From 34ce7e01bec9ad7b26430db4d5cfdcf3acc72c86 Mon Sep 17 00:00:00 2001 From: starlet-dx <15929766099@163.com> Date: Tue, 5 Mar 2024 20:09:45 +0800 Subject: [PATCH] Fix CVE-2024-27351 (cherry picked from commit f2bf9ce08d0be35719567a094af6f82a7cdf6908) --- CVE-2024-27351.patch | 122 +++++++++++++++++++++++++++++++++++++++++++ python-django.spec | 7 ++- 2 files changed, 128 insertions(+), 1 deletion(-) create mode 100644 CVE-2024-27351.patch diff --git a/CVE-2024-27351.patch b/CVE-2024-27351.patch new file mode 100644 index 0000000..d466e39 --- /dev/null +++ b/CVE-2024-27351.patch @@ -0,0 +1,122 @@ +From 072963e4c4d0b3a7a8c5412bc0c7d27d1a9c3521 Mon Sep 17 00:00:00 2001 +From: Shai Berger +Date: Mon, 19 Feb 2024 13:56:37 +0100 +Subject: [PATCH] [3.2.x] Fixed CVE-2024-27351 -- Prevented potential ReDoS in + Truncator.words(). + +Thanks Seokchan Yoon for the report. + +Co-Authored-By: Mariusz Felisiak +--- + django/utils/text.py | 57 ++++++++++++++++++++++++++++++++-- + tests/utils_tests/test_text.py | 26 ++++++++++++++++ + 2 files changed, 81 insertions(+), 2 deletions(-) + +diff --git a/django/utils/text.py b/django/utils/text.py +index 06a377b..6631a00 100644 +--- a/django/utils/text.py ++++ b/django/utils/text.py +@@ -15,8 +15,61 @@ def capfirst(x): + return x and str(x)[0].upper() + str(x)[1:] + + +-# Set up regular expressions +-re_words = re.compile(r'<[^>]+?>|([^<>\s]+)', re.S) ++# ----- Begin security-related performance workaround ----- ++ ++# We used to have, below ++# ++# re_words = re.compile(r"<[^>]+?>|([^<>\s]+)", re.S) ++# ++# But it was shown that this regex, in the way we use it here, has some ++# catastrophic edge-case performance features. Namely, when it is applied to ++# text with only open brackets "<<<...". The class below provides the services ++# and correct answers for the use cases, but in these edge cases does it much ++# faster. ++re_notag = re.compile(r"([^<>\s]+)", re.S) ++re_prt = re.compile(r"<|([^<>\s]+)", re.S) ++ ++ ++class WordsRegex: ++ @staticmethod ++ def search(text, pos): ++ # Look for "<" or a non-tag word. ++ partial = re_prt.search(text, pos) ++ if partial is None or partial[1] is not None: ++ return partial ++ ++ # "<" was found, look for a closing ">". ++ end = text.find(">", partial.end(0)) ++ if end < 0: ++ # ">" cannot be found, look for a word. ++ return re_notag.search(text, pos + 1) ++ else: ++ # "<" followed by a ">" was found -- fake a match. ++ end += 1 ++ return FakeMatch(text[partial.start(0): end], end) ++ ++ ++class FakeMatch: ++ __slots__ = ["_text", "_end"] ++ ++ def end(self, group=0): ++ assert group == 0, "This specific object takes only group=0" ++ return self._end ++ ++ def __getitem__(self, group): ++ if group == 1: ++ return None ++ assert group == 0, "This specific object takes only group in {0,1}" ++ return self._text ++ ++ def __init__(self, text, end): ++ self._text, self._end = text, end ++ ++ ++# ----- End security-related performance workaround ----- ++ ++# Set up regular expressions. ++re_words = WordsRegex + re_chars = re.compile(r'<[^>]+?>|(.)', re.S) + re_tag = re.compile(r'<(/)?(\S+?)(?:(\s*/)|\s.*?)?>', re.S) + re_newlines = re.compile(r'\r\n|\r') # Used in normalize_newlines +diff --git a/tests/utils_tests/test_text.py b/tests/utils_tests/test_text.py +index cb3063d..7e9f2b3 100644 +--- a/tests/utils_tests/test_text.py ++++ b/tests/utils_tests/test_text.py +@@ -156,6 +156,32 @@ class TestUtilsText(SimpleTestCase): + truncator = text.Truncator('

I <3 python, what about you?

') + self.assertEqual('

I <3 python,…

', truncator.words(3, html=True)) + ++ # Only open brackets. ++ test = "<" * 60_000 ++ truncator = text.Truncator(test) ++ self.assertEqual(truncator.words(1, html=True), test) ++ ++ # Tags with special chars in attrs. ++ truncator = text.Truncator( ++ """Hello, my dear lady!""" ++ ) ++ self.assertEqual( ++ """Hello, my dear…""", ++ truncator.words(3, html=True), ++ ) ++ ++ # Tags with special non-latin chars in attrs. ++ truncator = text.Truncator("""

Hello, my dear lady!

""") ++ self.assertEqual( ++ """

Hello, my dear…

""", ++ truncator.words(3, html=True), ++ ) ++ ++ # Misplaced brackets. ++ truncator = text.Truncator("hello >< world") ++ self.assertEqual(truncator.words(1, html=True), "hello…") ++ self.assertEqual(truncator.words(2, html=True), "hello >< world") ++ + @patch("django.utils.text.Truncator.MAX_LENGTH_HTML", 10_000) + def test_truncate_words_html_size_limit(self): + max_len = text.Truncator.MAX_LENGTH_HTML +-- +2.33.0 + diff --git a/python-django.spec b/python-django.spec index 8a582b2..16cfb51 100644 --- a/python-django.spec +++ b/python-django.spec @@ -1,7 +1,7 @@ %global _empty_manifest_terminate_build 0 Name: python-django Version: 2.2.27 -Release: 10 +Release: 11 Summary: A high-level Python Web framework that encourages rapid development and clean, pragmatic design. License: Apache-2.0 and Python-2.0 and OFL-1.1 and MIT URL: https://www.djangoproject.com/ @@ -23,6 +23,8 @@ Patch7: CVE-2023-43665.patch Patch8: CVE-2023-46695.patch # https://github.com/django/django/commit/c1171ffbd570db90ca206c30f8e2b9f691243820 Patch9: CVE-2024-24680.patch +# https://github.com/django/django/commit/072963e4c4d0b3a7a8c5412bc0c7d27d1a9c3521 +Patch10: CVE-2024-27351.patch BuildArch: noarch %description @@ -89,6 +91,9 @@ mv %{buildroot}/doclist.lst . %{_docdir}/* %changelog +* Tue Mar 05 2024 yaoxin - 2.2.27-11 +- Fix CVE-2024-27351 + * Wed Feb 07 2024 yaoxin - 2.2.27-10 - Fix CVE-2024-24680 -- Gitee