diff --git a/CVE-2023-41164.patch b/CVE-2023-41164.patch new file mode 100644 index 0000000..f0071a3 --- /dev/null +++ b/CVE-2023-41164.patch @@ -0,0 +1,85 @@ +From 9c51b4dcfa0cefcb48231f4d71cafa80821f87b9 Mon Sep 17 00:00:00 2001 +From: Mariusz Felisiak +Date: Tue, 22 Aug 2023 08:53:03 +0200 +Subject: [PATCH] [4.2.x] Fixed CVE-2023-41164 -- Fixed potential DoS in + django.utils.encoding.uri_to_iri(). + +Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report. + +Origin: https://github.com/django/django/commit/9c51b4dcfa0cefcb48231f4d71cafa80821f87b9 + +Co-authored-by: nessita <124304+nessita@users.noreply.github.com> +--- + django/utils/encoding.py | 6 ++++-- + docs/releases/3.2.21.txt | 7 ++++++- + docs/releases/4.1.11.txt | 7 ++++++- + docs/releases/4.2.5.txt | 7 +++++++ + tests/utils_tests/test_encoding.py | 21 ++++++++++++++++++++- + 5 files changed, 43 insertions(+), 5 deletions(-) + +diff --git a/django/utils/encoding.py b/django/utils/encoding.py +index 43847b538510..23473930fd96 100644 +--- a/django/utils/encoding.py ++++ b/django/utils/encoding.py +@@ -219,6 +219,7 @@ def repercent_broken_unicode(path): + repercent-encode any octet produced that is not part of a strictly legal + UTF-8 octet sequence. + """ ++ changed_parts = [] + while True: + try: + path.decode() +@@ -226,9 +227,10 @@ def repercent_broken_unicode(path): + # CVE-2019-14235: A recursion shouldn't be used since the exception + # handling uses massive amounts of memory + repercent = quote(path[e.start : e.end], safe=b"/#%[]=:;$&()+,!?*@'~") +- path = path[: e.start] + repercent.encode() + path[e.end :] ++ changed_parts.append(path[: e.start] + repercent.encode()) ++ path = path[e.end :] + else: +- return path ++ return b"".join(changed_parts) + path + + + def filepath_to_uri(path): +diff --git a/tests/utils_tests/test_encoding.py b/tests/utils_tests/test_encoding.py +index 6dea260b841b..2b52b1607c97 100644 +--- a/tests/utils_tests/test_encoding.py ++++ b/tests/utils_tests/test_encoding.py +@@ -1,9 +1,10 @@ + import datetime ++import inspect + import sys + import unittest + from pathlib import Path + from unittest import mock +-from urllib.parse import quote_plus ++from urllib.parse import quote, quote_plus + + from django.test import SimpleTestCase + from django.utils.encoding import ( +@@ -120,6 +121,24 @@ def test_repercent_broken_unicode_recursion_error(self): + except RecursionError: + self.fail("Unexpected RecursionError raised.") + ++ def test_repercent_broken_unicode_small_fragments(self): ++ data = b"test\xfctest\xfctest\xfc" ++ decoded_paths = [] ++ ++ def mock_quote(*args, **kwargs): ++ # The second frame is the call to repercent_broken_unicode(). ++ decoded_paths.append(inspect.currentframe().f_back.f_locals["path"]) ++ return quote(*args, **kwargs) ++ ++ with mock.patch("django.utils.encoding.quote", mock_quote): ++ self.assertEqual(repercent_broken_unicode(data), b"test%FCtest%FCtest%FC") ++ ++ # decode() is called on smaller fragment of the path each time. ++ self.assertEqual( ++ decoded_paths, ++ [b"test\xfctest\xfctest\xfc", b"test\xfctest\xfc", b"test\xfc"], ++ ) ++ + + class TestRFC3987IEncodingUtils(unittest.TestCase): + def test_filepath_to_uri(self): diff --git a/python-django.spec b/python-django.spec index 86d1e07..56be6b6 100644 --- a/python-django.spec +++ b/python-django.spec @@ -1,11 +1,12 @@ %global _empty_manifest_terminate_build 0 Name: python-django Version: 4.2.3 -Release: 1 +Release: 2 Summary: A high-level Python Web framework that encourages rapid development and clean, pragmatic design. License: Apache-2.0 and Python-2.0 and BSD-3-Clause URL: https://www.djangoproject.com/ Source0: https://files.pythonhosted.org/packages/36/24/d0e78e667f98efcca76c8b670ef247583349a8f5241cdb3c98eeb92726ff/Django-4.2.3.tar.gz +Patch0: CVE-2023-41164.patch BuildArch: noarch %description @@ -72,6 +73,9 @@ mv %{buildroot}/doclist.lst . %{_docdir}/* %changelog +* Thu Sep 14 2023 wangkai <13474090681@163.com> - 4.2.3-2 +- Fix CVE-2023-41164 + * Tue Jul 11 2023 chenzixuan - 4.2.3-1 - Update to 4.2.3