#35675: Reduce impact of parsing crafted templates with repeat tags
-----------------------------+-------------------------------------------
     Reporter:  Jake Howard  |                     Type:  Bug
       Status:  new          |                Component:  Template system
      Version:               |                 Severity:  Normal
     Keywords:               |             Triage Stage:  Unreviewed
    Has patch:  0            |      Needs documentation:  0
  Needs tests:  0            |  Patch needs improvement:  0
Easy pickings:  0            |                    UI/UX:  0
-----------------------------+-------------------------------------------
 The template system uses a regex to extract template tags from text. Given
 certain inputs, this can take an excessive amount of time:

 {{{#!python
 In [2]: %timeit Template("{%" * 2000)
 34.7 ms ± 153 µs per loop (mean ± std. dev. of 7 runs, 10 loops each)

 In [3]: %timeit Template("{%" * 10000)
 877 ms ± 1.49 ms per loop (mean ± std. dev. of 7 runs, 1 loop each)

 In [4]: %timeit Template("{%" * 20000)
 3.49 s ± 47 ms per loop (mean ± std. dev. of 7 runs, 1 loop each)

 In [5]: %timeit Template("{%")
 11.5 µs ± 55.3 ns per loop (mean ± std. dev. of 7 runs, 100,000 loops
 each)
 }}}

 The cause is excessive backtracking in the
 [https://github.com/django/django/blob/b99c608ea10cabc97a6b251cdb6e81ef2a83bdcf/django/template/base.py#L89C23-L89C48 pattern used].
 Since the template system is so versatile and performance-critical, fixing
 the issue appears non-trivial.
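
 As an added illustration (not Django's code and not a proposed patch), the
 tag regex from the linked line of base.py beside a single-pass tokenizer
 that returns the same chunks as re.split with that pattern but resolves each
 unterminated opener in constant time; the names split_linear and _next_index
 are introduced here, and the regex is assumed to be the one at the linked commit.

```python
from __future__ import annotations

import re

# Tag regex from the linked line of django/template/base.py; '.' does not
# cross newlines, so a tag must open and close on the same line.
TAG_RE = re.compile(r"({%.*?%}|{{.*?}}|{#.*?#})")
OPENERS = {"{%": "%}", "{{": "}}", "{#": "#}"}


def split_with_regex(text: str) -> list[str]:
    """Django-style tokenization: text/tag/text/... chunks via re.split."""
    return TAG_RE.split(text)


def _next_index(text: str, needle: str) -> list[int | None]:
    """nxt[p] = smallest k >= p where needle starts at k, else None (O(n))."""
    nxt: list[int | None] = [None] * (len(text) + 3)
    for k in range(len(text) - 1, -1, -1):
        nxt[k] = k if text.startswith(needle, k) else nxt[k + 1]
    return nxt


def split_linear(text: str) -> list[str]:
    """Same chunks as TAG_RE.split(text), but every opener resolves in O(1).

    The regex rescans to end-of-line for each unterminated '{%', which is
    quadratic on '{%' * n; precomputed next-occurrence tables avoid that.
    """
    next_close = {o: _next_index(text, c) for o, c in OPENERS.items()}
    next_nl = _next_index(text, "\n")
    chunks: list[str] = []
    last = i = 0
    while i < len(text) - 1:  # an opener needs two characters
        opener = text[i:i + 2]
        if opener in next_close:
            k, nl = next_close[opener][i + 2], next_nl[i + 2]
            if k is not None and (nl is None or nl > k):  # closer on this line
                chunks.append(text[last:i])  # text before the tag (may be "")
                chunks.append(text[i:k + 2])  # the tag itself
                last = i = k + 2
                continue
        i += 1
    chunks.append(text[last:])  # trailing text (may be "")
    return chunks
```

 Timing both functions on the ticket's input, "{%" * 10000, shows the regex
 cost growing quadratically while split_linear stays proportional to the length.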

 Note: This bug was raised with the Security Team prior to opening; however,
 it was not deemed a security vulnerability since parsing untrusted (or semi-
 trusted) templates is
 [https://docs.djangoproject.com/en/5.0/topics/templates/ explicitly warned
 against].
-- 
Ticket URL: <https://code.djangoproject.com/ticket/35675>