From 5c6047815af41c5c26f2682460d051618c2f93c7 Mon Sep 17 00:00:00 2001 From: starlet-dx <15929766099@163.com> Date: Sun, 8 Oct 2023 10:55:50 +0800 Subject: [PATCH] Fix CVE-2023-43665 (cherry picked from commit 86a4a68acac178bf6f8f43cf6b2a4d41355b9047) (cherry picked from commit b7c86f0e0c5b3074449e32ec6053d7d3e026b1e6) --- CVE-2023-43665.patch | 168 +++++++++++++++++++++++++++++++++++++++++++ python-django.spec | 7 +- 2 files changed, 174 insertions(+), 1 deletion(-) create mode 100644 CVE-2023-43665.patch diff --git a/CVE-2023-43665.patch b/CVE-2023-43665.patch new file mode 100644 index 0000000..bf85fd7 --- /dev/null +++ b/CVE-2023-43665.patch @@ -0,0 +1,168 @@ +From ccdade1a0262537868d7ca64374de3d957ca50c5 Mon Sep 17 00:00:00 2001 +From: Natalia <124304+nessita@users.noreply.github.com> +Date: Tue, 19 Sep 2023 09:51:48 -0300 +Subject: [PATCH] [3.2.x] Fixed CVE-2023-43665 -- Mitigated potential DoS in + django.utils.text.Truncator when truncating HTML text. + +Thanks Wenchao Li of Alibaba Group for the report. + +Origin: +https://github.com/django/django/commit/ccdade1a0262537868d7ca64374de3d957ca50c5 +--- + django/utils/text.py | 18 ++++++++++++++++- + docs/ref/templates/builtins.txt | 20 +++++++++++++++++++ + tests/utils_tests/test_text.py | 35 ++++++++++++++++++++++++--------- + 3 files changed, 63 insertions(+), 10 deletions(-) + +diff --git a/django/utils/text.py b/django/utils/text.py +index 1fae7b2..06a377b 100644 +--- a/django/utils/text.py ++++ b/django/utils/text.py +@@ -57,7 +57,14 @@ def wrap(text, width): + class Truncator(SimpleLazyObject): + """ + An object used to truncate text, either by characters or words. ++ ++ When truncating HTML text (either chars or words), input will be limited to ++ at most `MAX_LENGTH_HTML` characters. + """ ++ ++ # 5 million characters are approximately 4000 text pages or 3 web pages. ++ MAX_LENGTH_HTML = 5_000_000 ++ + def __init__(self, text): + super().__init__(lambda: str(text)) + +@@ -154,6 +161,11 @@ class Truncator(SimpleLazyObject): + if words and length <= 0: + return '' + ++ size_limited = False ++ if len(text) > self.MAX_LENGTH_HTML: ++ text = text[: self.MAX_LENGTH_HTML] ++ size_limited = True ++ + html4_singlets = ( + 'br', 'col', 'link', 'base', 'img', + 'param', 'area', 'hr', 'input' +@@ -203,10 +215,14 @@ class Truncator(SimpleLazyObject): + # Add it to the start of the open tags list + open_tags.insert(0, tagname) + ++ truncate_text = self.add_truncation_text("", truncate) ++ + if current_len <= length: ++ if size_limited and truncate_text: ++ text += truncate_text + return text ++ + out = text[:end_text_pos] +- truncate_text = self.add_truncation_text('', truncate) + if truncate_text: + out += truncate_text + # Close any tags still open +diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt +index c4b0fa3..886d24e 100644 +--- a/docs/ref/templates/builtins.txt ++++ b/docs/ref/templates/builtins.txt +@@ -2318,6 +2318,16 @@ If ``value`` is ``"

Joel is a slug

"``, the output will be + + Newlines in the HTML content will be preserved. + ++.. admonition:: Size of input string ++ ++ Processing large, potentially malformed HTML strings can be ++ resource-intensive and impact service performance. ``truncatechars_html`` ++ limits input to the first five million characters. ++ ++.. versionchanged:: 3.2.22 ++ ++ In older versions, strings over five million characters were processed. ++ + .. templatefilter:: truncatewords + + ``truncatewords`` +@@ -2356,6 +2366,16 @@ If ``value`` is ``"

Joel is a slug

"``, the output will be + + Newlines in the HTML content will be preserved. + ++.. admonition:: Size of input string ++ ++ Processing large, potentially malformed HTML strings can be ++ resource-intensive and impact service performance. ``truncatewords_html`` ++ limits input to the first five million characters. ++ ++.. versionchanged:: 3.2.22 ++ ++ In older versions, strings over five million characters were processed. ++ + .. templatefilter:: unordered_list + + ``unordered_list`` +diff --git a/tests/utils_tests/test_text.py b/tests/utils_tests/test_text.py +index 27e440b..cb3063d 100644 +--- a/tests/utils_tests/test_text.py ++++ b/tests/utils_tests/test_text.py +@@ -1,5 +1,6 @@ + import json + import sys ++from unittest.mock import patch + + from django.core.exceptions import SuspiciousFileOperation + from django.test import SimpleTestCase +@@ -87,11 +88,17 @@ class TestUtilsText(SimpleTestCase): + # lazy strings are handled correctly + self.assertEqual(text.Truncator(lazystr('The quick brown fox')).chars(10), 'The quick…') + +- def test_truncate_chars_html(self): ++ @patch("django.utils.text.Truncator.MAX_LENGTH_HTML", 10_000) ++ def test_truncate_chars_html_size_limit(self): ++ max_len = text.Truncator.MAX_LENGTH_HTML ++ bigger_len = text.Truncator.MAX_LENGTH_HTML + 1 ++ valid_html = "

Joel is a slug

" # 14 chars + perf_test_values = [ +- (('', None), +- ('&' * 50000, '&' * 9 + '…'), +- ('_X<<<<<<<<<<<>', None), ++ ("", None), ++ ("", "", None), ++ (valid_html * bigger_len, "

Joel is a…

"), # 10 chars + ] + for value, expected in perf_test_values: + with self.subTest(value=value): +@@ -149,15 +156,25 @@ class TestUtilsText(SimpleTestCase): + truncator = text.Truncator('

I <3 python, what about you?

') + self.assertEqual('

I <3 python,…

', truncator.words(3, html=True)) + ++ @patch("django.utils.text.Truncator.MAX_LENGTH_HTML", 10_000) ++ def test_truncate_words_html_size_limit(self): ++ max_len = text.Truncator.MAX_LENGTH_HTML ++ bigger_len = text.Truncator.MAX_LENGTH_HTML + 1 ++ valid_html = "

Joel is a slug

" # 4 words + perf_test_values = [ +- ('', +- '&' * 50000, +- '_X<<<<<<<<<<<>', ++ ("", None), ++ ("", "", None), ++ (valid_html * bigger_len, valid_html * 12 + "

Joel is…

"), # 50 words + ] +- for value in perf_test_values: ++ for value, expected in perf_test_values: + with self.subTest(value=value): + truncator = text.Truncator(value) +- self.assertEqual(value, truncator.words(50, html=True)) ++ self.assertEqual( ++ expected if expected else value, truncator.words(50, html=True) ++ ) + + def test_wrap(self): + digits = '1234 67 9' +-- +2.30.0 + diff --git a/python-django.spec b/python-django.spec index f9477ec..78ff7b7 100644 --- a/python-django.spec +++ b/python-django.spec @@ -1,7 +1,7 @@ %global _empty_manifest_terminate_build 0 Name: python-django Version: 2.2.27 -Release: 7 +Release: 8 Summary: A high-level Python Web framework that encourages rapid development and clean, pragmatic design. License: Apache-2.0 and Python-2.0 and OFL-1.1 and MIT URL: https://www.djangoproject.com/ @@ -17,6 +17,8 @@ Patch4: CVE-2023-31047.patch #https://github.com/django/django/commit/454f2fb93437f98917283336201b4048293f7582 Patch5: CVE-2023-36053.patch Patch6: CVE-2023-41164.patch +# https://github.com/django/django/commit/ccdade1a0262537868d7ca64374de3d957ca50c5 +Patch7: CVE-2023-43665.patch BuildArch: noarch %description @@ -83,6 +85,9 @@ mv %{buildroot}/doclist.lst . %{_docdir}/* %changelog +* Sun Oct 08 2023 yaoxin - 2.2.27-8 +- Fix CVE-2023-43665 + * Thu Sep 14 2023 wangkai <13474090681@163.com> - 2.2.27-7 - Fix CVE-2023-41164