Fix CVE-2023-41164

2023-09-14 14:38:28 +08:00 · 2023-09-14 14:38:28 +08:00 · 41475a8608
commit 41475a8608
parent 2bb136248f
2 changed files with 90 additions and 1 deletions
--- a/CVE-2023-41164.patch
+++ b/CVE-2023-41164.patch
@ -0,0 +1,85 @@
+From 9c51b4dcfa0cefcb48231f4d71cafa80821f87b9 Mon Sep 17 00:00:00 2001
+From: Mariusz Felisiak <felisiak.mariusz@gmail.com>
+Date: Tue, 22 Aug 2023 08:53:03 +0200
+Subject: [PATCH] [4.2.x] Fixed CVE-2023-41164 -- Fixed potential DoS in
+ django.utils.encoding.uri_to_iri().
+
+Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
+
+Origin: https://github.com/django/django/commit/9c51b4dcfa0cefcb48231f4d71cafa80821f87b9
+
+Co-authored-by: nessita <124304+nessita@users.noreply.github.com>
+---
+ django/utils/encoding.py           |  6 ++++--
+ docs/releases/3.2.21.txt           |  7 ++++++-
+ docs/releases/4.1.11.txt           |  7 ++++++-
+ docs/releases/4.2.5.txt            |  7 +++++++
+ tests/utils_tests/test_encoding.py | 21 ++++++++++++++++++++-
+ 5 files changed, 43 insertions(+), 5 deletions(-)
+
+diff --git a/django/utils/encoding.py b/django/utils/encoding.py
+index 43847b538510..23473930fd96 100644
+--- a/django/utils/encoding.py
+++ b/django/utils/encoding.py
+@@ -219,6 +219,7 @@ def repercent_broken_unicode(path):
+     repercent-encode any octet produced that is not part of a strictly legal
+     UTF-8 octet sequence.
+     """
+    changed_parts = []
+     while True:
+         try:
+             path.decode()
+@@ -226,9 +227,10 @@ def repercent_broken_unicode(path):
+             # CVE-2019-14235: A recursion shouldn't be used since the exception
+             # handling uses massive amounts of memory
+             repercent = quote(path[e.start : e.end], safe=b"/#%[]=:;$&()+,!?*@'~")
+-            path = path[: e.start] + repercent.encode() + path[e.end :]
+            changed_parts.append(path[: e.start] + repercent.encode())
+            path = path[e.end :]
+         else:
+-            return path
+            return b"".join(changed_parts) + path
+ 
+ 
+ def filepath_to_uri(path):
+diff --git a/tests/utils_tests/test_encoding.py b/tests/utils_tests/test_encoding.py
+index 6dea260b841b..2b52b1607c97 100644
+--- a/tests/utils_tests/test_encoding.py
+++ b/tests/utils_tests/test_encoding.py
+@@ -1,9 +1,10 @@
+ import datetime
+import inspect
+ import sys
+ import unittest
+ from pathlib import Path
+ from unittest import mock
+-from urllib.parse import quote_plus
+from urllib.parse import quote, quote_plus
+ 
+ from django.test import SimpleTestCase
+ from django.utils.encoding import (
+@@ -120,6 +121,24 @@ def test_repercent_broken_unicode_recursion_error(self):
+         except RecursionError:
+             self.fail("Unexpected RecursionError raised.")
+ 
+    def test_repercent_broken_unicode_small_fragments(self):
+        data = b"test\xfctest\xfctest\xfc"
+        decoded_paths = []
+
+        def mock_quote(*args, **kwargs):
+            # The second frame is the call to repercent_broken_unicode().
+            decoded_paths.append(inspect.currentframe().f_back.f_locals["path"])
+            return quote(*args, **kwargs)
+
+        with mock.patch("django.utils.encoding.quote", mock_quote):
+            self.assertEqual(repercent_broken_unicode(data), b"test%FCtest%FCtest%FC")
+
+        # decode() is called on smaller fragment of the path each time.
+        self.assertEqual(
+            decoded_paths,
+            [b"test\xfctest\xfctest\xfc", b"test\xfctest\xfc", b"test\xfc"],
+        )
+
+ 
+ class TestRFC3987IEncodingUtils(unittest.TestCase):
+     def test_filepath_to_uri(self):
--- a/python-django.spec
+++ b/python-django.spec
@ -1,11 +1,12 @@
 %global _empty_manifest_terminate_build 0
 Name:		python-django
 Version:	4.2.3
-Release:	1
+Release:	2
 Summary:	A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
 License:	Apache-2.0 and Python-2.0 and BSD-3-Clause
 URL:		https://www.djangoproject.com/
 Source0:        https://files.pythonhosted.org/packages/36/24/d0e78e667f98efcca76c8b670ef247583349a8f5241cdb3c98eeb92726ff/Django-4.2.3.tar.gz
+Patch0:         CVE-2023-41164.patch

 BuildArch:	noarch
 %description
@ -72,6 +73,9 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*

 %changelog
+* Thu Sep 14 2023 wangkai <13474090681@163.com> - 4.2.3-2
+- Fix CVE-2023-41164
+
 * Tue Jul 11 2023 chenzixuan <chenzixuan@kylinos.cn> - 4.2.3-1
 - Update to 4.2.3