diff options
Diffstat (limited to 'meta-python/recipes-devtools/python/python3-django/CVE-2023-41164.patch')
| -rw-r--r-- | meta-python/recipes-devtools/python/python3-django/CVE-2023-41164.patch | 105 |
1 files changed, 105 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2023-41164.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2023-41164.patch new file mode 100644 index 0000000000..9bc38b0cca --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django/CVE-2023-41164.patch @@ -0,0 +1,105 @@ +From 9c95e8fec62153f8dfcc45a70b8a68d74333a66f Mon Sep 17 00:00:00 2001 +From: Mariusz Felisiak <felisiak.mariusz@gmail.com> +Date: Tue, 26 Sep 2023 10:23:30 +0000 +Subject: [PATCH] Fixed CVE-2023-41164 -- Fixed potential DoS in + django.utils.encoding.uri_to_iri(). + +Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report. + +Co-authored-by: nessita <124304+nessita@users.noreply.github.com> + +CVE: CVE-2023-41164 + +Upstream-Status: Backport [https://github.com/django/django/commit/3f41d6d62929dfe53eda8109b3b836f26645bdce] + +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> +--- + django/utils/encoding.py | 6 ++++-- + docs/releases/2.2.28.txt | 9 +++++++++ + tests/utils_tests/test_encoding.py | 21 ++++++++++++++++++++- + 3 files changed, 33 insertions(+), 3 deletions(-) + +diff --git a/django/utils/encoding.py b/django/utils/encoding.py +index 98da647..3769702 100644 +--- a/django/utils/encoding.py ++++ b/django/utils/encoding.py +@@ -225,6 +225,7 @@ def repercent_broken_unicode(path): + repercent-encode any octet produced that is not part of a strictly legal + UTF-8 octet sequence. + """ ++ changed_parts = [] + while True: + try: + path.decode() +@@ -232,9 +233,10 @@ def repercent_broken_unicode(path): + # CVE-2019-14235: A recursion shouldn't be used since the exception + # handling uses massive amounts of memory + repercent = quote(path[e.start:e.end], safe=b"/#%[]=:;$&()+,!?*@'~") +- path = path[:e.start] + force_bytes(repercent) + path[e.end:] ++ changed_parts.append(path[: e.start] + repercent.encode()) ++ path = path[e.end :] + else: +- return path ++ return b"".join(changed_parts) + path + + + def filepath_to_uri(path): +diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt +index ab4884b..40eb230 100644 +--- a/docs/releases/2.2.28.txt ++++ b/docs/releases/2.2.28.txt +@@ -47,3 +47,12 @@ CVE-2023-36053: Potential regular expression denial of service vulnerability in + ``EmailValidator`` and ``URLValidator`` were subject to potential regular + expression denial of service attack via a very large number of domain name + labels of emails and URLs. ++ ++Backporting the CVE-2023-41164 fix on Django 2.2.28. ++ ++CVE-2023-41164: Potential denial of service vulnerability in ``django.utils.encoding.uri_to_iri()`` ++=================================================================================================== ++ ++``django.utils.encoding.uri_to_iri()`` was subject to potential denial of ++service attack via certain inputs with a very large number of Unicode ++characters. +diff --git a/tests/utils_tests/test_encoding.py b/tests/utils_tests/test_encoding.py +index ea7ba5f..93a3162 100644 +--- a/tests/utils_tests/test_encoding.py ++++ b/tests/utils_tests/test_encoding.py +@@ -1,8 +1,9 @@ + import datetime ++import inspect + import sys + import unittest + from unittest import mock +-from urllib.parse import quote_plus ++from urllib.parse import quote, quote_plus + + from django.test import SimpleTestCase + from django.utils.encoding import ( +@@ -100,6 +101,24 @@ class TestEncodingUtils(SimpleTestCase): + except RecursionError: + self.fail('Unexpected RecursionError raised.') + ++ def test_repercent_broken_unicode_small_fragments(self): ++ data = b"test\xfctest\xfctest\xfc" ++ decoded_paths = [] ++ ++ def mock_quote(*args, **kwargs): ++ # The second frame is the call to repercent_broken_unicode(). ++ decoded_paths.append(inspect.currentframe().f_back.f_locals["path"]) ++ return quote(*args, **kwargs) ++ ++ with mock.patch("django.utils.encoding.quote", mock_quote): ++ self.assertEqual(repercent_broken_unicode(data), b"test%FCtest%FCtest%FC") ++ ++ # decode() is called on smaller fragment of the path each time. ++ self.assertEqual( ++ decoded_paths, ++ [b"test\xfctest\xfctest\xfc", b"test\xfctest\xfc", b"test\xfc"], ++ ) ++ + + class TestRFC3987IEncodingUtils(unittest.TestCase): + +-- +2.40.0 |