From 1c322af085b99fc44071080076e037444437aae3 Mon Sep 17 00:00:00 2001 From: starlet-dx <15929766099@163.com> Date: Tue, 5 Mar 2024 15:27:21 +0800 Subject: [PATCH] Fix CVE-2024-27351 --- CVE-2024-27351.patch | 122 +++++++++++++++++++++++++++++++++++++++++++ python-django.spec | 7 ++- 2 files changed, 128 insertions(+), 1 deletion(-) create mode 100644 CVE-2024-27351.patch diff --git a/CVE-2024-27351.patch b/CVE-2024-27351.patch new file mode 100644 index 0000000..d669808 --- /dev/null +++ b/CVE-2024-27351.patch @@ -0,0 +1,122 @@ +From 3c9a2771cc80821e041b16eb36c1c37af5349d4a Mon Sep 17 00:00:00 2001 +From: Shai Berger +Date: Mon, 19 Feb 2024 13:56:37 +0100 +Subject: [PATCH] [4.2.x] Fixed CVE-2024-27351 -- Prevented potential ReDoS in + Truncator.words(). + +Thanks Seokchan Yoon for the report. + +Co-Authored-By: Mariusz Felisiak +--- + django/utils/text.py | 57 ++++++++++++++++++++++++++++++++-- + tests/utils_tests/test_text.py | 26 ++++++++++++++++ + 2 files changed, 81 insertions(+), 2 deletions(-) + +diff --git a/django/utils/text.py b/django/utils/text.py +index 2663164..e1b835e 100644 +--- a/django/utils/text.py ++++ b/django/utils/text.py +@@ -23,8 +23,61 @@ def capfirst(x): + return x[0].upper() + x[1:] + + +-# Set up regular expressions +-re_words = _lazy_re_compile(r"<[^>]+?>|([^<>\s]+)", re.S) ++# ----- Begin security-related performance workaround ----- ++ ++# We used to have, below ++# ++# re_words = _lazy_re_compile(r"<[^>]+?>|([^<>\s]+)", re.S) ++# ++# But it was shown that this regex, in the way we use it here, has some ++# catastrophic edge-case performance features. Namely, when it is applied to ++# text with only open brackets "<<<...". The class below provides the services ++# and correct answers for the use cases, but in these edge cases does it much ++# faster. ++re_notag = _lazy_re_compile(r"([^<>\s]+)", re.S) ++re_prt = _lazy_re_compile(r"<|([^<>\s]+)", re.S) ++ ++ ++class WordsRegex: ++ @staticmethod ++ def search(text, pos): ++ # Look for "<" or a non-tag word. ++ partial = re_prt.search(text, pos) ++ if partial is None or partial[1] is not None: ++ return partial ++ ++ # "<" was found, look for a closing ">". ++ end = text.find(">", partial.end(0)) ++ if end < 0: ++ # ">" cannot be found, look for a word. ++ return re_notag.search(text, pos + 1) ++ else: ++ # "<" followed by a ">" was found -- fake a match. ++ end += 1 ++ return FakeMatch(text[partial.start(0) : end], end) ++ ++ ++class FakeMatch: ++ __slots__ = ["_text", "_end"] ++ ++ def end(self, group=0): ++ assert group == 0, "This specific object takes only group=0" ++ return self._end ++ ++ def __getitem__(self, group): ++ if group == 1: ++ return None ++ assert group == 0, "This specific object takes only group in {0,1}" ++ return self._text ++ ++ def __init__(self, text, end): ++ self._text, self._end = text, end ++ ++ ++# ----- End security-related performance workaround ----- ++ ++# Set up regular expressions. ++re_words = WordsRegex + re_chars = _lazy_re_compile(r"<[^>]+?>|(.)", re.S) + re_tag = _lazy_re_compile(r"<(/)?(\S+?)(?:(\s*/)|\s.*?)?>", re.S) + re_newlines = _lazy_re_compile(r"\r\n|\r") # Used in normalize_newlines +diff --git a/tests/utils_tests/test_text.py b/tests/utils_tests/test_text.py +index 7d20445..d1890e7 100644 +--- a/tests/utils_tests/test_text.py ++++ b/tests/utils_tests/test_text.py +@@ -183,6 +183,32 @@ class TestUtilsText(SimpleTestCase): + truncator = text.Truncator("

I <3 python, what about you?

") + self.assertEqual("

I <3 python,…

", truncator.words(3, html=True)) + ++ # Only open brackets. ++ test = "<" * 60_000 ++ truncator = text.Truncator(test) ++ self.assertEqual(truncator.words(1, html=True), test) ++ ++ # Tags with special chars in attrs. ++ truncator = text.Truncator( ++ """Hello, my dear lady!""" ++ ) ++ self.assertEqual( ++ """Hello, my dear…""", ++ truncator.words(3, html=True), ++ ) ++ ++ # Tags with special non-latin chars in attrs. ++ truncator = text.Truncator("""

Hello, my dear lady!

""") ++ self.assertEqual( ++ """

Hello, my dear…

""", ++ truncator.words(3, html=True), ++ ) ++ ++ # Misplaced brackets. ++ truncator = text.Truncator("hello >< world") ++ self.assertEqual(truncator.words(1, html=True), "hello…") ++ self.assertEqual(truncator.words(2, html=True), "hello >< world") ++ + @patch("django.utils.text.Truncator.MAX_LENGTH_HTML", 10_000) + def test_truncate_words_html_size_limit(self): + max_len = text.Truncator.MAX_LENGTH_HTML +-- +2.33.0 + diff --git a/python-django.spec b/python-django.spec index 63bad5f..6c210ae 100644 --- a/python-django.spec +++ b/python-django.spec @@ -1,7 +1,7 @@ %global _empty_manifest_terminate_build 0 Name: python-django Version: 4.2.3 -Release: 6 +Release: 7 Summary: A high-level Python Web framework that encourages rapid development and clean, pragmatic design. License: Apache-2.0 and Python-2.0 and BSD-3-Clause URL: https://www.djangoproject.com/ @@ -13,6 +13,8 @@ Patch1: CVE-2023-43665.patch Patch2: CVE-2023-46695.patch # https://github.com/django/django/commit/572ea07e84b38ea8de0551f4b4eda685d91d09d2 Patch3: CVE-2024-24680.patch +# https://github.com/django/django/commit/3c9a2771cc80821e041b16eb36c1c37af5349d4a +Patch4: CVE-2024-27351.patch BuildArch: noarch %description @@ -79,6 +81,9 @@ mv %{buildroot}/doclist.lst . %{_docdir}/* %changelog +* Tue Mar 05 2024 yaoxin - 4.2.3-7 +- Fix CVE-2024-27351 + * Wed Feb 07 2024 yaoxin - 4.2.3-6 - Fix CVE-2024-24680