Opened 11 years ago

Closed 11 years ago

#7336 closed (invalid)

DoS on malformed markdown input

Reported by: anders@… Owned by: nobody
Component: Template system Version: master
Severity: Keywords: markdown
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


When using the markdown template filter to format text, input with malformed markdown like the following will cause the entire django server to hang, consuming 100% CPU:

 [First Link[ ( and [Second Blah Link]( [Third Link](

Note the "[First Link[" typo. That seems to send the markdown parser into some kind of loop, making it do exponentially more work for each link that appears in the text after that point. There's something more to it that that amazon url triggers. Simpler urls in succeeding links don't cause it to behave quite as badly and I haven't had time to make a simpler test case.

This was first noticed on a production site being served with mod_wsgi (hitting the url that served up the offending content would make the entire site unresponsive until the apache process was manually killed) and verified in a standalone development environment.

Change History (1)

comment:1 Changed 11 years ago by Jacob

Resolution: invalid
Status: newclosed

Sounds like this a bug with python-markdown, not Django; I'd file this bug there.

Note: See TracTickets for help on using tickets.
Back to Top