong></p>'
