!82 Fix CVE-2023-46695

From: @starlet-dx Reviewed-by: @cherry530 Signed-off-by: @cherry530
2023-11-06 07:17:40 +00:00 · 2023-11-06 07:17:40 +00:00 · eaadec47e6
commit eaadec47e6
parent 5d7d509507 10b8226082
2 changed files with 67 additions and 1 deletions
--- a/CVE-2023-46695.patch
+++ b/CVE-2023-46695.patch
@ -0,0 +1,61 @@
+From 048a9ebb6ea468426cb4e57c71572cbbd975517f Mon Sep 17 00:00:00 2001
+From: Mariusz Felisiak <felisiak.mariusz@gmail.com>
+Date: Tue, 17 Oct 2023 11:48:32 +0200
+Subject: [PATCH] [4.2.x] Fixed CVE-2023-46695 -- Fixed potential DoS in
+ UsernameField on Windows.
+
+Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
+---
+ django/contrib/auth/forms.py   | 10 +++++++++-
+ tests/auth_tests/test_forms.py |  7 +++++++
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/django/contrib/auth/forms.py b/django/contrib/auth/forms.py
+index eaae0bf..061dc81 100644
+--- a/django/contrib/auth/forms.py
+++ b/django/contrib/auth/forms.py
+@@ -71,7 +71,15 @@ class ReadOnlyPasswordHashField(forms.Field):
+ 
+ class UsernameField(forms.CharField):
+     def to_python(self, value):
+-        return unicodedata.normalize("NFKC", super().to_python(value))
+        value = super().to_python(value)
+        if self.max_length is not None and len(value) > self.max_length:
+            # Normalization can increase the string length (e.g.
+            # "ﬀ" -> "ff", "½" -> "1⁄2") but cannot reduce it, so there is no
+            # point in normalizing invalid data. Moreover, Unicode
+            # normalization is very slow on Windows and can be a DoS attack
+            # vector.
+            return value
+        return unicodedata.normalize("NFKC", value)
+ 
+     def widget_attrs(self, widget):
+         return {
+diff --git a/tests/auth_tests/test_forms.py b/tests/auth_tests/test_forms.py
+index 7a80adb..81c56a4 100644
+--- a/tests/auth_tests/test_forms.py
+++ b/tests/auth_tests/test_forms.py
+@@ -14,6 +14,7 @@ from django.contrib.auth.forms import (
+     SetPasswordForm,
+     UserChangeForm,
+     UserCreationForm,
+    UsernameField,
+ )
+ from django.contrib.auth.models import User
+ from django.contrib.auth.signals import user_login_failed
+@@ -154,6 +155,12 @@ class BaseUserCreationFormTest(TestDataMixin, TestCase):
+         self.assertNotEqual(user.username, ohm_username)
+         self.assertEqual(user.username, "testΩ")  # U+03A9 GREEK CAPITAL LETTER OMEGA
+ 
+    def test_invalid_username_no_normalize(self):
+        field = UsernameField(max_length=254)
+        # Usernames are not normalized if they are too long.
+        self.assertEqual(field.to_python("½" * 255), "½" * 255)
+        self.assertEqual(field.to_python("ﬀ" * 254), "ff" * 254)
+
+     def test_duplicate_normalized_unicode(self):
+         """
+         To prevent almost identical usernames, visually identical but differing
+-- 
+2.30.0
+
--- a/python-django.spec
+++ b/python-django.spec
@ -1,7 +1,7 @@
 %global _empty_manifest_terminate_build 0
 Name:		python-django
 Version:	4.2.3
-Release:	3
+Release:	4
 Summary:	A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
 License:	Apache-2.0 and Python-2.0 and BSD-3-Clause
 URL:		https://www.djangoproject.com/
@ -9,6 +9,8 @@ Source0:        https://files.pythonhosted.org/packages/36/24/d0e78e667f98efcca7
 Patch0:         CVE-2023-41164.patch
 # https://github.com/django/django/commit/be9c27c4d18c2e6a5be8af4e53c0797440794473
 Patch1:         CVE-2023-43665.patch
+# https://github.com/django/django/commit/048a9ebb6ea468426cb4e57c71572cbbd975517f
+Patch2:         CVE-2023-46695.patch

 BuildArch:	noarch
 %description
@ -75,6 +77,9 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*

 %changelog
+* Mon Nov 06 2023 yaoxin <yao_xin001@hoperun.com> - 4.2.3-4
+- Fix CVE-2023-46695
+
 * Sun Oct 08 2023 yaoxin <yao_xin001@hoperun.com> - 4.2.3-3
 - Fix CVE-2023-43665