Fix CVE-2024-27351

2024-03-05 15:27:21 +08:00 · 2024-03-05 15:27:21 +08:00 · 1c322af085
commit 1c322af085
parent e65da064a4
2 changed files with 128 additions and 1 deletions
--- a/CVE-2024-27351.patch
+++ b/CVE-2024-27351.patch
@ -0,0 +1,122 @@
+From 3c9a2771cc80821e041b16eb36c1c37af5349d4a Mon Sep 17 00:00:00 2001
+From: Shai Berger <shai@platonix.com>
+Date: Mon, 19 Feb 2024 13:56:37 +0100
+Subject: [PATCH] [4.2.x] Fixed CVE-2024-27351 -- Prevented potential ReDoS in
+ Truncator.words().
+
+Thanks Seokchan Yoon for the report.
+
+Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
+---
+ django/utils/text.py           | 57 ++++++++++++++++++++++++++++++++--
+ tests/utils_tests/test_text.py | 26 ++++++++++++++++
+ 2 files changed, 81 insertions(+), 2 deletions(-)
+
+diff --git a/django/utils/text.py b/django/utils/text.py
+index 2663164..e1b835e 100644
+--- a/django/utils/text.py
+++ b/django/utils/text.py
+@@ -23,8 +23,61 @@ def capfirst(x):
+     return x[0].upper() + x[1:]
+ 
+ 
+-# Set up regular expressions
+-re_words = _lazy_re_compile(r"<[^>]+?>|([^<>\s]+)", re.S)
+# ----- Begin security-related performance workaround -----
+
+# We used to have, below
+#
+# re_words = _lazy_re_compile(r"<[^>]+?>|([^<>\s]+)", re.S)
+#
+# But it was shown that this regex, in the way we use it here, has some
+# catastrophic edge-case performance features. Namely, when it is applied to
+# text with only open brackets "<<<...". The class below provides the services
+# and correct answers for the use cases, but in these edge cases does it much
+# faster.
+re_notag = _lazy_re_compile(r"([^<>\s]+)", re.S)
+re_prt = _lazy_re_compile(r"<|([^<>\s]+)", re.S)
+
+
+class WordsRegex:
+    @staticmethod
+    def search(text, pos):
+        # Look for "<" or a non-tag word.
+        partial = re_prt.search(text, pos)
+        if partial is None or partial[1] is not None:
+            return partial
+
+        # "<" was found, look for a closing ">".
+        end = text.find(">", partial.end(0))
+        if end < 0:
+            # ">" cannot be found, look for a word.
+            return re_notag.search(text, pos + 1)
+        else:
+            # "<" followed by a ">" was found -- fake a match.
+            end += 1
+            return FakeMatch(text[partial.start(0) : end], end)
+
+
+class FakeMatch:
+    __slots__ = ["_text", "_end"]
+
+    def end(self, group=0):
+        assert group == 0, "This specific object takes only group=0"
+        return self._end
+
+    def __getitem__(self, group):
+        if group == 1:
+            return None
+        assert group == 0, "This specific object takes only group in {0,1}"
+        return self._text
+
+    def __init__(self, text, end):
+        self._text, self._end = text, end
+
+
+# ----- End security-related performance workaround -----
+
+# Set up regular expressions.
+re_words = WordsRegex
+ re_chars = _lazy_re_compile(r"<[^>]+?>|(.)", re.S)
+ re_tag = _lazy_re_compile(r"<(/)?(\S+?)(?:(\s*/)|\s.*?)?>", re.S)
+ re_newlines = _lazy_re_compile(r"\r\n|\r")  # Used in normalize_newlines
+diff --git a/tests/utils_tests/test_text.py b/tests/utils_tests/test_text.py
+index 7d20445..d1890e7 100644
+--- a/tests/utils_tests/test_text.py
+++ b/tests/utils_tests/test_text.py
+@@ -183,6 +183,32 @@ class TestUtilsText(SimpleTestCase):
+         truncator = text.Truncator("<p>I &lt;3 python, what about you?</p>")
+         self.assertEqual("<p>I &lt;3 python,…</p>", truncator.words(3, html=True))
+ 
+        # Only open brackets.
+        test = "<" * 60_000
+        truncator = text.Truncator(test)
+        self.assertEqual(truncator.words(1, html=True), test)
+
+        # Tags with special chars in attrs.
+        truncator = text.Truncator(
+            """<i style="margin: 5%; font: *;">Hello, my dear lady!</i>"""
+        )
+        self.assertEqual(
+            """<i style="margin: 5%; font: *;">Hello, my dear…</i>""",
+            truncator.words(3, html=True),
+        )
+
+        # Tags with special non-latin chars in attrs.
+        truncator = text.Truncator("""<p data-x="א">Hello, my dear lady!</p>""")
+        self.assertEqual(
+            """<p data-x="א">Hello, my dear…</p>""",
+            truncator.words(3, html=True),
+        )
+
+        # Misplaced brackets.
+        truncator = text.Truncator("hello >< world")
+        self.assertEqual(truncator.words(1, html=True), "hello…")
+        self.assertEqual(truncator.words(2, html=True), "hello >< world")
+
+     @patch("django.utils.text.Truncator.MAX_LENGTH_HTML", 10_000)
+     def test_truncate_words_html_size_limit(self):
+         max_len = text.Truncator.MAX_LENGTH_HTML
+-- 
+2.33.0
+
--- a/python-django.spec
+++ b/python-django.spec
@ -1,7 +1,7 @@
 %global _empty_manifest_terminate_build 0
 Name:		python-django
 Version:	4.2.3
-Release:	6
+Release:	7
 Summary:	A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
 License:	Apache-2.0 and Python-2.0 and BSD-3-Clause
 URL:		https://www.djangoproject.com/
@ -13,6 +13,8 @@ Patch1:         CVE-2023-43665.patch
 Patch2:         CVE-2023-46695.patch
 # https://github.com/django/django/commit/572ea07e84b38ea8de0551f4b4eda685d91d09d2
 Patch3:         CVE-2024-24680.patch
+# https://github.com/django/django/commit/3c9a2771cc80821e041b16eb36c1c37af5349d4a
+Patch4:         CVE-2024-27351.patch

 BuildArch:	noarch
 %description
@ -79,6 +81,9 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*

 %changelog
+* Tue Mar 05 2024 yaoxin <yao_xin001@hoperun.com> - 4.2.3-7
+- Fix CVE-2024-27351
+
 * Wed Feb 07 2024 yaoxin <yao_xin001@hoperun.com> - 4.2.3-6
 - Fix CVE-2024-24680