Red Hat Bugzilla – Bug 1202809
CVE-2015-2316 Django: possible denial of service in strip_tags()
Last modified: 2018-01-30 18:48:16 EST
The following flaw was found in Django: In a previous release, django.utils.html.strip_tags was changed to work iteratively. The problem is that the size of the input it is processing can increase on each iteration which results in an infinite loop in strip_tags(). This issue only affects versions of Python that haven't received a bugfix in HTMLParser (http://bugs.python.org/issue20288); namely Python < 2.7.7 and 3.3.5. Some operating system vendors have also backported the fix for the Python bug into their packages of earlier versions. To remedy this issue, strip_tags() will now return the original input if it detects the length of the string it is processing increases. Remember that absolutely NO guarantee is provided about the results of strip_tags() being HTML safe. So NEVER mark safe the result of a strip_tags() call without escaping it first, for example with django.utils.html.escape. This issue affects Django versions 1.8.x, 1.7.x, and 1.6.x. This issue is fixed in versions 1.8 release candidate 1 (or beta 3), 1.7.7, and 1.6.11. Acknowledgements: Red Hat would like to thank the upstream Django project for reporting this issue.
Created attachment 1002792 [details] is-safe-url-master.diff
Created attachment 1002793 [details] strip-tags-1.8.diff
Created attachment 1002794 [details] strip-tags-1.7.diff
Created attachment 1002795 [details] strip-tags-1.6.diff
Created attachment 1002796 [details] strip-tags-master.diff
External References: https://www.djangoproject.com/weblog/2015/mar/18/security-releases/
Created python-django tracking bugs for this issue: Affects: fedora-all [bug 1203614] Affects: epel-7 [bug 1203615]
python-django-1.6.11-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.