1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
|
From 5fd7c868791b635ef20d2991cc028516b9021dd4 Mon Sep 17 00:00:00 2001
From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
Date: Tue, 25 Feb 2025 09:40:54 +0100
Subject: [PATCH] [5.0.x] Fixed CVE-2025-26699 -- Mitigated potential DoS in
wordwrap template filter.
Thanks sw0rd1ight for the report.
Backport of 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b from main.
CVE: CVE-2025-26699
Upstream-Status: Backport [https://github.com/django/django/commit/e88f7376fe68]
Backport Changes:
- The fix has been adapted from the upstream Django v4.2.20 patch for
CVE-2025-26699, applied to the python3-django_5.0.11.bb recipe.
- The upstream patch includes changes to a 4.2.20.txt release-note file.
This file does not exist in the Django 5.0.11 source tree, so it was
intentionally omitted from this backport.
- Only the relevant code changes from the upstream patch were applied.
No functional differences exist in the vulnerable logic between
Django 4.2.x and 5.0.x.
(cherry picked from commit e88f7376fe68dbf4ebaf11fad1513ce700b45860)
Signed-off-by: Anil Dongare <adongare@cisco.com>
---
django/utils/text.py | 28 +++++++------------
.../filter_tests/test_wordwrap.py | 11 ++++++++
2 files changed, 21 insertions(+), 18 deletions(-)
diff --git a/django/utils/text.py b/django/utils/text.py
index d992f80dd2..36ab6a9efc 100644
--- a/django/utils/text.py
+++ b/django/utils/text.py
@@ -1,6 +1,7 @@
import gzip
import re
import secrets
+import textwrap
import unicodedata
from gzip import GzipFile
from gzip import compress as gzip_compress
@@ -97,24 +98,15 @@ def wrap(text, width):
``width``.
"""
- def _generator():
- for line in text.splitlines(True): # True keeps trailing linebreaks
- max_width = min((line.endswith("\n") and width + 1 or width), width)
- while len(line) > max_width:
- space = line[: max_width + 1].rfind(" ") + 1
- if space == 0:
- space = line.find(" ") + 1
- if space == 0:
- yield line
- line = ""
- break
- yield "%s\n" % line[: space - 1]
- line = line[space:]
- max_width = min((line.endswith("\n") and width + 1 or width), width)
- if line:
- yield line
-
- return "".join(_generator())
+ wrapper = textwrap.TextWrapper(
+ width=width,
+ break_long_words=False,
+ break_on_hyphens=False,
+ )
+ result = []
+ for line in text.splitlines(True):
+ result.extend(wrapper.wrap(line))
+ return "\n".join(result)
def add_truncation_text(text, truncate=None):
diff --git a/tests/template_tests/filter_tests/test_wordwrap.py b/tests/template_tests/filter_tests/test_wordwrap.py
index 88fbd274da..4afa1dd234 100644
--- a/tests/template_tests/filter_tests/test_wordwrap.py
+++ b/tests/template_tests/filter_tests/test_wordwrap.py
@@ -78,3 +78,14 @@ class FunctionTests(SimpleTestCase):
"this is a long\nparagraph of\ntext that\nreally needs\nto be wrapped\n"
"I'm afraid",
)
+
+ def test_wrap_long_text(self):
+ long_text = (
+ "this is a long paragraph of text that really needs"
+ " to be wrapped I'm afraid " * 20_000
+ )
+ self.assertIn(
+ "this is a\nlong\nparagraph\nof text\nthat\nreally\nneeds to\nbe wrapped\n"
+ "I'm afraid",
+ wordwrap(long_text, 10),
+ )
--
2.43.5
|
