#33245: utils.urlize isn't thread-safe
-----------------------------------------+------------------------
Reporter: Tim McCurrach | Owner: nobody
Type: Bug | Status: new
Component: Utilities | Version: dev
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-----------------------------------------+------------------------
Since [changeset:"e567670b1abe61af4acfaa6a6a7e92a7acfa8b00" e567670b]
`utils.urlize` isn't thread safe!
=== To replicate bug: ===
1. Write 2 views that both use the `urlizetrunc` tag a large number of
times (between 10^4^ and 10^5^ was enough on my computer).
2. Use different url length limits (for truncation) for each view.
3. Load the 2 views simultaneously.
The resulting pages will have inconsistent url limits, as the
`trim_url_limit` value from one view leaks over to the other.
=== The cause ===
Since `urlize` was changed to become class-based, `trim_url_limit`,
`nofollow`, `autoescape`, and `trim_url_limit` are stored as instance
attributes. `Urlizer` is instantiated just once and then used within
`urlize`, which allows for these values to be shared between function
calls.
=== The solution ===
- The obvious solution would be to pass the values listed above directly
to `handle_word` so that they are not stored on the instance.
- My only question is: Does removing these values from the class instance
nullify the ease of customisation the original ticket brought about? If
this is the case, the better solution might just be to revert the change.
- An alternative approach would be to create a new instance of `Urlizer`
on each call of `urlize`, but since this can be called many times in a
single request, this would likely have a performance impact.
--
Ticket URL: <https://code.djangoproject.com/ticket/33245>
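
The leak described in the ticket, forced into a deterministic interleaving, next to the first proposed fix (passing the options to `handle_word`). This is an added example, not Django's `Urlizer` code: `SharedStateTrimmer`, `ArgPassingTrimmer`, `trim`, `run_interleaved` and the sample URL are hypothetical names and values made up for the illustration.

```python
import threading

URL = "https://example.com/a/long/path"  # constructed sample input

def trim(word, limit):
    return word if len(word) <= limit else word[:max(0, limit - 1)] + "…"

class SharedStateTrimmer:
    # Hypothetical model of the reported pattern: options kept on one shared instance.
    def __call__(self, text, trim_url_limit, pause=lambda: None):
        self.trim_url_limit = trim_url_limit  # visible to every thread
        pause()  # stands in for a thread switch in the middle of the call
        return " ".join(self.handle_word(w) for w in text.split())

    def handle_word(self, word):
        return trim(word, self.trim_url_limit)

class ArgPassingTrimmer:
    # First fix proposed in the ticket: pass the option to handle_word.
    def __call__(self, text, trim_url_limit, pause=lambda: None):
        pause()
        return " ".join(self.handle_word(w, trim_url_limit) for w in text.split())

    def handle_word(self, word, trim_url_limit):
        return trim(word, trim_url_limit)

def run_interleaved(trimmer):
    # View A (limit 40) is suspended mid-call while view B (limit 10) runs.
    a_paused, b_done, out = threading.Event(), threading.Event(), {}
    def view_a():
        def pause():
            a_paused.set()
            b_done.wait(timeout=5)
        out["a"] = trimmer(URL, 40, pause)
    def view_b():
        a_paused.wait(timeout=5)
        out["b"] = trimmer(URL, 10)
        b_done.set()

    threads = [threading.Thread(target=f) for f in (view_a, view_b)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return out["a"], out["b"]

if __name__ == "__main__":
    print("shared state:", run_interleaved(SharedStateTrimmer()))
    print("arguments:   ", run_interleaved(ArgPassingTrimmer()))
```

With the shared instance, view A's output is cut at view B's limit of 10 even though A asked for 40; with the option passed as an argument, each view keeps its own limit.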