From 4f2765232336b8ad0afd8017d9d912ae93470017 Mon Sep 17 00:00:00 2001
From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
Date: Tue, 25 Feb 2025 09:40:54 +0100
Subject: [PATCH] [5.0.x] Fixed CVE-2025-26699 -- Mitigated potential DoS in
 wordwrap template filter.

Thanks sw0rd1ight for the report.

Backport of 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b from main.
---
 django/utils/text.py                          | 28 +++++++------------
 docs/releases/2.2.27.txt                      |  8 +++++-
 .../filter_tests/test_wordwrap.py             | 11 ++++++++
 3 files changed, 28 insertions(+), 19 deletions(-)

diff --git a/django/utils/text.py b/django/utils/text.py
index 6631a00..c44d452 100644
--- a/django/utils/text.py
+++ b/django/utils/text.py
@@ -1,6 +1,7 @@
 import html.entities
 import re
 import unicodedata
+import textwrap
 from gzip import GzipFile
 from io import BytesIO
 
@@ -88,24 +89,15 @@ def wrap(text, width):
     Don't wrap long words, thus the output text may have lines longer than
     ``width``.
     """
-    def _generator():
-        for line in text.splitlines(True):  # True keeps trailing linebreaks
-            max_width = min((line.endswith('\n') and width + 1 or width), width)
-            while len(line) > max_width:
-                space = line[:max_width + 1].rfind(' ') + 1
-                if space == 0:
-                    space = line.find(' ') + 1
-                    if space == 0:
-                        yield line
-                        line = ''
-                        break
-                yield '%s\n' % line[:space - 1]
-                line = line[space:]
-                max_width = min((line.endswith('\n') and width + 1 or width), width)
-            if line:
-                yield line
-    return ''.join(_generator())
-
+    wrapper = textwrap.TextWrapper(
+        width=width,
+        break_long_words=False,
+        break_on_hyphens=False,
+    )
+    result = []
+    for line in text.splitlines(True):
+        result.extend(wrapper.wrap(line))
+    return "\n".join(result)
 
 class Truncator(SimpleLazyObject):
     """
diff --git a/docs/releases/2.2.27.txt b/docs/releases/2.2.27.txt
index 688a482..f34bef8 100644
--- a/docs/releases/2.2.27.txt
+++ b/docs/releases/2.2.27.txt
@@ -4,7 +4,13 @@ Django 2.2.27 release notes
 
 *February 1, 2022*
 
-Django 2.2.27 fixes two security issues with severity "medium" in 2.2.26.
+Django 2.2.27 fixes three security issues with severity "medium" in 2.2.26.
+
+CVE-2025-26699: Potential denial-of-service vulnerability in ``django.utils.text.wrap()``
+=========================================================================================
+
+The ``wrap()`` and :tfilter:`wordwrap` template filter were subject to a
+potential denial-of-service attack when used with very long strings.
 
 CVE-2022-22818: Possible XSS via ``{% debug %}`` template tag
 =============================================================
diff --git a/tests/template_tests/filter_tests/test_wordwrap.py b/tests/template_tests/filter_tests/test_wordwrap.py
index 02f8605..f61842c 100644
--- a/tests/template_tests/filter_tests/test_wordwrap.py
+++ b/tests/template_tests/filter_tests/test_wordwrap.py
@@ -51,3 +51,14 @@ class FunctionTests(SimpleTestCase):
             ), 14),
             'this is a long\nparagraph of\ntext that\nreally needs\nto be wrapped\nI\'m afraid',
         )
+
+    def test_wrap_long_text(self):
+        long_text = (
+            "this is a long paragraph of text that really needs"
+            " to be wrapped I'm afraid " * 20_000
+        )
+        self.assertIn(
+            "this is a\nlong\nparagraph\nof text\nthat\nreally\nneeds to\nbe wrapped\n"
+            "I'm afraid",
+            wordwrap(long_text, 10),
+        )
-- 
2.46.0