mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-07-30 16:44:30 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

[2.2.X] Fixed CVE-2019-14232 -- Adjusted regex to avoid backtracking issues when truncating HTML.

Browse source 
Thanks to Guido Vranken for initial report.
This commit is contained in:
Florian Apolloner 2019-07-15 11:46:09 +02:00 committed by Carlton Gibson
parent f9462f4c82
commit c3289717c6
6 changed files with 67 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

25
tests/utils_tests/test_text.py
View file

@ -86,6 +86,17 @@ class TestUtilsText(SimpleTestCase):
# lazy strings are handled correctly
self.assertEqual(text.Truncator(lazystr('The quick brown fox')).chars(10), 'The quick…')
def test_truncate_chars_html(self):
perf_test_values = [
(('</a' + '\t' * 50000) + '//>', None),
('&' * 50000, '&' * 9 + ''),
('_X<<<<<<<<<<<>', None),
]
for value, expected in perf_test_values:
with self.subTest(value=value):
truncator = text.Truncator(value)
self.assertEqual(expected if expected else value, truncator.chars(10, html=True))
def test_truncate_words(self):
truncator = text.Truncator('The quick brown fox jumped over the lazy dog.')
self.assertEqual('The quick brown fox jumped over the lazy dog.', truncator.words(10))
@ -135,11 +146,17 @@ class TestUtilsText(SimpleTestCase):
truncator = text.Truncator('<i>Buenos d&iacute;as! &#x00bf;C&oacute;mo est&aacute;?</i>')
self.assertEqual('<i>Buenos d&iacute;as! &#x00bf;C&oacute;mo…</i>', truncator.words(3, html=True))
truncator = text.Truncator('<p>I &lt;3 python, what about you?</p>')
self.assertEqual('<p>I &lt;3 python…</p>', truncator.words(3, html=True))
self.assertEqual('<p>I &lt;3 python,…</p>', truncator.words(3, html=True))
re_tag_catastrophic_test = ('</a' + '\t' * 50000) + '//>'
truncator = text.Truncator(re_tag_catastrophic_test)
self.assertEqual(re_tag_catastrophic_test, truncator.words(500, html=True))
perf_test_values = [
('</a' + '\t' * 50000) + '//>',
'&' * 50000,
'_X<<<<<<<<<<<>',
]
for value in perf_test_values:
with self.subTest(value=value):
truncator = text.Truncator(value)
self.assertEqual(value, truncator.words(50, html=True))
def test_wrap(self):
digits = '1234 67 9'