packages/python-django
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
python-django/CVE-2025-32873.patch
starlet-dx 67e7bd24c2 Fix CVE-2025-32873 
(cherry picked from commit 97f56e17d550c32bedd01e9e8963207f4b4c2f23)
2025-05-09 10:57:08 +08:00

86 lines
3.3 KiB
Diff
Raw Blame History

From 9cd8028f3e38dca8e51c1388f474eecbe7d6ca3c Mon Sep 17 00:00:00 2001
From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
Date: Tue, 8 Apr 2025 16:30:17 +0200
Subject: [PATCH] [4.2.x] Fixed CVE-2025-32873 -- Mitigated potential DoS in
strip_tags().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Thanks to Elias Myllymäki for the report, and Shai Berger and Jake
Howard for the reviews.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of 9f3419b519799d69f2aba70b9d25abe2e70d03e0 from main.
Origin: https://github.com/django/django/commit/9cd8028f3e38dca8e51c1388f474eecbe7d6ca3c
---
django/utils/html.py | 6 ++++++
tests/utils_tests/test_html.py | 15 ++++++++++++++-
2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/django/utils/html.py b/django/utils/html.py
index a3a7238..84c37d1 100644
--- a/django/utils/html.py
+++ b/django/utils/html.py
@@ -17,6 +17,9 @@ from django.utils.text import normalize_newlines
MAX_URL_LENGTH = 2048
MAX_STRIP_TAGS_DEPTH = 50
+# HTML tag that opens but has no closing ">" after 1k+ chars.
+long_open_tag_without_closing_re = _lazy_re_compile(r"<[a-zA-Z][^>]{1000,}")
+
@keep_lazy(SafeString)
def escape(text):
@@ -175,6 +178,9 @@ def _strip_once(value):
def strip_tags(value):
"""Return the given HTML with all tags stripped."""
value = str(value)
+ for long_open_tag in long_open_tag_without_closing_re.finditer(value):
+ if long_open_tag.group().count("<") >= MAX_STRIP_TAGS_DEPTH:
+ raise SuspiciousOperation
# Note: in typical case this loop executes _strip_once twice (the second
# execution does not remove any more tags).
strip_tags_depth = 0
diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
index 579bb2a..25168e2 100644
--- a/tests/utils_tests/test_html.py
+++ b/tests/utils_tests/test_html.py
@@ -115,17 +115,30 @@ class TestUtilsHtml(SimpleTestCase):
("><!" + ("&" * 16000) + "D", "><!" + ("&" * 16000) + "D"),
("X<<<<br>br>br>br>X", "XX"),
("<" * 50 + "a>" * 50, ""),
+ (">" + "<a" * 500 + "a", ">" + "<a" * 500 + "a"),
+ ("<a" * 49 + "a" * 951, "<a" * 49 + "a" * 951),
+ ("<" + "a" * 1_002, "<" + "a" * 1_002),
)
for value, output in items:
with self.subTest(value=value, output=output):
self.check_output(strip_tags, value, output)
self.check_output(strip_tags, lazystr(value), output)
- def test_strip_tags_suspicious_operation(self):
+ def test_strip_tags_suspicious_operation_max_depth(self):
value = "<" * 51 + "a>" * 51, "<a>"
with self.assertRaises(SuspiciousOperation):
strip_tags(value)
+ def test_strip_tags_suspicious_operation_large_open_tags(self):
+ items = [
+ ">" + "<a" * 501,
+ "<a" * 50 + "a" * 950,
+ ]
+ for value in items:
+ with self.subTest(value=value):
+ with self.assertRaises(SuspiciousOperation):
+ strip_tags(value)
+
def test_strip_tags_files(self):
# Test with more lengthy content (also catching performance regressions)
for filename in ("strip_tags1.html", "strip_tags2.txt"):
--
2.49.0
Reference in New Issue View Git Blame Copy Permalink