From ab015f6eb5b99a1b3de71c1cfb0f4df2efc086bb Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Sun, 8 Oct 2023 11:18:39 +0800
Subject: [PATCH] Fix CVE-2023-43665
---
 CVE-2023-43665.patch | 167 +++++++++++++++++++++++++++++++++++++++++++
 python-django.spec | 7 +-
 2 files changed, 173 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2023-43665.patch
diff --git a/CVE-2023-43665.patch b/CVE-2023-43665.patch
new file mode 100644
index 0000000..1e1270a
--- /dev/null
+++ b/CVE-2023-43665.patch
@@ -0,0 +1,167 @@
+From be9c27c4d18c2e6a5be8af4e53c0797440794473 Mon Sep 17 00:00:00 2001
+From: Natalia <124304+nessita@users.noreply.github.com>
+Date: Tue, 19 Sep 2023 09:51:48 -0300
+Subject: [PATCH] [4.2.x] Fixed CVE-2023-43665 -- Mitigated potential DoS in
+ django.utils.text.Truncator when truncating HTML text.
+
+Thanks Wenchao Li of Alibaba Group for the report.
+
+Origin:
+https://github.com/django/django/commit/be9c27c4d18c2e6a5be8af4e53c0797440794473
+---
+ django/utils/text.py | 17 ++++++++++++++++-
+ docs/ref/templates/builtins.txt | 20 ++++++++++++++++++++
+ tests/utils_tests/test_text.py | 33 +++++++++++++++++++++++++--------
+ 3 files changed, 61 insertions(+), 9 deletions(-)
+
+diff --git a/django/utils/text.py b/django/utils/text.py
+index 86d3b52..2663164 100644
+--- a/django/utils/text.py
++++ b/django/utils/text.py
+@@ -67,8 +67,14 @@ def wrap(text, width):
+ class Truncator(SimpleLazyObject):
+ """
+ An object used to truncate text, either by characters or words.
++
++ When truncating HTML text (either chars or words), input will be limited to
++ at most `MAX_LENGTH_HTML` characters.
+ """
+
++ # 5 million characters are approximately 4000 text pages or 3 web pages.
++ MAX_LENGTH_HTML = 5_000_000
++
+ def __init__(self, text):
+ super().__init__(lambda: str(text))
+
+@@ -164,6 +170,11 @@ class Truncator(SimpleLazyObject):
+ if words and length <= 0:
+ return ""
+
++ size_limited = False
++ if len(text) > self.MAX_LENGTH_HTML:
++ text = text[: self.MAX_LENGTH_HTML]
++ size_limited = True
++
+ html4_singlets = (
+ "br",
+ "col",
+@@ -220,10 +231,14 @@ class Truncator(SimpleLazyObject):
+ # Add it to the start of the open tags list
+ open_tags.insert(0, tagname)
+
++ truncate_text = self.add_truncation_text("", truncate)
++
+ if current_len <= length:
++ if size_limited and truncate_text:
++ text += truncate_text
+ return text
++
+ out = text[:end_text_pos]
+- truncate_text = self.add_truncation_text("", truncate)
+ if truncate_text:
+ out += truncate_text
+ # Close any tags still open
+diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt
+index bee7807..02d6431 100644
+--- a/docs/ref/templates/builtins.txt
++++ b/docs/ref/templates/builtins.txt
+@@ -2651,6 +2651,16 @@ If ``value`` is ``"
Joel is a slug
"``, the output will be
+
+ Newlines in the HTML content will be preserved.
+
++.. admonition:: Size of input string
++
++ Processing large, potentially malformed HTML strings can be
++ resource-intensive and impact service performance. ``truncatechars_html``
++ limits input to the first five million characters.
++
++.. versionchanged:: 3.2.22
++
++ In older versions, strings over five million characters were processed.
++
+ .. templatefilter:: truncatewords
+
+ ``truncatewords``
+@@ -2693,6 +2703,16 @@ If ``value`` is ``"Joel is a slug
"``, the output will be
+
+ Newlines in the HTML content will be preserved.
+
++.. admonition:: Size of input string
++
++ Processing large, potentially malformed HTML strings can be
++ resource-intensive and impact service performance. ``truncatewords_html``
++ limits input to the first five million characters.
++
++.. versionchanged:: 3.2.22
++
++ In older versions, strings over five million characters were processed.
++
+ .. templatefilter:: unordered_list
+
+ ``unordered_list``
+diff --git a/tests/utils_tests/test_text.py b/tests/utils_tests/test_text.py
+index cb2959f..7d20445 100644
+--- a/tests/utils_tests/test_text.py
++++ b/tests/utils_tests/test_text.py
+@@ -1,5 +1,6 @@
+ import json
+ import sys
++from unittest.mock import patch
+
+ from django.core.exceptions import SuspiciousFileOperation
+ from django.test import SimpleTestCase
+@@ -94,11 +95,17 @@ class TestUtilsText(SimpleTestCase):
+ text.Truncator(lazystr("The quick brown fox")).chars(10), "The quick…"
+ )
+
+- def test_truncate_chars_html(self):
++ @patch("django.utils.text.Truncator.MAX_LENGTH_HTML", 10_000)
++ def test_truncate_chars_html_size_limit(self):
++ max_len = text.Truncator.MAX_LENGTH_HTML
++ bigger_len = text.Truncator.MAX_LENGTH_HTML + 1
++ valid_html = "Joel is a slug
" # 14 chars + perf_test_values = [ +- (("", None), +- ("&" * 50000, "&" * 9 + "…"), ++ ("", None), ++ ("", "", None), ++ (valid_html * bigger_len, "Joel is a…
"), # 10 chars
+ ]
+ for value, expected in perf_test_values:
+ with self.subTest(value=value):
+@@ -176,15 +183,25 @@ class TestUtilsText(SimpleTestCase):
+ truncator = text.Truncator("I <3 python, what about you?
")
+ self.assertEqual("I <3 python,…
", truncator.words(3, html=True))
+
++ @patch("django.utils.text.Truncator.MAX_LENGTH_HTML", 10_000)
++ def test_truncate_words_html_size_limit(self):
++ max_len = text.Truncator.MAX_LENGTH_HTML
++ bigger_len = text.Truncator.MAX_LENGTH_HTML + 1
++ valid_html = "Joel is a slug
" # 4 words + perf_test_values = [ +- ("", +- "&" * 50000, +- "_X<<<<<<<<<<<>", ++ ("", None), ++ ("", "", None), ++ (valid_html * bigger_len, valid_html * 12 + "Joel is…
"), # 50 words
+ ]
+- for value in perf_test_values:
++ for value, expected in perf_test_values:
+ with self.subTest(value=value):
+ truncator = text.Truncator(value)
+- self.assertEqual(value, truncator.words(50, html=True))
++ self.assertEqual(
++ expected if expected else value, truncator.words(50, html=True)
++ )
+
+ def test_wrap(self):
+ digits = "1234 67 9"
+--
+2.30.0
+
diff --git a/python-django.spec b/python-django.spec
index 56be6b6..b7eef5f 100644
--- a/python-django.spec
+++ b/python-django.spec
@@ -1,12 +1,14 @@
 %global _empty_manifest_terminate_build 0
 Name: python-django
 Version: 4.2.3
-Release: 2
+Release: 3
 Summary: A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
 License: Apache-2.0 and Python-2.0 and BSD-3-Clause
 URL: https://www.djangoproject.com/
 Source0: https://files.pythonhosted.org/packages/36/24/d0e78e667f98efcca76c8b670ef247583349a8f5241cdb3c98eeb92726ff/Django-4.2.3.tar.gz
 Patch0: CVE-2023-41164.patch
+# https://github.com/django/django/commit/be9c27c4d18c2e6a5be8af4e53c0797440794473
+Patch1: CVE-2023-43665.patch
 BuildArch: noarch
 %description
@@ -73,6 +75,9 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*
 %changelog
+* Sun Oct 08 2023 yaoxin
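Review bot: In the django/utils/text.py hunk `@@ -220,10 +231,14 @@` embedded in the new CVE-2023-43665.patch, the added `if size_limited and truncate_text: text += truncate_text` branch returns the input that was cut at `MAX_LENGTH_HTML` without closing anything left in `open_tags`, so when the cut text still fits within `length` the result can be unbalanced HTML (the slice `text[: self.MAX_LENGTH_HTML]` from hunk `@@ -164,6 +170,11 @@` cuts at an arbitrary character, possibly inside a tag), whereas the `out` path a few lines below does run the `# Close any tags still open` loop. Whether `open_tags` is complete for this case depends on the counting loop, which starts outside the hunk, so that should be confirmed before relying on it. One fix is to route the size-limited case through the same marker-and-close code instead of returning early, as sketched below. The enclosing method begins and ends outside the hunk.
```python
        truncate_text = self.add_truncation_text("", truncate)

        if current_len <= length and not size_limited:
            return text
        # Either the text exceeded `length`, or it was cut at MAX_LENGTH_HTML;
        # in both cases append the truncation marker and close open tags.
        out = text if current_len <= length else text[:end_text_pos]
        if truncate_text:
            out += truncate_text
        # … unchanged: close any tags still open, return out …
```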