aboutsummaryrefslogtreecommitdiffstats
path: root/meta-python/recipes-devtools/python/python3-django/CVE-2023-46695.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta-python/recipes-devtools/python/python3-django/CVE-2023-46695.patch')
-rw-r--r--meta-python/recipes-devtools/python/python3-django/CVE-2023-46695.patch90
1 files changed, 90 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2023-46695.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2023-46695.patch
new file mode 100644
index 0000000000..b7dda41f8f
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-django/CVE-2023-46695.patch
@@ -0,0 +1,90 @@
+From 32bc7fa517be1d50239827520cc13f3112d3d748 Mon Sep 17 00:00:00 2001
+From: Mariusz Felisiak <felisiak.mariusz@gmail.com>
+Date: Wed, 29 Nov 2023 12:49:41 +0000
+Subject: [PATCH 2/2] Fixed CVE-2023-46695 -- Fixed potential DoS in
+ UsernameField on Windows.
+
+Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
+
+CVE: CVE-2023-46695
+
+Upstream-Status: Backport [https://github.com/django/django/commit/f9a7fb8466a7ba4857eaf930099b5258f3eafb2b]
+
+Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
+---
+ django/contrib/auth/forms.py | 10 +++++++++-
+ docs/releases/2.2.28.txt | 14 ++++++++++++++
+ tests/auth_tests/test_forms.py | 8 +++++++-
+ 3 files changed, 30 insertions(+), 2 deletions(-)
+
+diff --git a/django/contrib/auth/forms.py b/django/contrib/auth/forms.py
+index e6f73fe..26d3ca7 100644
+--- a/django/contrib/auth/forms.py
++++ b/django/contrib/auth/forms.py
+@@ -68,7 +68,15 @@ class ReadOnlyPasswordHashField(forms.Field):
+
+ class UsernameField(forms.CharField):
+ def to_python(self, value):
+- return unicodedata.normalize('NFKC', super().to_python(value))
++ value = super().to_python(value)
++ if self.max_length is not None and len(value) > self.max_length:
++ # Normalization can increase the string length (e.g.
++ # "ff" -> "ff", "½" -> "1⁄2") but cannot reduce it, so there is no
++ # point in normalizing invalid data. Moreover, Unicode
++ # normalization is very slow on Windows and can be a DoS attack
++ # vector.
++ return value
++ return unicodedata.normalize("NFKC", value)
+
+
+ class UserCreationForm(forms.ModelForm):
+diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt
+index 6a38e9c..c653cb6 100644
+--- a/docs/releases/2.2.28.txt
++++ b/docs/releases/2.2.28.txt
+@@ -76,3 +76,17 @@ filters, which were thus also vulnerable.
+ The input processed by ``Truncator``, when operating in HTML mode, has been
+ limited to the first five million characters in order to avoid potential
+ performance and memory issues.
++
++Backporting the CVE-2023-46695 fix on Django 2.2.28.
++
++CVE-2023-46695: Potential denial of service vulnerability in ``UsernameField`` on Windows
++=========================================================================================
++
++The :func:`NFKC normalization <python:unicodedata.normalize>` is slow on
++Windows. As a consequence, ``django.contrib.auth.forms.UsernameField`` was
++subject to a potential denial of service attack via certain inputs with a very
++large number of Unicode characters.
++
++In order to avoid the vulnerability, invalid values longer than
++``UsernameField.max_length`` are no longer normalized, since they cannot pass
++validation anyway.
+diff --git a/tests/auth_tests/test_forms.py b/tests/auth_tests/test_forms.py
+index bed23af..e73d4b8 100644
+--- a/tests/auth_tests/test_forms.py
++++ b/tests/auth_tests/test_forms.py
+@@ -6,7 +6,7 @@ from django import forms
+ from django.contrib.auth.forms import (
+ AdminPasswordChangeForm, AuthenticationForm, PasswordChangeForm,
+ PasswordResetForm, ReadOnlyPasswordHashField, ReadOnlyPasswordHashWidget,
+- SetPasswordForm, UserChangeForm, UserCreationForm,
++ SetPasswordForm, UserChangeForm, UserCreationForm, UsernameField,
+ )
+ from django.contrib.auth.models import User
+ from django.contrib.auth.signals import user_login_failed
+@@ -132,6 +132,12 @@ class UserCreationFormTest(TestDataMixin, TestCase):
+ self.assertNotEqual(user.username, ohm_username)
+ self.assertEqual(user.username, 'testΩ') # U+03A9 GREEK CAPITAL LETTER OMEGA
+
++ def test_invalid_username_no_normalize(self):
++ field = UsernameField(max_length=254)
++ # Usernames are not normalized if they are too long.
++ self.assertEqual(field.to_python("½" * 255), "½" * 255)
++ self.assertEqual(field.to_python("ff" * 254), "ff" * 254)
++
+ def test_duplicate_normalized_unicode(self):
+ """
+ To prevent almost identical usernames, visually identical but differing
+--
+2.40.0
generated by cgit 1.2.3-korg (git 2.39.0) at 2024-05-01 00:31:43 +0000