Fix CVE-2024-45230 CVE-2024-45231

(cherry picked from commit 2f48f14416679bfd07bd526077f002e97ed67b76)

CVE-2024-45230.patch

@@ -0,0 +1,135 @@
+From d147a8ebbdf28c17cafbbe2884f0bc57e2bf82e2 Mon Sep 17 00:00:00 2001
+From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
+Date: Mon, 12 Aug 2024 15:17:57 +0200
+Subject: [PATCH] [4.2.x] Fixed CVE-2024-45230 -- Mitigated potential DoS in
+ urlize and urlizetrunc template filters.
+
+Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
+---
+ django/utils/html.py                          | 17 ++++++++------
+ docs/ref/templates/builtins.txt               | 11 ++++++++++
+ docs/releases/4.2.16.txt                      | 14 ++++++++++++
+ .../filter_tests/test_urlize.py               | 22 +++++++++++++++++++
+ tests/utils_tests/test_html.py                |  1 +
+ 5 files changed, 58 insertions(+), 7 deletions(-)
+ create mode 100644 docs/releases/4.2.16.txt
+
+diff --git a/django/utils/html.py b/django/utils/html.py
+index 23575d3..df38c20 100644
+--- a/django/utils/html.py
++++ b/django/utils/html.py
+@@ -395,14 +395,17 @@ class Urlizer:
+                 potential_entity = middle[amp:]
+                 escaped = html.unescape(potential_entity)
+                 if escaped == potential_entity or escaped.endswith(";"):
+-                    rstripped = middle.rstrip(";")
+-                    amount_stripped = len(middle) - len(rstripped)
+-                    if amp > -1 and amount_stripped > 1:
+-                        # Leave a trailing semicolon as might be an entity.
+-                        trail = middle[len(rstripped) + 1 :] + trail
+-                        middle = rstripped + ";"
++                    rstripped = middle.rstrip(self.trailing_punctuation_chars)
++                    trail_start = len(rstripped)
++                    amount_trailing_semicolons = len(middle) - len(middle.rstrip(";"))
++                    if amp > -1 and amount_trailing_semicolons > 1:
++                        # Leave up to most recent semicolon as might be an entity.
++                        recent_semicolon = middle[trail_start:].index(";")
++                        middle_semicolon_index = recent_semicolon + trail_start + 1
++                        trail = middle[middle_semicolon_index:] + trail
++                        middle = rstripped + middle[trail_start:middle_semicolon_index]
+                     else:
+-                        trail = middle[len(rstripped) :] + trail
++                        trail = middle[trail_start:] + trail
+                         middle = rstripped
+                     trimmed_something = True
+ 
+diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt
+index 39aa398..dda5b42 100644
+--- a/docs/ref/templates/builtins.txt
++++ b/docs/ref/templates/builtins.txt
+@@ -2831,6 +2831,17 @@ Django's built-in :tfilter:`escape` filter. The default value for
+     email addresses that contain single quotes (``'``), things won't work as
+     expected. Apply this filter only to plain text.
+ 
++.. warning::
++
++    Using ``urlize`` or ``urlizetrunc`` can incur a performance penalty, which
++    can become severe when applied to user controlled values such as content
++    stored in a :class:`~django.db.models.TextField`. You can use
++    :tfilter:`truncatechars` to add a limit to such inputs:
++
++    .. code-block:: html+django
++
++        {{ value|truncatechars:500|urlize }}
++
+ .. templatefilter:: urlizetrunc
+ 
+ ``urlizetrunc``
+diff --git a/docs/releases/4.2.16.txt b/docs/releases/4.2.16.txt
+new file mode 100644
+index 0000000..b624d5c
+--- /dev/null
++++ b/docs/releases/4.2.16.txt
+@@ -0,0 +1,14 @@
++===========================
++Django 4.2.16 release notes
++===========================
++*September 3, 2024*
++Django 4.2.16 fixes one security issue with severity "moderate" and one
++security issue with severity "low" in 4.2.15.
++
++...
++CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html.urlize()``
++===========================================================================================
++
++:tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
++denial-of-service attack via very large inputs with a specific sequence of
++characters.
+diff --git a/tests/template_tests/filter_tests/test_urlize.py b/tests/template_tests/filter_tests/test_urlize.py
+index abc227b..e542802 100644
+--- a/tests/template_tests/filter_tests/test_urlize.py
++++ b/tests/template_tests/filter_tests/test_urlize.py
+@@ -305,6 +305,28 @@ class FunctionTests(SimpleTestCase):
+             "http://testing.com/example</a>.,:;)&quot;!",
+         )
+ 
++    def test_trailing_semicolon(self):
++        self.assertEqual(
++            urlize("http://example.com?x=&amp;", autoescape=False),
++            '<a href="http://example.com?x=" rel="nofollow">'
++            "http://example.com?x=&amp;</a>",
++        )
++        self.assertEqual(
++            urlize("http://example.com?x=&amp;;", autoescape=False),
++            '<a href="http://example.com?x=" rel="nofollow">'
++            "http://example.com?x=&amp;</a>;",
++        )
++        self.assertEqual(
++            urlize("http://example.com?x=&amp;;;", autoescape=False),
++            '<a href="http://example.com?x=" rel="nofollow">'
++            "http://example.com?x=&amp;</a>;;",
++        )
++        self.assertEqual(
++            urlize("http://example.com?x=&amp.;...;", autoescape=False),
++            '<a href="http://example.com?x=" rel="nofollow">'
++            "http://example.com?x=&amp</a>.;...;",
++        )
++
+     def test_brackets(self):
+         """
+         #19070 - Check urlize handles brackets properly
+diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
+index 83ebe43..7ff5020 100644
+--- a/tests/utils_tests/test_html.py
++++ b/tests/utils_tests/test_html.py
+@@ -364,6 +364,7 @@ class TestUtilsHtml(SimpleTestCase):
+             "&:" + ";" * 100_000,
+             "&.;" * 100_000,
+             ".;" * 100_000,
++            "&" + ";:" * 100_000,
+         )
+         for value in tests:
+             with self.subTest(value=value):
+-- 
+2.43.0
+

CVE-2024-45231.patch

@@ -0,0 +1,159 @@
+From bf4888d317ba4506d091eeac6e8b4f1fcc731199 Mon Sep 17 00:00:00 2001
+From: Natalia <124304+nessita@users.noreply.github.com>
+Date: Mon, 19 Aug 2024 14:47:38 -0300
+Subject: [PATCH] [4.2.x] Fixed CVE-2024-45231 -- Avoided server error on
+ password reset when email sending fails.
+
+On successful submission of a password reset request, an email is sent
+to the accounts known to the system. If sending this email fails (due to
+email backend misconfiguration, service provider outage, network issues,
+etc.), an attacker might exploit this by detecting which password reset
+requests succeed and which ones generate a 500 error response.
+
+Thanks to Thibaut Spriet for the report, and to Mariusz Felisiak, Adam
+Johnson, and Sarah Boyce for the reviews.
+---
+ django/contrib/auth/forms.py   |  9 ++++++++-
+ docs/ref/logging.txt           | 12 ++++++++++++
+ docs/releases/4.2.16.txt       | 11 +++++++++++
+ docs/topics/auth/default.txt   |  4 +++-
+ tests/auth_tests/test_forms.py | 21 +++++++++++++++++++++
+ tests/mail/custombackend.py    |  5 +++++
+ 6 files changed, 60 insertions(+), 2 deletions(-)
+
+diff --git a/django/contrib/auth/forms.py b/django/contrib/auth/forms.py
+index 061dc81b42..7f85787f03 100644
+--- a/django/contrib/auth/forms.py
++++ b/django/contrib/auth/forms.py
+@@ -1,3 +1,4 @@
++import logging
+ import unicodedata
+ 
+ from django import forms
+@@ -16,6 +17,7 @@ from django.utils.translation import gettext
+ from django.utils.translation import gettext_lazy as _
+ 
+ UserModel = get_user_model()
++logger = logging.getLogger("django.contrib.auth")
+ 
+ 
+ def _unicode_ci_compare(s1, s2):
+@@ -314,7 +316,12 @@ class PasswordResetForm(forms.Form):
+             html_email = loader.render_to_string(html_email_template_name, context)
+             email_message.attach_alternative(html_email, "text/html")
+ 
+-        email_message.send()
++        try:
++            email_message.send()
++        except Exception:
++            logger.exception(
++                "Failed to send password reset email to %s", context["user"].pk
++            )
+ 
+     def get_users(self, email):
+         """Given an email, return matching user(s) who should receive a reset.
+diff --git a/docs/ref/logging.txt b/docs/ref/logging.txt
+index b11fb752f7..3d33e0af63 100644
+--- a/docs/ref/logging.txt
++++ b/docs/ref/logging.txt
+@@ -204,6 +204,18 @@ all database queries.
+     Support for logging transaction management queries (``BEGIN``, ``COMMIT``,
+     and ``ROLLBACK``) was added.
+ 
++.. _django-contrib-auth-logger:
++
++``django.contrib.auth``
++~~~~~~~~~~~~~~~~~~~~~~~
++
++.. versionadded:: 4.2.16
++
++Log messages related to :doc:`contrib/auth`, particularly ``ERROR`` messages
++are generated when a :class:`~django.contrib.auth.forms.PasswordResetForm` is
++successfully submitted but the password reset email cannot be delivered due to
++a mail sending exception.
++
+ .. _django-security-logger:
+ 
+ ``django.security.*``
+diff --git a/docs/releases/4.2.16.txt b/docs/releases/4.2.16.txt
+index 2a84186867..963036345c 100644
+--- a/docs/releases/4.2.16.txt
++++ b/docs/releases/4.2.16.txt
+@@ -13,3 +13,14 @@ CVE-2024-45230: Potential denial-of-service vulnerability in ``django.utils.html
+ :tfilter:`urlize` and :tfilter:`urlizetrunc` were subject to a potential
+ denial-of-service attack via very large inputs with a specific sequence of
+ characters.
++
++CVE-2024-45231: Potential user email enumeration via response status on password reset
++======================================================================================
++
++Due to unhandled email sending failures, the
++:class:`~django.contrib.auth.forms.PasswordResetForm` class allowed remote
++attackers to enumerate user emails by issuing password reset requests and
++observing the outcomes.
++
++To mitigate this risk, exceptions occurring during password reset email sending
++are now handled and logged using the :ref:`django-contrib-auth-logger` logger.
+diff --git a/docs/topics/auth/default.txt b/docs/topics/auth/default.txt
+index 528902416d..ad840c5e57 100644
+--- a/docs/topics/auth/default.txt
++++ b/docs/topics/auth/default.txt
+@@ -1661,7 +1661,9 @@ provides several built-in forms located in :mod:`django.contrib.auth.forms`:
+     .. method:: send_mail(subject_template_name, email_template_name, context, from_email, to_email, html_email_template_name=None)
+ 
+         Uses the arguments to send an ``EmailMultiAlternatives``.
+-        Can be overridden to customize how the email is sent to the user.
++        Can be overridden to customize how the email is sent to the user. If
++        you choose to override this method, be mindful of handling potential
++        exceptions raised due to email sending failures.
+ 
+         :param subject_template_name: the template for the subject.
+         :param email_template_name: the template for the email body.
+diff --git a/tests/auth_tests/test_forms.py b/tests/auth_tests/test_forms.py
+index 81c56a428e..f068d347a9 100644
+--- a/tests/auth_tests/test_forms.py
++++ b/tests/auth_tests/test_forms.py
+@@ -1245,6 +1245,27 @@ class PasswordResetFormTest(TestDataMixin, TestCase):
+             )
+         )
+ 
++    @override_settings(EMAIL_BACKEND="mail.custombackend.FailingEmailBackend")
++    def test_save_send_email_exceptions_are_catched_and_logged(self):
++        (user, username, email) = self.create_dummy_user()
++        form = PasswordResetForm({"email": email})
++        self.assertTrue(form.is_valid())
++
++        with self.assertLogs("django.contrib.auth", level=0) as cm:
++            form.save()
++
++        self.assertEqual(len(mail.outbox), 0)
++        self.assertEqual(len(cm.output), 1)
++        errors = cm.output[0].split("\n")
++        pk = user.pk
++        self.assertEqual(
++            errors[0],
++            f"ERROR:django.contrib.auth:Failed to send password reset email to {pk}",
++        )
++        self.assertEqual(
++            errors[-1], "ValueError: FailingEmailBackend is doomed to fail."
++        )
++
+     @override_settings(AUTH_USER_MODEL="auth_tests.CustomEmailField")
+     def test_custom_email_field(self):
+         email = "test@mail.com"
+diff --git a/tests/mail/custombackend.py b/tests/mail/custombackend.py
+index 14e7f077ba..c6c567b642 100644
+--- a/tests/mail/custombackend.py
++++ b/tests/mail/custombackend.py
+@@ -12,3 +12,8 @@ class EmailBackend(BaseEmailBackend):
+         # Messages are stored in an instance variable for testing.
+         self.test_outbox.extend(email_messages)
+         return len(email_messages)
++
++
++class FailingEmailBackend(BaseEmailBackend):
++    def send_messages(self, email_messages):
++        raise ValueError("FailingEmailBackend is doomed to fail.")
+-- 
+2.20.1
+

python-django.spec

@@ -1,11 +1,13 @@
 %global _empty_manifest_terminate_build 0
 Name:		python-django
 Version:	4.2.15
-Release:	1
+Release:	2
 Summary:	A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
 License:	Apache-2.0 and Python-2.0 and BSD-3-Clause
 URL:		https://www.djangoproject.com/
 Source0:        https://files.pythonhosted.org/packages/source/d/Django/Django-%{version}.tar.gz
+Patch0:		CVE-2024-45230.patch
+Patch1:		CVE-2024-45231.patch
 
 BuildArch:	noarch
 %description
@@ -72,6 +74,9 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*
 
 %changelog
+* Thu Oct 10 2024 zhangxianting <zhangxianting@uniontech.com> - 4.2.15-2
+- Fix CVE-2024-45230 CVE-2024-45231
+
 * Thu Aug 08 2024 yaoxin <yao_xin001@hoperun.com> - 4.2.15-1
 - Update to 4.2.15
   * CVE-2024-41989: Memory exhaustion in ``django.utils.numberformat.floatformat()``