From 5e0f4e3783c4ec2b4b5da36066c8015bc22002d4 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Mon, 6 Nov 2023 14:40:25 +0800
Subject: [PATCH] Fix CVE-2023-46695

---
 CVE-2023-46695.patch | 62 ++++++++++++++++++++++++++++++++++++++++++++
 python-django.spec | 7 ++++-
 2 files changed, 68 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2023-46695.patch

diff --git a/CVE-2023-46695.patch b/CVE-2023-46695.patch
new file mode 100644
index 0000000..6aa2733
--- /dev/null
+++ b/CVE-2023-46695.patch
@@ -0,0 +1,62 @@ +From f9a7fb8466a7ba4857eaf930099b5258f3eafb2b Mon Sep 17 00:00:00 2001 +From: Mariusz Felisiak +Date: Tue, 17 Oct 2023 11:48:32 +0200 +Subject: [PATCH] [3.2.x] Fixed CVE-2023-46695 -- Fixed potential DoS in + UsernameField on Windows. + +Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report. +--- + django/contrib/auth/forms.py | 10 +++++++++- + tests/auth_tests/test_forms.py | 8 +++++++- + 2 files changed, 16 insertions(+), 2 deletions(-) + +diff --git a/django/contrib/auth/forms.py b/django/contrib/auth/forms.py +index e6f73fe..26d3ca7 100644 +--- a/django/contrib/auth/forms.py ++++ b/django/contrib/auth/forms.py +@@ -68,7 +68,15 @@ class ReadOnlyPasswordHashField(forms.Field): + + class UsernameField(forms.CharField): + def to_python(self, value): +- return unicodedata.normalize('NFKC', super().to_python(value)) ++ value = super().to_python(value) ++ if self.max_length is not None and len(value) > self.max_length: ++ # Normalization can increase the string length (e.g. ++ # "ff" -> "ff", "½" -> "1⁄2") but cannot reduce it, so there is no ++ # point in normalizing invalid data. Moreover, Unicode ++ # normalization is very slow on Windows and can be a DoS attack ++ # vector. 
++ return value ++ return unicodedata.normalize("NFKC", value) + + + class UserCreationForm(forms.ModelForm): +diff --git a/tests/auth_tests/test_forms.py b/tests/auth_tests/test_forms.py +index bed23af..e73d4b8 100644 +--- a/tests/auth_tests/test_forms.py ++++ b/tests/auth_tests/test_forms.py +@@ -6,7 +6,7 @@ from django import forms + from django.contrib.auth.forms import ( + AdminPasswordChangeForm, AuthenticationForm, PasswordChangeForm, + PasswordResetForm, ReadOnlyPasswordHashField, ReadOnlyPasswordHashWidget, +- SetPasswordForm, UserChangeForm, UserCreationForm, ++ SetPasswordForm, UserChangeForm, UserCreationForm, UsernameField, + ) + from django.contrib.auth.models import User + from django.contrib.auth.signals import user_login_failed +@@ -132,6 +132,12 @@ class UserCreationFormTest(TestDataMixin, TestCase): + self.assertNotEqual(user.username, ohm_username) + self.assertEqual(user.username, 'testΩ') # U+03A9 GREEK CAPITAL LETTER OMEGA + ++ def test_invalid_username_no_normalize(self): ++ field = UsernameField(max_length=254) ++ # Usernames are not normalized if they are too long. ++ self.assertEqual(field.to_python("½" * 255), "½" * 255) ++ self.assertEqual(field.to_python("ff" * 254), "ff" * 254) ++ + def test_duplicate_normalized_unicode(self): + """ + To prevent almost identical usernames, visually identical but differing +-- +2.30.0 + diff --git a/python-django.spec b/python-django.spec index 78ff7b7..d5e0241 100644 --- a/python-django.spec +++ b/python-django.spec @@ -1,7 +1,7 @@ %global _empty_manifest_terminate_build 0 Name: python-django Version: 2.2.27 -Release: 8 +Release: 9 Summary: A high-level Python Web framework that encourages rapid development and clean, pragmatic design. License: Apache-2.0 and Python-2.0 and OFL-1.1 and MIT URL: https://www.djangoproject.com/ 
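Review bot: In the added `test_invalid_username_no_normalize` the second assertion reads `self.assertEqual(field.to_python("ff" * 254), "ff" * 254)`, which is a tautology — a 508-character ASCII input already exceeds `max_length=254`, so it is returned untouched with or without the fix; upstream f9a7fb8 uses the U+FB00 ligature, `self.assertEqual(field.to_python("ﬀ" * 254), "ff" * 254)`, so that a 254-character valid input is proven to still be NFKC-expanded, and the same ligature appears flattened in the new comment's `"ff" -> "ff"` example. This may be an artifact of how the page was rendered rather than of the committed file, so compare the bytes of CVE-2023-46695.patch against upstream before building, since a normalized copy silently weakens the test. The comment's claim that normalization "cannot reduce" length is also not strictly true — NFKC composes combining sequences such as `"e\u0301"` into a single code point — so an input that is over-length only in decomposed form is presumably now rejected by the field's max_length validation instead of being normalized; that is the trade-off upstream accepted, but the comment should be qualified, e.g. `# ... and only shrinks it for decomposed sequences, so ...`. Note also that this guard protects only code paths that go through `UsernameField`; `AbstractBaseUser.normalize_username()` (not in this hunk) still normalizes unbounded input, so any other entry point that passes attacker-controlled usernames to the model on Windows is not covered by this backport.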
@@ -19,6 +19,8 @@ Patch5: CVE-2023-36053.patch Patch6: CVE-2023-41164.patch # https://github.com/django/django/commit/ccdade1a0262537868d7ca64374de3d957ca50c5 Patch7: CVE-2023-43665.patch +# https://github.com/django/django/commit/f9a7fb8466a7ba4857eaf930099b5258f3eafb2b +Patch8: CVE-2023-46695.patch BuildArch: noarch %description @@ -85,6 +87,9 @@ mv %{buildroot}/doclist.lst . %{_docdir}/* %changelog +* Mon Nov 06 2023 yaoxin - 2.2.27-9 +- Fix CVE-2023-46695 + * Sun Oct 08 2023 yaoxin - 2.2.27-8 - Fix CVE-2023-43665
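Review bot: `Patch8: CVE-2023-46695.patch` is declared but the `%prep` section is outside this diff, so it cannot be confirmed from the hunk that the patch is actually applied; if `%prep` uses explicit `%patchN -p1` lines rather than `%autosetup -p1` / `%autopatch`, a matching `%patch8 -p1` line is also needed, otherwise Release 9 ships with the CVE still unfixed. Worth confirming in the build log that the `django/contrib/auth/forms.py` hunk applies against 2.2.27 — its removed line `return unicodedata.normalize('NFKC', super().to_python(value))` appears to match the 2.2 code, but the hunk offsets come from the 3.2.x file.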