From 7c108739faacbc46c0f350a9f43cc6222dc48afd Mon Sep 17 00:00:00 2001
From: baiguo <baiguo@kylinos.cn>
Date: Thu, 11 Jul 2024 08:45:49 +0800
Subject: [PATCH]  Fixed CVE-2024-39614

---
 backport-0001-Fixed-CVE-2024-39614.patch | 132 +++++++++++++++++++++++
 python-django.spec                       |   6 +-
 2 files changed, 137 insertions(+), 1 deletion(-)
 create mode 100644 backport-0001-Fixed-CVE-2024-39614.patch

diff --git a/backport-0001-Fixed-CVE-2024-39614.patch b/backport-0001-Fixed-CVE-2024-39614.patch
new file mode 100644
index 0000000..1d1c9bb
--- /dev/null
+++ b/backport-0001-Fixed-CVE-2024-39614.patch
@@ -0,0 +1,132 @@
+From 17358fb35fb7217423d4c4877ccb6d1a3a40b1c3 Mon Sep 17 00:00:00 2001
+From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
+Date: Wed, 26 Jun 2024 12:11:54 +0200
+Subject: [PATCH] [4.2.x] Fixed CVE-2024-39614 -- Mitigated potential DoS in
+ get_supported_language_variant().
+
+---
+ django/utils/translation/trans_real.py | 25 ++++++++++++++++++++-----
+ docs/ref/utils.txt                     | 10 ++++++++++
+ tests/i18n/tests.py                    | 11 +++++++++++
+ 3 files changed, 41 insertions(+), 5 deletions(-)
+
+diff --git a/django/utils/translation/trans_real.py b/django/utils/translation/trans_real.py
+index 872c80b..6016075 100644
+--- a/django/utils/translation/trans_real.py
++++ b/django/utils/translation/trans_real.py
+@@ -31,9 +31,10 @@ _default = None
+ CONTEXT_SEPARATOR = "\x04"
+ 
+ # Maximum number of characters that will be parsed from the Accept-Language
+-# header to prevent possible denial of service or memory exhaustion attacks.
+-# About 10x longer than the longest value shown on MDN’s Accept-Language page.
+-ACCEPT_LANGUAGE_HEADER_MAX_LENGTH = 500
++# header or cookie to prevent possible denial of service or memory exhaustion
++# attacks. About 10x longer than the longest value shown on MDN’s
++# Accept-Language page.
++LANGUAGE_CODE_MAX_LENGTH = 500
+ 
+ # Format of Accept-Language header values. From RFC 9110 Sections 12.4.2 and
+ # 12.5.4, and RFC 5646 Section 2.1.
+@@ -497,11 +498,25 @@ def get_supported_language_variant(lang_code, strict=False):
+     If `strict` is False (the default), look for a country-specific variant
+     when neither the language code nor its generic variant is found.
+ 
++   The language code is truncated to a maximum length to avoid potential
++    denial of service attacks.
++
+     lru_cache should have a maxsize to prevent from memory exhaustion attacks,
+     as the provided language codes are taken from the HTTP request. See also
+     <https://www.djangoproject.com/weblog/2007/oct/26/security-fix/>.
+     """
+     if lang_code:
++        # Truncate the language code to a maximum length to avoid potential
++        # denial of service attacks.
++        if len(lang_code) > LANGUAGE_CODE_MAX_LENGTH:
++            if (
++                not strict
++                and (index := lang_code.rfind("-", 0, LANGUAGE_CODE_MAX_LENGTH)) > 0
++            ):
++                # There is a generic variant under the maximum length accepted length.
++                lang_code = lang_code[:index]
++            else:
++                raise ValueError("'lang_code' exceeds the maximum accepted length")        
+         # If 'zh-hant-tw' is not supported, try special fallback or subsequent
+         # language codes i.e. 'zh-hant' and 'zh'.
+         possible_lang_codes = [lang_code]
+@@ -625,13 +640,13 @@ def parse_accept_lang_header(lang_string):
+     functools.lru_cache() to avoid repetitive parsing of common header values.
+     """
+     # If the header value doesn't exceed the maximum allowed length, parse it.
+-    if len(lang_string) <= ACCEPT_LANGUAGE_HEADER_MAX_LENGTH:
++    if len(lang_string) <= LANGUAGE_CODE_MAX_LENGTH:    
+         return _parse_accept_lang_header(lang_string)
+ 
+     # If there is at least one comma in the value, parse up to the last comma
+     # before the max length, skipping any truncated parts at the end of the
+     # header value.
+-    if (index := lang_string.rfind(",", 0, ACCEPT_LANGUAGE_HEADER_MAX_LENGTH)) > 0:
++    if (index := lang_string.rfind(",", 0, LANGUAGE_CODE_MAX_LENGTH)) > 0:    
+         return _parse_accept_lang_header(lang_string[:index])
+ 
+     # Don't attempt to parse if there is only one language-range value which is
+diff --git a/docs/ref/utils.txt b/docs/ref/utils.txt
+index b2b8266..8d365da 100644
+--- a/docs/ref/utils.txt
++++ b/docs/ref/utils.txt
+@@ -1155,6 +1155,11 @@ For a complete discussion on the usage of the following see the
+     ``lang_code`` is ``'es-ar'`` and ``'es'`` is in :setting:`LANGUAGES` but
+     ``'es-ar'`` isn't.
+ 
++    ``lang_code`` has a maximum accepted length of 500 characters. A
++    :exc:`ValueError` is raised if ``lang_code`` exceeds this limit and
++    ``strict`` is ``True``, or if there is no generic variant and ``strict``
++    is ``False``.
++
+     If ``strict`` is ``False`` (the default), a country-specific variant may
+     be returned when neither the language code nor its generic variant is found.
+     For example, if only ``'es-co'`` is in :setting:`LANGUAGES`, that's
+@@ -1163,6 +1168,11 @@ For a complete discussion on the usage of the following see the
+ 
+     Raises :exc:`LookupError` if nothing is found.
+ 
++   .. versionchanged:: 4.2.13
++
++        In older versions, ``lang_code`` values over 500 characters were
++        processed without raising a :exc:`ValueError`.
++
+ .. function:: to_locale(language)
+ 
+     Turns a language name (en-us) into a locale name (en_US).
+diff --git a/tests/i18n/tests.py b/tests/i18n/tests.py
+index f517c5e..ebd89d7 100644
+--- a/tests/i18n/tests.py
++++ b/tests/i18n/tests.py
+@@ -65,6 +65,7 @@ from django.utils.translation.reloader import (
+     translation_file_changed,
+     watch_for_translation_changes,
+ )
++from django.utils.translation.trans_real import LANGUAGE_CODE_MAX_LENGTH
+ 
+ from .forms import CompanyForm, I18nForm, SelectDateForm
+ from .models import Company, TestModel
+@@ -1888,6 +1889,16 @@ class MiscTests(SimpleTestCase):
+             g("xyz")
+         with self.assertRaises(LookupError):
+             g("xy-zz")
++        msg = "'lang_code' exceeds the maximum accepted length"
++        with self.assertRaises(LookupError):
++            g("x" * LANGUAGE_CODE_MAX_LENGTH)
++        with self.assertRaisesMessage(ValueError, msg):
++            g("x" * (LANGUAGE_CODE_MAX_LENGTH + 1))
++        # 167 * 3 = 501 which is LANGUAGE_CODE_MAX_LENGTH + 1.
++        self.assertEqual(g("en-" * 167), "en")
++        with self.assertRaisesMessage(ValueError, msg):
++            g("en-" * 167, strict=True)
++        self.assertEqual(g("en-" * 30000), "en")  # catastrophic test            
+ 
+     def test_get_supported_language_variant_null(self):
+         g = trans_null.get_supported_language_variant
+-- 
+2.27.0
+
diff --git a/python-django.spec b/python-django.spec
index 725b9c1..b7ddbc3 100644
--- a/python-django.spec
+++ b/python-django.spec
@@ -1,11 +1,12 @@
 %global _empty_manifest_terminate_build 0
 Name:		python-django
 Version:	4.2.13
-Release:	1
+Release:	2
 Summary:	A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
 License:	Apache-2.0 and Python-2.0 and BSD-3-Clause
 URL:		https://www.djangoproject.com/
 Source0:        https://files.pythonhosted.org/packages/source/d/Django/Django-%{version}.tar.gz
+Patch0001:      backport-0001-Fixed-CVE-2024-39614.patch 
 
 BuildArch:	noarch
 %description
@@ -72,6 +73,9 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*
 
 %changelog
+* Thu Jul 11 2024 baiguo <baiguo@kylinos.cn> - 4.2.13-2
+- Fix CVE-2024-39614 
+
 * Mon Jun 03 2024 xu_ping <707078654@qq.com> - 4.2.13-1
 - Upgrade version to 4.2.13
 
-- 
Gitee