Fix CVE-2023-41164
(cherry picked from commit f30ea77da991f56f5239a5aea17718b39dd6ef96)
This commit is contained in:
wk333
openeuler-sync-bot
parent
a547fffddf
commit
06ce8131d0
83
CVE-2023-41164.patch
Normal file
83
CVE-2023-41164.patch
Normal file
@ -0,0 +1,83 @@
|
|||||||
|
From 6f030b1149bd8fa4ba90452e77cb3edc095ce54e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Mariusz Felisiak <felisiak.mariusz@gmail.com>
|
||||||
|
Date: Tue, 22 Aug 2023 08:53:03 +0200
|
||||||
|
Subject: [PATCH] [3.2.x] Fixed CVE-2023-41164 -- Fixed potential DoS in
|
||||||
|
django.utils.encoding.uri_to_iri().
|
||||||
|
|
||||||
|
Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
|
||||||
|
|
||||||
|
Refer: https://github.com/django/django/commit/6f030b1149bd8fa4ba90452e77cb3edc095ce54e
|
||||||
|
|
||||||
|
Co-authored-by: nessita <124304+nessita@users.noreply.github.com>
|
||||||
|
---
|
||||||
|
django/utils/encoding.py | 6 ++++--
|
||||||
|
tests/utils_tests/test_encoding.py | 20 +++++++++++++++++++-
|
||||||
|
2 files changed, 23 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/django/utils/encoding.py b/django/utils/encoding.py
|
||||||
|
index 98da647..8744001 100644
|
||||||
|
--- a/django/utils/encoding.py
|
||||||
|
+++ b/django/utils/encoding.py
|
||||||
|
@@ -225,6 +225,7 @@ def repercent_broken_unicode(path):
|
||||||
|
repercent-encode any octet produced that is not part of a strictly legal
|
||||||
|
UTF-8 octet sequence.
|
||||||
|
"""
|
||||||
|
+ changed_parts = []
|
||||||
|
while True:
|
||||||
|
try:
|
||||||
|
path.decode()
|
||||||
|
@@ -232,9 +233,10 @@ def repercent_broken_unicode(path):
|
||||||
|
# CVE-2019-14235: A recursion shouldn't be used since the exception
|
||||||
|
# handling uses massive amounts of memory
|
||||||
|
repercent = quote(path[e.start:e.end], safe=b"/#%[]=:;$&()+,!?*@'~")
|
||||||
|
- path = path[:e.start] + force_bytes(repercent) + path[e.end:]
|
||||||
|
+ changed_parts.append(path[:e.start] + repercent.encode())
|
||||||
|
+ path = path[e.end:]
|
||||||
|
else:
|
||||||
|
- return path
|
||||||
|
+ return b"".join(changed_parts) + path
|
||||||
|
|
||||||
|
|
||||||
|
def filepath_to_uri(path):
|
||||||
|
diff --git a/tests/utils_tests/test_encoding.py b/tests/utils_tests/test_encoding.py
|
||||||
|
index ea7ba5f..4ee6f3f 100644
|
||||||
|
--- a/tests/utils_tests/test_encoding.py
|
||||||
|
+++ b/tests/utils_tests/test_encoding.py
|
||||||
|
@@ -1,8 +1,9 @@
|
||||||
|
import datetime
|
||||||
|
+import inspect
|
||||||
|
import sys
|
||||||
|
import unittest
|
||||||
|
from unittest import mock
|
||||||
|
-from urllib.parse import quote_plus
|
||||||
|
+from urllib.parse import quote, quote_plus
|
||||||
|
|
||||||
|
from django.test import SimpleTestCase
|
||||||
|
from django.utils.encoding import (
|
||||||
|
@@ -99,6 +100,23 @@ class TestEncodingUtils(SimpleTestCase):
|
||||||
|
self.assertEqual(repercent_broken_unicode(data), b'%FC' * sys.getrecursionlimit())
|
||||||
|
except RecursionError:
|
||||||
|
self.fail('Unexpected RecursionError raised.')
|
||||||
|
+ def test_repercent_broken_unicode_small_fragments(self):
|
||||||
|
+ data = b"test\xfctest\xfctest\xfc"
|
||||||
|
+ decoded_paths = []
|
||||||
|
+
|
||||||
|
+ def mock_quote(*args, **kwargs):
|
||||||
|
+ # The second frame is the call to repercent_broken_unicode().
|
||||||
|
+ decoded_paths.append(inspect.currentframe().f_back.f_locals["path"])
|
||||||
|
+ return quote(*args, **kwargs)
|
||||||
|
+
|
||||||
|
+ with mock.patch("django.utils.encoding.quote", mock_quote):
|
||||||
|
+ self.assertEqual(repercent_broken_unicode(data), b"test%FCtest%FCtest%FC")
|
||||||
|
+
|
||||||
|
+ # decode() is called on smaller fragment of the path each time.
|
||||||
|
+ self.assertEqual(
|
||||||
|
+ decoded_paths,
|
||||||
|
+ [b"test\xfctest\xfctest\xfc", b"test\xfctest\xfc", b"test\xfc"],
|
||||||
|
+ )
|
||||||
|
|
||||||
|
|
||||||
|
class TestRFC3987IEncodingUtils(unittest.TestCase):
|
||||||
|
--
|
||||||
|
2.23.0
|
||||||
|
|
||||||
@ -1,7 +1,7 @@
|
|||||||
%global _empty_manifest_terminate_build 0
|
%global _empty_manifest_terminate_build 0
|
||||||
Name: python-django
|
Name: python-django
|
||||||
Version: 2.2.27
|
Version: 2.2.27
|
||||||
Release: 6
|
Release: 7
|
||||||
Summary: A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
|
Summary: A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
|
||||||
License: Apache-2.0 and Python-2.0 and OFL-1.1 and MIT
|
License: Apache-2.0 and Python-2.0 and OFL-1.1 and MIT
|
||||||
URL: https://www.djangoproject.com/
|
URL: https://www.djangoproject.com/
|
||||||
@ -16,6 +16,7 @@ Patch3: CVE-2023-24580.patch
|
|||||||
Patch4: CVE-2023-31047.patch
|
Patch4: CVE-2023-31047.patch
|
||||||
#https://github.com/django/django/commit/454f2fb93437f98917283336201b4048293f7582
|
#https://github.com/django/django/commit/454f2fb93437f98917283336201b4048293f7582
|
||||||
Patch5: CVE-2023-36053.patch
|
Patch5: CVE-2023-36053.patch
|
||||||
|
Patch6: CVE-2023-41164.patch
|
||||||
|
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
%description
|
%description
|
||||||
@ -82,6 +83,9 @@ mv %{buildroot}/doclist.lst .
|
|||||||
%{_docdir}/*
|
%{_docdir}/*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Sep 14 2023 wangkai <13474090681@163.com> - 2.2.27-7
|
||||||
|
- Fix CVE-2023-41164
|
||||||
|
|
||||||
* Mon Jul 17 2023 yaoxin <yao_xin001@hoperun.com> - 2.2.27-6
|
* Mon Jul 17 2023 yaoxin <yao_xin001@hoperun.com> - 2.2.27-6
|
||||||
- Fix CVE-2023-36053
|
- Fix CVE-2023-36053
|
||||||
|
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user