From 362bc05cf021bb5395638e227a5124bf0ea08225 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Mon, 13 Feb 2023 19:40:11 +0800
Subject: [PATCH] Fix CVE-2023-23969

(cherry picked from commit f7287528475fe3fca17f096326e5dcda50d84d1c)
---
 CVE-2023-23969.patch | 100 +++++++++++++++++++++++++++++++++++++++++++
 python-django.spec   |   6 ++-
 2 files changed, 105 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2023-23969.patch

diff --git a/CVE-2023-23969.patch b/CVE-2023-23969.patch
new file mode 100644
index 0000000..2d73ffa
--- /dev/null
+++ b/CVE-2023-23969.patch
@@ -0,0 +1,100 @@
+From ffde9b888863f30c62c728c6f9538a09d7396ed9 Mon Sep 17 00:00:00 2001
+From: starlet-dx <15929766099@163.com>
+Date: Mon, 13 Feb 2023 19:26:27 +0800
+Subject: [PATCH 1/1] [4.1.x] Fixed CVE-2023-23969 -- Prevented DoS with pathological values for Accept-Language.
+
+The parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.
+
+Accept-Language headers are now limited to a maximum length in order to
+avoid this issue.
+---
+ django/utils/translation/trans_real.py | 31 +++++++++++++++++++++++++-
+ tests/i18n/tests.py                    | 12 ++++++++++
+ 2 files changed, 42 insertions(+), 1 deletion(-)
+
+diff --git a/django/utils/translation/trans_real.py b/django/utils/translation/trans_real.py
+index 423f30e..2974cc6 100644
+--- a/django/utils/translation/trans_real.py
++++ b/django/utils/translation/trans_real.py
+@@ -30,6 +30,11 @@ _default = None
+ # magic gettext number to separate context from message
+ CONTEXT_SEPARATOR = "\x04"
+ 
++# Maximum number of characters that will be parsed from the Accept-Language
++# header to prevent possible denial of service or memory exhaustion attacks.
++# About 10x longer than the longest value shown on MDN’s Accept-Language page.
++ACCEPT_LANGUAGE_HEADER_MAX_LENGTH = 500
++
+ # Format of Accept-Language header values. From RFC 2616, section 14.4 and 3.9
+ # and RFC 3066, section 2.1
+ accept_language_re = _lazy_re_compile(
+@@ -586,7 +591,7 @@ def get_language_from_request(request, check_path=False):
+ 
+ 
+ @functools.lru_cache(maxsize=1000)
+-def parse_accept_lang_header(lang_string):
++def _parse_accept_lang_header(lang_string):
+     """
+     Parse the lang_string, which is the body of an HTTP Accept-Language
+     header, and return a tuple of (lang, q-value), ordered by 'q' values.
+@@ -608,3 +613,27 @@ def parse_accept_lang_header(lang_string):
+         result.append((lang, priority))
+     result.sort(key=lambda k: k[1], reverse=True)
+     return tuple(result)
++
++
++def parse_accept_lang_header(lang_string):
++    """
++    Parse the value of the Accept-Language header up to a maximum length.
++
++    The value of the header is truncated to a maximum length to avoid potential
++    denial of service and memory exhaustion attacks. Excessive memory could be
++    used if the raw value is very large as it would be cached due to the use of
++    functools.lru_cache() to avoid repetitive parsing of common header values.
++    """
++    # If the header value doesn't exceed the maximum allowed length, parse it.
++    if len(lang_string) <= ACCEPT_LANGUAGE_HEADER_MAX_LENGTH:
++        return _parse_accept_lang_header(lang_string)
++
++    # If there is at least one comma in the value, parse up to the last comma
++    # before the max length, skipping any truncated parts at the end of the
++    # header value.
++    if (index := lang_string.rfind(",", 0, ACCEPT_LANGUAGE_HEADER_MAX_LENGTH)) > 0:
++        return _parse_accept_lang_header(lang_string[:index])
++
++    # Don't attempt to parse if there is only one language-range value which is
++    # longer than the maximum allowed length and so truncated.
++    return ()
+diff --git a/tests/i18n/tests.py b/tests/i18n/tests.py
+index 40fc306..b361a84 100644
+--- a/tests/i18n/tests.py
++++ b/tests/i18n/tests.py
+@@ -1730,6 +1730,14 @@ class MiscTests(SimpleTestCase):
+             ("de;q=0.", [("de", 0.0)]),
+             ("en; q=1,", [("en", 1.0)]),
+             ("en; q=1.0, * ; q=0.5", [("en", 1.0), ("*", 0.5)]),
++            (
++                "en" + "-x" * 20,
++                [("en-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x", 1.0)],
++            ),
++            (
++                ", ".join(["en; q=1.0"] * 20),
++                [("en", 1.0)] * 20,
++            ),
+             # Bad headers
+             ("en-gb;q=1.0000", []),
+             ("en;q=0.1234", []),
+@@ -1746,6 +1754,10 @@ class MiscTests(SimpleTestCase):
+             ("", []),
+             ("en;q=1e0", []),
+             ("en-au;q=１.０", []),
++            # Invalid as language-range value too long.
++            ("xxxxxxxx" + "-xxxxxxxx" * 500, []),
++            # Header value too long, only parse up to limit.
++            (", ".join(["en; q=1.0"] * 500), [("en", 1.0)] * 45),
+         ]
+         for value, expected in tests:
+             with self.subTest(value=value):
+-- 
+2.30.0
+
diff --git a/python-django.spec b/python-django.spec
index b1ce8d6..00275f2 100644
--- a/python-django.spec
+++ b/python-django.spec
@@ -1,13 +1,14 @@
 %global _empty_manifest_terminate_build 0
 Name:		python-django
 Version:	4.1.4
-Release:	1
+Release:	2
 Summary:	A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
 License:	Apache-2.0 and Python-2.0 and BSD-3-Clause
 URL:		https://www.djangoproject.com/
 Source0:	https://github.com/django/django/archive/refs/tags/4.1.4.tar.gz
 #https://github.com/django/django/commit/a9010fe5555e6086a9d9ae50069579400ef0685e
 Patch0:         CVE-2022-34265.patch
+Patch1:         CVE-2023-23969.patch
 
 
 BuildArch:	noarch
@@ -75,6 +76,9 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*
 
 %changelog
+* Mon Feb 13 2023 yaoxin <yaoxin30@h-partners.com> - 4.1.4-2
+- Fix CVE-2023-23969
+
 * Fri Dec 09 2022 chendexi <chendexi@kylinos.cn> - 4.1.4-1
 - Upgrade package to version 4.1.4
 
-- 
Gitee