packages/python-django
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!67 Fix CVE-2023-41164

Browse Source 
From: @wk333 
Reviewed-by: @cherry530 
Signed-off-by: @cherry530
This commit is contained in:
openeuler-ci-bot 2023-09-15 01:17:05 +00:00 committed by Gitee
commit b015139876
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 90 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

85
CVE-2023-41164.patch Normal file
View File

@ -0,0 +1,85 @@
From 9c51b4dcfa0cefcb48231f4d71cafa80821f87b9 Mon Sep 17 00:00:00 2001
From: Mariusz Felisiak <felisiak.mariusz@gmail.com>
Date: Tue, 22 Aug 2023 08:53:03 +0200
Subject: [PATCH] [4.2.x] Fixed CVE-2023-41164 -- Fixed potential DoS in
django.utils.encoding.uri_to_iri().
Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
Origin: https://github.com/django/django/commit/9c51b4dcfa0cefcb48231f4d71cafa80821f87b9
Co-authored-by: nessita <124304+nessita@users.noreply.github.com>
---
django/utils/encoding.py | 6 ++++--
docs/releases/3.2.21.txt | 7 ++++++-
docs/releases/4.1.11.txt | 7 ++++++-
docs/releases/4.2.5.txt | 7 +++++++
tests/utils_tests/test_encoding.py | 21 ++++++++++++++++++++-
5 files changed, 43 insertions(+), 5 deletions(-)
diff --git a/django/utils/encoding.py b/django/utils/encoding.py
index 43847b538510..23473930fd96 100644
--- a/django/utils/encoding.py
+++ b/django/utils/encoding.py
@@ -219,6 +219,7 @@ def repercent_broken_unicode(path):
repercent-encode any octet produced that is not part of a strictly legal
UTF-8 octet sequence.
"""
+ changed_parts = []
while True:
try:
path.decode()
@@ -226,9 +227,10 @@ def repercent_broken_unicode(path):
# CVE-2019-14235: A recursion shouldn't be used since the exception
# handling uses massive amounts of memory
repercent = quote(path[e.start : e.end], safe=b"/#%[]=:;$&()+,!?*@'~")
- path = path[: e.start] + repercent.encode() + path[e.end :]
+ changed_parts.append(path[: e.start] + repercent.encode())
+ path = path[e.end :]
else:
- return path
+ return b"".join(changed_parts) + path
def filepath_to_uri(path):
diff --git a/tests/utils_tests/test_encoding.py b/tests/utils_tests/test_encoding.py
index 6dea260b841b..2b52b1607c97 100644
--- a/tests/utils_tests/test_encoding.py
+++ b/tests/utils_tests/test_encoding.py
@@ -1,9 +1,10 @@
import datetime
+import inspect
import sys
import unittest
from pathlib import Path
from unittest import mock
-from urllib.parse import quote_plus
+from urllib.parse import quote, quote_plus
from django.test import SimpleTestCase
from django.utils.encoding import (
@@ -120,6 +121,24 @@ def test_repercent_broken_unicode_recursion_error(self):
except RecursionError:
self.fail("Unexpected RecursionError raised.")
+ def test_repercent_broken_unicode_small_fragments(self):
+ data = b"test\xfctest\xfctest\xfc"
+ decoded_paths = []
+
+ def mock_quote(*args, **kwargs):
+ # The second frame is the call to repercent_broken_unicode().
+ decoded_paths.append(inspect.currentframe().f_back.f_locals["path"])
+ return quote(*args, **kwargs)
+
+ with mock.patch("django.utils.encoding.quote", mock_quote):
+ self.assertEqual(repercent_broken_unicode(data), b"test%FCtest%FCtest%FC")
+
+ # decode() is called on smaller fragment of the path each time.
+ self.assertEqual(
+ decoded_paths,
+ [b"test\xfctest\xfctest\xfc", b"test\xfctest\xfc", b"test\xfc"],
+ )
+
class TestRFC3987IEncodingUtils(unittest.TestCase):
def test_filepath_to_uri(self):

6
python-django.spec
View File

@ -1,11 +1,12 @@
%global _empty_manifest_terminate_build 0 %global _empty_manifest_terminate_build 0
Name: python-django Name: python-django
Version: 4.2.3 Version: 4.2.3
Release: 1 Release: 2
Summary: A high-level Python Web framework that encourages rapid development and clean, pragmatic design. Summary: A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
License: Apache-2.0 and Python-2.0 and BSD-3-Clause License: Apache-2.0 and Python-2.0 and BSD-3-Clause
URL: https://www.djangoproject.com/ URL: https://www.djangoproject.com/
Source0: https://files.pythonhosted.org/packages/36/24/d0e78e667f98efcca76c8b670ef247583349a8f5241cdb3c98eeb92726ff/Django-4.2.3.tar.gz Source0: https://files.pythonhosted.org/packages/36/24/d0e78e667f98efcca76c8b670ef247583349a8f5241cdb3c98eeb92726ff/Django-4.2.3.tar.gz
Patch0: CVE-2023-41164.patch
BuildArch: noarch BuildArch: noarch
%description %description
@ -72,6 +73,9 @@ mv %{buildroot}/doclist.lst .
%{_docdir}/* %{_docdir}/*
%changelog %changelog
* Thu Sep 14 2023 wangkai <13474090681@163.com> - 4.2.3-2
- Fix CVE-2023-41164
* Tue Jul 11 2023 chenzixuan <chenzixuan@kylinos.cn> - 4.2.3-1 * Tue Jul 11 2023 chenzixuan <chenzixuan@kylinos.cn> - 4.2.3-1
- Update to 4.2.3 - Update to 4.2.3