!32 Upgrade package to version 4.1.4

From: @ccdxx 
Reviewed-by: @shinwell_hu 
Signed-off-by: @shinwell_hu

CVE-2022-34265.patch

@@ -1,21 +1,6 @@
-From a9010fe5555e6086a9d9ae50069579400ef0685e Mon Sep 17 00:00:00 2001
-From: Mariusz Felisiak <felisiak.mariusz@gmail.com>
-Date: Wed, 22 Jun 2022 12:44:04 +0200
-Subject: [PATCH] [3.2.x] Fixed CVE-2022-34265 -- Protected
- Trunc(kind)/Extract(lookup_name) against SQL injection.
-
-Thanks Takuto Yoshikai (Aeye Security Lab) for the report.
----
- django/db/backends/base/operations.py         |  3 ++
- django/db/models/functions/datetime.py        |  4 +++
- docs/releases/3.2.14.txt                      | 11 ++++++
- .../datetime/test_extract_trunc.py            | 34 +++++++++++++++++++
- 4 files changed, 52 insertions(+)
-
-diff --git a/django/db/backends/base/operations.py b/django/db/backends/base/operations.py
-index 0fcc607bcfb0..cdcd9885ba27 100644
---- a/django/db/backends/base/operations.py
-+++ b/django/db/backends/base/operations.py
+diff -Naur a/django/db/backends/base/operations.py b/django/db/backends/base/operations.py
+--- a/django/db/backends/base/operations.py	2022-12-06 17:12:38.000000000 +0800
++++ b/django/db/backends/base/operations.py	2022-12-09 11:49:05.347986919 +0800
 @@ -9,6 +9,7 @@
  from django.db.backends import utils
  from django.utils import timezone
@@ -24,20 +9,19 @@ index 0fcc607bcfb0..cdcd9885ba27 100644
  
  
  class BaseDatabaseOperations:
-@@ -53,6 +54,8 @@ class BaseDatabaseOperations:
+@@ -53,6 +54,8 @@
+ 
      # Prefix for EXPLAIN queries, or None EXPLAIN isn't supported.
      explain_prefix = None
- 
 +    extract_trunc_lookup_pattern = _lazy_re_compile(r"[\w\-_()]+")
 +
+ 
      def __init__(self, connection):
          self.connection = connection
-         self._cache = None
-diff --git a/django/db/models/functions/datetime.py b/django/db/models/functions/datetime.py
-index 90e6f41be057..47651d281f19 100644
---- a/django/db/models/functions/datetime.py
-+++ b/django/db/models/functions/datetime.py
-@@ -41,6 +41,8 @@ def __init__(self, expression, lookup_name=None, tzinfo=None, **extra):
+diff -Naur a/django/db/models/functions/datetime.py b/django/db/models/functions/datetime.py
+--- a/django/db/models/functions/datetime.py	2022-12-06 17:12:38.000000000 +0800
++++ b/django/db/models/functions/datetime.py	2022-12-09 11:50:50.011981885 +0800
+@@ -51,6 +51,8 @@
          super().__init__(expression, **extra)
  
      def as_sql(self, compiler, connection):
@@ -46,64 +30,12 @@ index 90e6f41be057..47651d281f19 100644
          sql, params = compiler.compile(self.lhs)
          lhs_output_field = self.lhs.output_field
          if isinstance(lhs_output_field, DateTimeField):
-@@ -192,6 +194,8 @@ def __init__(self, expression, output_field=None, tzinfo=None, is_dst=None, **ex
+@@ -243,6 +245,8 @@
          super().__init__(expression, output_field=output_field, **extra)
  
      def as_sql(self, compiler, connection):
 +        if not connection.ops.extract_trunc_lookup_pattern.fullmatch(self.kind):
 +            raise ValueError("Invalid kind: %s" % self.kind)
-         inner_sql, inner_params = compiler.compile(self.lhs)
+         sql, params = compiler.compile(self.lhs)
          tzname = None
          if isinstance(self.lhs.output_field, DateTimeField):
-diff --git a/tests/db_functions/datetime/test_extract_trunc.py b/tests/db_functions/datetime/test_extract_trunc.py
-index 258600127f93..27ed3ae63ee5 100644
---- a/tests/db_functions/datetime/test_extract_trunc.py
-+++ b/tests/db_functions/datetime/test_extract_trunc.py
-@@ -177,6 +177,23 @@ def test_extract_year_lessthan_lookup(self):
-                 self.assertEqual(qs.count(), 1)
-                 self.assertGreaterEqual(str(qs.query).lower().count('extract'), 2)
- 
-+    def test_extract_lookup_name_sql_injection(self):
-+        start_datetime = datetime(2015, 6, 15, 14, 30, 50, 321)
-+        end_datetime = datetime(2016, 6, 15, 14, 10, 50, 123)
-+        if settings.USE_TZ:
-+            start_datetime = timezone.make_aware(start_datetime)
-+            end_datetime = timezone.make_aware(end_datetime)
-+        self.create_model(start_datetime, end_datetime)
-+        self.create_model(end_datetime, start_datetime)
-+
-+        msg = "Invalid lookup_name: "
-+        with self.assertRaisesMessage(ValueError, msg):
-+            DTModel.objects.filter(
-+                start_datetime__year=Extract(
-+                    "start_datetime", "day' FROM start_datetime)) OR 1=1;--"
-+                )
-+            ).exists()
-+
-     def test_extract_func(self):
-         start_datetime = datetime(2015, 6, 15, 14, 30, 50, 321)
-         end_datetime = datetime(2016, 6, 15, 14, 10, 50, 123)
-@@ -620,6 +637,23 @@ def test_extract_second_func(self):
-         )
-         self.assertEqual(DTModel.objects.filter(start_datetime__second=ExtractSecond('start_datetime')).count(), 2)
- 
-+    def test_trunc_lookup_name_sql_injection(self):
-+        start_datetime = datetime(2015, 6, 15, 14, 30, 50, 321)
-+        end_datetime = datetime(2016, 6, 15, 14, 10, 50, 123)
-+        if settings.USE_TZ:
-+            start_datetime = timezone.make_aware(start_datetime)
-+            end_datetime = timezone.make_aware(end_datetime)
-+        self.create_model(start_datetime, end_datetime)
-+        self.create_model(end_datetime, start_datetime)
-+        msg = "Invalid kind: "
-+        with self.assertRaisesMessage(ValueError, msg):
-+            DTModel.objects.filter(
-+                start_datetime__date=Trunc(
-+                    "start_datetime",
-+                    "year', start_datetime)) OR 1=1;--",
-+                )
-+            ).exists()
-+
-     def test_trunc_func(self):
-         start_datetime = datetime(2015, 6, 15, 14, 30, 50, 321)
-         end_datetime = datetime(2016, 6, 15, 14, 10, 50, 123)

backport-CVE-2022-36359.patch

@@ -1,74 +0,0 @@
-From 8c5a1dfe34ea52cc2af21064a8654bfaa8b7a012 Mon Sep 17 00:00:00 2001
-From: Carlton Gibson <carlton.gibson@noumenal.es>
-Date: Wed, 27 Jul 2022 10:27:42 +0200
-Subject: [PATCH] [3.2.x] Fixed CVE-2022-36359: Escaped filename in
- Content-Disposition header.
-
-Thanks to Motoyasu Saburi for the report.
----
- django/http/response.py              |  4 +++-
- docs/releases/3.2.15.txt             |  8 ++++++-
- tests/responses/test_fileresponse.py | 35 ++++++++++++++++++++++++++++
- 3 files changed, 45 insertions(+), 2 deletions(-)
-
-diff --git a/django/http/response.py b/django/http/response.py
-index 1c22edaff3..73f87d7bda 100644
---- a/django/http/response.py
-+++ b/django/http/response.py
-@@ -485,7 +485,9 @@ class FileResponse(StreamingHttpResponse):
-             disposition = 'attachment' if self.as_attachment else 'inline'
-             try:
-                 filename.encode('ascii')
--                file_expr = 'filename="{}"'.format(filename)
-+                file_expr = 'filename="{}"'.format(
-+                    filename.replace('\\', '\\\\').replace('"', r'\"')
-+                )
-             except UnicodeEncodeError:
-                 file_expr = "filename*=utf-8''{}".format(quote(filename))
-             self.headers['Content-Disposition'] = '{}; {}'.format(disposition, file_expr)
-diff --git a/tests/responses/test_fileresponse.py b/tests/responses/test_fileresponse.py
-index 46d407bdf5..b4ef82ef3e 100644
---- a/tests/responses/test_fileresponse.py
-+++ b/tests/responses/test_fileresponse.py
-@@ -89,3 +89,38 @@ class FileResponseTests(SimpleTestCase):
-             response.headers['Content-Disposition'],
-             "attachment; filename*=utf-8''%E7%A5%9D%E6%82%A8%E5%B9%B3%E5%AE%89.odt"
-         )
-+
-+    def test_content_disposition_escaping(self):
-+        # fmt: off
-+        tests = [
-+            (
-+                'multi-part-one";\" dummy".txt',
-+                r"multi-part-one\";\" dummy\".txt"
-+            ),
-+        ]
-+        # fmt: on
-+        # Non-escape sequence backslashes are path segments on Windows, and are
-+        # eliminated by an os.path.basename() check in FileResponse.
-+        if sys.platform != "win32":
-+            # fmt: off
-+            tests += [
-+                (
-+                    'multi-part-one\\";\" dummy".txt',
-+                    r"multi-part-one\\\";\" dummy\".txt"
-+                ),
-+                (
-+                    'multi-part-one\\";\\\" dummy".txt',
-+                    r"multi-part-one\\\";\\\" dummy\".txt"
-+                )
-+            ]
-+            # fmt: on
-+        for filename, escaped in tests:
-+            with self.subTest(filename=filename, escaped=escaped):
-+                response = FileResponse(
-+                    io.BytesIO(b"binary content"), filename=filename, as_attachment=True
-+                )
-+                response.close()
-+                self.assertEqual(
-+                    response.headers["Content-Disposition"],
-+                    f'attachment; filename="{escaped}"',
-+                )
--- 
-2.36.1
-

python-django.spec

@@ -1,14 +1,13 @@
 %global _empty_manifest_terminate_build 0
 Name:		python-django
-Version:	3.2.12
-Release:	3
+Version:	4.1.4
+Release:	1
 Summary:	A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
 License:	Apache-2.0 and Python-2.0 and BSD-3-Clause
 URL:		https://www.djangoproject.com/
-Source0:	https://github.com/django/django/archive/refs/tags/3.2.12.tar.gz
+Source0:	https://github.com/django/django/archive/refs/tags/4.1.4.tar.gz
 #https://github.com/django/django/commit/a9010fe5555e6086a9d9ae50069579400ef0685e
 Patch0:         CVE-2022-34265.patch
-Patch1:         backport-CVE-2022-36359.patch
 
 
 BuildArch:	noarch
@@ -76,6 +75,9 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*
 
 %changelog
+* Fri Dec 09 2022 chendexi <chendexi@kylinos.cn> - 4.1.4-1
+- Upgrade package to version 4.1.4
+
 * Tue Aug 09 2022 huangduirong <huangduirong@huawei.com> - 3.2.12-3
 - Type: bugfix
 - CVE: CVE-2022-36359