CVE-2023-43665: Denial-of-service possibility in django.utils.text.Truncator¶

Following the fix for CVE 2019-14232, the regular expressions used in the implementation of django.utils.text.Truncator’s chars() and words() methods (with html=True) were revised and improved. However, these regular expressions still exhibited linear backtracking complexity, so when given a very long, potentially malformed HTML input, the evaluation would still be slow, leading to a potential denial of service vulnerability.

The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus also vulnerable.

The input processed by Truncator, when operating in HTML mode, has been limited to the first five million characters in order to avoid potential performance and memory issues.

Bugfixes¶

• Fixed a regression in Django 4.2.5 where overriding the deprecated DEFAULT_FILE_STORAGE and STATICFILES_STORAGE settings in tests caused the main STORAGES to mutate (#34821).

• Fixed a regression in Django 4.2 that caused unnecessary casting of string based fields (CharField, EmailField, TextField, CICharField, CIEmailField, and CITextField) used with the __isnull lookup on PostgreSQL. As a consequence, indexes using an __isnull expression or condition created before Django 4.2 wouldn’t be used by the query planner, leading to a performance regression (#34840).

  You may need to recreate such indexes created in your database with Django 4.2 to 4.2.5, as they contain unnecessary ::text casting. Find candidate indexes with this query:

  SELECT indexname, indexdef
  FROM pg_indexes
  WHERE indexdef LIKE '%::text IS %NULL';