From d666219e69d70e49967e6febeab969c2244d762c Mon Sep 17 00:00:00 2001 From: starlet-dx <15929766099@163.com> Date: Mon, 17 Jul 2023 11:08:16 +0800 Subject: [PATCH] Fix CVE-2023-36053 (cherry picked from commit e0207cf3e3517d0520e1c3e82c554881331af03e) --- CVE-2023-36053.patch | 244 +++++++++++++++++++++++++++++++++++++++++++ python-django.spec | 6 +- 2 files changed, 249 insertions(+), 1 deletion(-) create mode 100644 CVE-2023-36053.patch diff --git a/CVE-2023-36053.patch b/CVE-2023-36053.patch new file mode 100644 index 0000000..e0dc2ae --- /dev/null +++ b/CVE-2023-36053.patch @@ -0,0 +1,244 @@ +From 454f2fb93437f98917283336201b4048293f7582 Mon Sep 17 00:00:00 2001 +From: Mariusz Felisiak +Date: Wed, 14 Jun 2023 12:23:06 +0200 +Subject: [PATCH] [3.2.x] Fixed CVE-2023-36053 -- Prevented potential ReDoS in + EmailValidator and URLValidator. + +Thanks Seokchan Yoon for reports. +--- + django/core/validators.py | 7 ++++-- + django/forms/fields.py | 3 +++ + docs/ref/forms/fields.txt | 7 +++++- + docs/ref/validators.txt | 25 ++++++++++++++++++- + docs/releases/3.2.20.txt | 7 +++++- + .../field_tests/test_emailfield.py | 5 +++- + tests/forms_tests/tests/test_forms.py | 19 +++++++++----- + tests/validators/tests.py | 11 ++++++++ + 8 files changed, 72 insertions(+), 12 deletions(-) + +diff --git a/django/core/validators.py b/django/core/validators.py +index 731ccf2d4690..b9b58dfa6176 100644 +--- a/django/core/validators.py ++++ b/django/core/validators.py +@@ -93,6 +93,7 @@ class URLValidator(RegexValidator): + message = _('Enter a valid URL.') + schemes = ['http', 'https', 'ftp', 'ftps'] + unsafe_chars = frozenset('\t\r\n') ++ max_length = 2048 + + def __init__(self, schemes=None, **kwargs): + super().__init__(**kwargs) +@@ -100,7 +101,7 @@ def __init__(self, schemes=None, **kwargs): + self.schemes = schemes + + def __call__(self, value): +- if not isinstance(value, str): ++ if not isinstance(value, str) or len(value) > self.max_length: + raise ValidationError(self.message, code=self.code, params={'value': value}) + if self.unsafe_chars.intersection(value): + raise ValidationError(self.message, code=self.code, params={'value': value}) +@@ -210,7 +211,9 @@ def __init__(self, message=None, code=None, allowlist=None, *, whitelist=None): + self.domain_allowlist = allowlist + + def __call__(self, value): +- if not value or '@' not in value: ++ # The maximum length of an email is 320 characters per RFC 3696 ++ # section 3. ++ if not value or '@' not in value or len(value) > 320: + raise ValidationError(self.message, code=self.code, params={'value': value}) + + user_part, domain_part = value.rsplit('@', 1) +diff --git a/django/forms/fields.py b/django/forms/fields.py +index 0214d60c1cf1..8adb09e38294 100644 +--- a/django/forms/fields.py ++++ b/django/forms/fields.py +@@ -540,6 +540,9 @@ class EmailField(CharField): + default_validators = [validators.validate_email] + + def __init__(self, **kwargs): ++ # The default maximum length of an email is 320 characters per RFC 3696 ++ # section 3. ++ kwargs.setdefault("max_length", 320) + super().__init__(strip=True, **kwargs) + + +diff --git a/docs/ref/forms/fields.txt b/docs/ref/forms/fields.txt +index 9438214a28ce..5b485f215384 100644 +--- a/docs/ref/forms/fields.txt ++++ b/docs/ref/forms/fields.txt +@@ -592,7 +592,12 @@ For each field, we describe the default widget used if you don't specify + * Error message keys: ``required``, ``invalid`` + + Has three optional arguments ``max_length``, ``min_length``, and +- ``empty_value`` which work just as they do for :class:`CharField`. ++ ``empty_value`` which work just as they do for :class:`CharField`. The ++ ``max_length`` argument defaults to 320 (see :rfc:`3696#section-3`). ++ ++ .. versionchanged:: 3.2.20 ++ ++ The default value for ``max_length`` was changed to 320 characters. + + ``FileField`` + ------------- +diff --git a/docs/ref/validators.txt b/docs/ref/validators.txt +index 50761e5a425c..b22762b17b93 100644 +--- a/docs/ref/validators.txt ++++ b/docs/ref/validators.txt +@@ -130,6 +130,11 @@ to, or in lieu of custom ``field.clean()`` methods. + :param code: If not ``None``, overrides :attr:`code`. + :param allowlist: If not ``None``, overrides :attr:`allowlist`. + ++ An :class:`EmailValidator` ensures that a value looks like an email, and ++ raises a :exc:`~django.core.exceptions.ValidationError` with ++ :attr:`message` and :attr:`code` if it doesn't. Values longer than 320 ++ characters are always considered invalid. ++ + .. attribute:: message + + The error message used by +@@ -158,13 +163,19 @@ to, or in lieu of custom ``field.clean()`` methods. + The undocumented ``domain_whitelist`` attribute is deprecated. Use + ``domain_allowlist`` instead. + ++ .. versionchanged:: 3.2.20 ++ ++ In older versions, values longer than 320 characters could be ++ considered valid. ++ + ``URLValidator`` + ---------------- + + .. class:: URLValidator(schemes=None, regex=None, message=None, code=None) + + A :class:`RegexValidator` subclass that ensures a value looks like a URL, +- and raises an error code of ``'invalid'`` if it doesn't. ++ and raises an error code of ``'invalid'`` if it doesn't. Values longer than ++ :attr:`max_length` characters are always considered invalid. + + Loopback addresses and reserved IP spaces are considered valid. Literal + IPv6 addresses (:rfc:`3986#section-3.2.2`) and Unicode domains are both +@@ -181,6 +192,18 @@ to, or in lieu of custom ``field.clean()`` methods. + + .. _valid URI schemes: https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml + ++ .. attribute:: max_length ++ ++ .. versionadded:: 3.2.20 ++ ++ The maximum length of values that could be considered valid. Defaults ++ to 2048 characters. ++ ++ .. versionchanged:: 3.2.20 ++ ++ In older versions, values longer than 2048 characters could be ++ considered valid. ++ + ``validate_email`` + ------------------ + +diff --git a/tests/forms_tests/field_tests/test_emailfield.py b/tests/forms_tests/field_tests/test_emailfield.py +index 8b85e4dcc144..19d315205d7e 100644 +--- a/tests/forms_tests/field_tests/test_emailfield.py ++++ b/tests/forms_tests/field_tests/test_emailfield.py +@@ -9,7 +9,10 @@ class EmailFieldTest(FormFieldAssertionsMixin, SimpleTestCase): + + def test_emailfield_1(self): + f = EmailField() +- self.assertWidgetRendersTo(f, '') ++ self.assertEqual(f.max_length, 320) ++ self.assertWidgetRendersTo( ++ f, '' ++ ) + with self.assertRaisesMessage(ValidationError, "'This field is required.'"): + f.clean('') + with self.assertRaisesMessage(ValidationError, "'This field is required.'"): +diff --git a/tests/forms_tests/tests/test_forms.py b/tests/forms_tests/tests/test_forms.py +index 26f8ecafea44..82a32af403a0 100644 +--- a/tests/forms_tests/tests/test_forms.py ++++ b/tests/forms_tests/tests/test_forms.py +@@ -422,11 +422,18 @@ class SignupForm(Form): + get_spam = BooleanField() + + f = SignupForm(auto_id=False) +- self.assertHTMLEqual(str(f['email']), '') ++ self.assertHTMLEqual( ++ str(f["email"]), ++ '', ++ ) + self.assertHTMLEqual(str(f['get_spam']), '') + + f = SignupForm({'email': 'test@example.com', 'get_spam': True}, auto_id=False) +- self.assertHTMLEqual(str(f['email']), '') ++ self.assertHTMLEqual( ++ str(f["email"]), ++ '", ++ ) + self.assertHTMLEqual( + str(f['get_spam']), + '', +@@ -2824,7 +2831,7 @@ class Person(Form): + + + +-
    • ++
    • +
  • +
    • """ + ) +@@ -2840,7 +2847,7 @@ class Person(Form): + + +

    +-

    ++

    + +

    +

    """ +@@ -2859,7 +2866,7 @@ class Person(Form): + + + +- ++ + + + """ +@@ -3489,7 +3496,7 @@ class CommentForm(Form): + f = CommentForm(data, auto_id=False, error_class=DivErrorList) + self.assertHTMLEqual(f.as_p(), """

    Name:

    +
    Enter a valid email address.
    +-

    Email:

    ++

    Email:

    +
    This field is required.
    +

    Comment:

    """) + +diff --git a/tests/validators/tests.py b/tests/validators/tests.py +index e39d0e3a1cef..1065727a974e 100644 +--- a/tests/validators/tests.py ++++ b/tests/validators/tests.py +@@ -59,6 +59,7 @@ + + (validate_email, 'example@atm.%s' % ('a' * 64), ValidationError), + (validate_email, 'example@%s.atm.%s' % ('b' * 64, 'a' * 63), ValidationError), ++ (validate_email, "example@%scom" % (("a" * 63 + ".") * 100), ValidationError), + (validate_email, None, ValidationError), + (validate_email, '', ValidationError), + (validate_email, 'abc', ValidationError), +@@ -246,6 +247,16 @@ + (URLValidator(), None, ValidationError), + (URLValidator(), 56, ValidationError), + (URLValidator(), 'no_scheme', ValidationError), ++ ( ++ URLValidator(), ++ "http://example." + ("a" * 63 + ".") * 1000 + "com", ++ ValidationError, ++ ), ++ ( ++ URLValidator(), ++ "http://userid:password" + "d" * 2000 + "@example.aaaaaaaaaaaaa.com", ++ None, ++ ), + # Newlines and tabs are not accepted. + (URLValidator(), 'http://www.djangoproject.com/\n', ValidationError), + (URLValidator(), 'http://[::ffff:192.9.5.5]\n', ValidationError), diff --git a/python-django.spec b/python-django.spec index f06de97..ee128ae 100644 --- a/python-django.spec +++ b/python-django.spec @@ -1,7 +1,7 @@ %global _empty_manifest_terminate_build 0 Name: python-django Version: 3.2.12 -Release: 4 +Release: 5 Summary: A high-level Python Web framework that encourages rapid development and clean, pragmatic design. License: Apache-2.0 and Python-2.0 and BSD-3-Clause URL: https://www.djangoproject.com/ @@ -13,6 +13,7 @@ Patch1: backport-CVE-2022-36359.patch Patch2: CVE-2023-23969.patch Patch3: CVE-2023-24580.patch Patch4: CVE-2023-31047.patch +Patch5: CVE-2023-36053.patch BuildArch: noarch %description @@ -79,6 +80,9 @@ mv %{buildroot}/doclist.lst . %{_docdir}/* %changelog +* Mon Jul 17 2023 yaoxin - 3.2.12-5 +- Fix CVE-2023-36053 + * Tue May 16 2023 yaoxin - 3.2.12-4 - Fix CVE-2023-31047 -- Gitee