diff --git a/CVE-2023-41164.patch b/CVE-2023-41164.patch new file mode 100644 index 0000000000000000000000000000000000000000..ad4bd06c8699a093321834ef337f6cbfae1dd30e --- /dev/null +++ b/CVE-2023-41164.patch @@ -0,0 +1,83 @@ +From 6f030b1149bd8fa4ba90452e77cb3edc095ce54e Mon Sep 17 00:00:00 2001 +From: Mariusz Felisiak +Date: Tue, 22 Aug 2023 08:53:03 +0200 +Subject: [PATCH] [3.2.x] Fixed CVE-2023-41164 -- Fixed potential DoS in + django.utils.encoding.uri_to_iri(). + +Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report. + +Origin: https://github.com/django/django/commit/6f030b1149bd8fa4ba90452e77cb3edc095ce54e + +Co-authored-by: nessita <124304+nessita@users.noreply.github.com> +--- + django/utils/encoding.py | 6 ++++-- + docs/releases/3.2.21.txt | 7 ++++++- + tests/utils_tests/test_encoding.py | 21 ++++++++++++++++++++- + 3 files changed, 30 insertions(+), 4 deletions(-) + +diff --git a/django/utils/encoding.py b/django/utils/encoding.py +index e1ebacef4705..c5c4463b1c22 100644 +--- a/django/utils/encoding.py ++++ b/django/utils/encoding.py +@@ -229,6 +229,7 @@ def repercent_broken_unicode(path): + repercent-encode any octet produced that is not part of a strictly legal + UTF-8 octet sequence. + """ ++ changed_parts = [] + while True: + try: + path.decode() +@@ -236,9 +237,10 @@ def repercent_broken_unicode(path): + # CVE-2019-14235: A recursion shouldn't be used since the exception + # handling uses massive amounts of memory + repercent = quote(path[e.start:e.end], safe=b"/#%[]=:;$&()+,!?*@'~") +- path = path[:e.start] + repercent.encode() + path[e.end:] ++ changed_parts.append(path[:e.start] + repercent.encode()) ++ path = path[e.end:] + else: +- return path ++ return b"".join(changed_parts) + path + + + def filepath_to_uri(path): +diff --git a/tests/utils_tests/test_encoding.py b/tests/utils_tests/test_encoding.py +index 36f2d8665f3c..42779050cb3a 100644 +--- a/tests/utils_tests/test_encoding.py ++++ b/tests/utils_tests/test_encoding.py +@@ -1,9 +1,10 @@ + import datetime ++import inspect + import sys + import unittest + from pathlib import Path + from unittest import mock +-from urllib.parse import quote_plus ++from urllib.parse import quote, quote_plus + + from django.test import SimpleTestCase + from django.utils.encoding import ( +@@ -101,6 +102,24 @@ def test_repercent_broken_unicode_recursion_error(self): + except RecursionError: + self.fail('Unexpected RecursionError raised.') + ++ def test_repercent_broken_unicode_small_fragments(self): ++ data = b"test\xfctest\xfctest\xfc" ++ decoded_paths = [] ++ ++ def mock_quote(*args, **kwargs): ++ # The second frame is the call to repercent_broken_unicode(). ++ decoded_paths.append(inspect.currentframe().f_back.f_locals["path"]) ++ return quote(*args, **kwargs) ++ ++ with mock.patch("django.utils.encoding.quote", mock_quote): ++ self.assertEqual(repercent_broken_unicode(data), b"test%FCtest%FCtest%FC") ++ ++ # decode() is called on smaller fragment of the path each time. ++ self.assertEqual( ++ decoded_paths, ++ [b"test\xfctest\xfctest\xfc", b"test\xfctest\xfc", b"test\xfc"], ++ ) ++ + + class TestRFC3987IEncodingUtils(unittest.TestCase): + diff --git a/python-django.spec b/python-django.spec index ee128ae6883497018665bfd4d226f13d77643e20..e125e40b024d9cdc1f0e6365a17fb66a05df9a26 100644 --- a/python-django.spec +++ b/python-django.spec @@ -1,7 +1,7 @@ %global _empty_manifest_terminate_build 0 Name: python-django Version: 3.2.12 -Release: 5 +Release: 6 Summary: A high-level Python Web framework that encourages rapid development and clean, pragmatic design. License: Apache-2.0 and Python-2.0 and BSD-3-Clause URL: https://www.djangoproject.com/ @@ -14,6 +14,7 @@ Patch2: CVE-2023-23969.patch Patch3: CVE-2023-24580.patch Patch4: CVE-2023-31047.patch Patch5: CVE-2023-36053.patch +Patch6: CVE-2023-41164.patch BuildArch: noarch %description @@ -80,6 +81,9 @@ mv %{buildroot}/doclist.lst . %{_docdir}/* %changelog +* Thu Sep 14 2023 wangkai <13474090681@163.com> - 3.2.12-6 +- Fix CVE-2023-41164 + * Mon Jul 17 2023 yaoxin - 3.2.12-5 - Fix CVE-2023-36053