
CVE-2024-38875: Denial-Of-Service through uncontrolled resource consumption caused by poor time complexity of strip_punctuation.

Medium
Internet Bug Bounty
Reported by l33thaxor

Vulnerability Details

Technical details and impact analysis

Uncontrolled Resource Consumption
CVE-2024-38875 is a vulnerability where an attacker can cause uncontrolled resource consumption by passing an input containing a very large number of opening and closing brackets to the punctuation-trimming step of Django's urlizer. The method is `trim_punctuation` on `django.utils.html.Urlizer` (the report title refers to it as `strip_punctuation`), and it is reached through the `urlize` and `urlizetrunc` template filters. Here is the vulnerable function:

```python
# SNIP
def trim_punctuation(self, word):
    """
    Trim trailing and wrapping punctuation from `word`. Return the items of
    the new state.
    """
    lead, middle, trail = "", word, ""
    # Continue trimming until middle remains unchanged.
    trimmed_something = True
    while trimmed_something:  # <--------- This loop has O(n^2) worst case time complexity
        trimmed_something = False
        # Trim wrapping punctuation.
        for opening, closing in self.wrapping_punctuation:
            if middle.startswith(opening):
                middle = middle.removeprefix(opening)
                lead += opening
                trimmed_something = True
            # Keep parentheses at the end only if they're balanced.
            if (
                middle.endswith(closing)
                and middle.count(closing) == middle.count(opening) + 1
            ):
                middle = middle.removesuffix(closing)
                trail = closing + trail
                trimmed_something = True
        # Trim trailing punctuation (after trimming wrapping punctuation,
        # as encoded entities contain ';'). Unescape entities to avoid
        # breaking them by removing ';'.
        middle_unescaped = html.unescape(middle)
        stripped = middle_unescaped.rstrip(self.trailing_punctuation_chars)
        if middle_unescaped != stripped:
            punctuation_count = len(middle_unescaped) - len(stripped)
            trail = middle[-punctuation_count:] + trail
            middle = middle[:-punctuation_count]
            trimmed_something = True
    return lead, middle, trail
# SNIP
```

Each pass of the `while` loop removes at most one wrapping character per bracket pair, but `middle.count()`, `html.unescape()` and the prefix/suffix removals all rescan the whole remaining string. A word made of n opening brackets followed by n closing brackets therefore costs n passes of O(n) work each, which is O(n^2) overall.

I have attached the files which I initially sent when I reported this vulnerability; they demonstrate it. My own personal email address is: `[email protected]`

## Impact

An attacker can cause denial of service and uncontrolled resource consumption by passing a specially crafted string to `trim_punctuation` through the `urlize` or `urlizetrunc` filter.
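The following is an added example, written for this page and not code from Django or from the reporter's attachments. It ports the quadratic loop above as a stand-alone function (with the `wrapping_punctuation` and `trailing_punctuation_chars` values Django's `Urlizer` uses), instruments it to count loop passes, builds a constructed worst-case token, and shows a cheap O(n) pre-check that an application could apply to a token before urlizing it while waiting to upgrade. `MAX_WRAPPERS` and `looks_adversarial` are assumptions of this example, not Django settings or APIs.

```python
# Added example (not Django's or the reporter's code): a port of the
# quadratic trim_punctuation loop, instrumented to count passes, plus a
# constructed worst-case input and an O(n) guard for use before urlize().
import html
import time

# Constants as used by django.utils.html.Urlizer.
WRAPPING_PUNCTUATION = [("(", ")"), ("[", "]")]
TRAILING_PUNCTUATION_CHARS = ".,:;!"


def trim_punctuation(word):
    """Port of the vulnerable loop; returns (lead, middle, trail, passes).

    `passes` counts iterations of the outer while loop. Every pass rescans
    `middle` (count(), html.unescape(), prefix/suffix removal), so the total
    work is roughly passes * len(word).
    """
    lead, middle, trail = "", word, ""
    passes = 0
    trimmed_something = True
    while trimmed_something:
        passes += 1
        trimmed_something = False
        for opening, closing in WRAPPING_PUNCTUATION:
            if middle.startswith(opening):
                middle = middle.removeprefix(opening)
                lead += opening
                trimmed_something = True
            # A closer is trimmed only when it is the single unbalanced one.
            if (
                middle.endswith(closing)
                and middle.count(closing) == middle.count(opening) + 1
            ):
                middle = middle.removesuffix(closing)
                trail = closing + trail
                trimmed_something = True
        middle_unescaped = html.unescape(middle)
        stripped = middle_unescaped.rstrip(TRAILING_PUNCTUATION_CHARS)
        if middle_unescaped != stripped:
            punctuation_count = len(middle_unescaped) - len(stripped)
            trail = middle[-punctuation_count:] + trail
            middle = middle[:-punctuation_count]
            trimmed_something = True
    return lead, middle, trail, passes


def crafted(n):
    """Constructed worst case: n openers, one ordinary character, n closers.

    Each pass strips exactly one '(' and one ')', so the loop runs n + 1 times
    and every pass rescans a string of about 2n characters.
    """
    return "(" * n + "x" + ")" * n


def seconds_for(n):
    """Wall-clock cost of trimming crafted(n); doubling n roughly quadruples it."""
    start = time.perf_counter()
    trim_punctuation(crafted(n))
    return time.perf_counter() - start


# Assumed stop-gap bound (not a Django setting): a genuine URL token rarely
# carries more than a handful of brackets, so refuse to urlize tokens beyond it.
MAX_WRAPPERS = 32


def looks_adversarial(word, max_wrappers=MAX_WRAPPERS):
    """O(n) guard to run on a single token before handing it to urlize()."""
    wrappers = "".join(o + c for o, c in WRAPPING_PUNCTUATION)
    return sum(word.count(ch) for ch in wrappers) > max_wrappers


if __name__ == "__main__":
    for n in (1_000, 2_000, 4_000):
        passes = trim_punctuation(crafted(n))[3]
        print(f"n={n:>5}: passes={passes} time={seconds_for(n):.3f}s")
    print("guard flags crafted(4000):", looks_adversarial(crafted(4_000)))
```

Running the module prints the pass count and timing for three doublings of n; the pass count grows linearly while the time grows roughly fourfold per doubling, which is the O(n^2) behaviour the report describes. The guard is a mitigation for applications that cannot upgrade immediately; the real fix is Django 4.2.14 or 5.0.7.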

Related CVEs

Associated Common Vulnerabilities and Exposures

An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0.7. urlize and urlizetrunc were subject to a potential denial of service attack via certain inputs with a very large number of brackets.

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Bounty

$2142.00

Weakness

Uncontrolled Resource Consumption