Fix CVE-2024-53907

2024-12-09 10:48:17 +08:00 · 2024-12-09 10:48:17 +08:00 · 91e4a39b6a
commit 91e4a39b6a
parent 8553f6f573
2 changed files with 96 additions and 1 deletions
--- a/CVE-2024-53907.patch
+++ b/CVE-2024-53907.patch
@ -0,0 +1,91 @@
+From 790eb058b0716c536a2f2e8d1c6d5079d776c22b Mon Sep 17 00:00:00 2001
+From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
+Date: Wed, 13 Nov 2024 15:06:23 +0100
+Subject: [PATCH] [4.2.x] Fixed CVE-2024-53907 -- Mitigated potential DoS in
+ strip_tags().
+
+Origin: https://github.com/django/django/commit/790eb058b0716c536a2f2e8d1c6d5079d776c22b
+
+Thanks to jiangniao for the report, and Shai Berger and Natalia Bidart
+for the reviews.
+---
+ django/utils/html.py           | 10 ++++++++--
+ tests/utils_tests/test_html.py |  7 +++++++
+ 2 files changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/django/utils/html.py b/django/utils/html.py
+index b3a6122..a8d23ce 100644
+--- a/django/utils/html.py
+++ b/django/utils/html.py
+@@ -12,6 +12,7 @@ from django.utils.functional import Promise, keep_lazy, keep_lazy_text
+ from django.utils.http import RFC3986_GENDELIMS, RFC3986_SUBDELIMS
+ from django.utils.safestring import SafeData, SafeText, mark_safe
+ from django.utils.text import normalize_newlines
+from django.core.exceptions import SuspiciousOperation
+ 
+ # Configuration for urlize() function.
+ TRAILING_PUNCTUATION_CHARS = '.,:;!'
+@@ -34,6 +35,7 @@ _html_escapes = {
+ }
+ 
+ MAX_URL_LENGTH = 2048
+MAX_STRIP_TAGS_DEPTH = 50
+ 
+ 
+ @keep_lazy(str, SafeText)
+@@ -185,15 +187,19 @@ def _strip_once(value):
+ @keep_lazy_text
+ def strip_tags(value):
+     """Return the given HTML with all tags stripped."""
+-    # Note: in typical case this loop executes _strip_once once. Loop condition
+-    # is redundant, but helps to reduce number of executions of _strip_once.
+     value = str(value)
+    # Note: in typical case this loop executes _strip_once twice (the second
+    # execution does not remove any more tags).
+    strip_tags_depth = 0
+     while '<' in value and '>' in value:
+        if strip_tags_depth >= MAX_STRIP_TAGS_DEPTH:
+            raise SuspiciousOperation
+         new_value = _strip_once(value)
+         if value.count('<') == new_value.count('<'):
+             # _strip_once wasn't able to detect more tags.
+             break
+         value = new_value
+        strip_tags_depth += 1
+     return value
+ 
+ 
+diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
+index fdabb63..625511e 100644
+--- a/tests/utils_tests/test_html.py
+++ b/tests/utils_tests/test_html.py
+@@ -8,6 +8,7 @@ from django.utils.html import (
+     linebreaks, smart_urlquote, strip_spaces_between_tags, strip_tags, urlize,
+ )
+ from django.utils.safestring import mark_safe
+from django.core.exceptions import SuspiciousOperation
+ 
+ 
+ class TestUtilsHtml(SimpleTestCase):
+@@ -90,12 +91,18 @@ class TestUtilsHtml(SimpleTestCase):
+             ('<script>alert()</script>&h', 'alert()h'),
+             ('><!' + ('&' * 16000) + 'D', '><!' + ('&' * 16000) + 'D'),
+             ('X<<<<br>br>br>br>X', 'XX'),
+            ("<" * 50 + "a>" * 50, ""),
+         )
+         for value, output in items:
+             with self.subTest(value=value, output=output):
+                 self.check_output(strip_tags, value, output)
+                 self.check_output(strip_tags, lazystr(value), output)
+ 
+    def test_strip_tags_suspicious_operation(self):
+        value = "<" * 51 + "a>" * 51, "<a>"
+        with self.assertRaises(SuspiciousOperation):
+            strip_tags(value)
+
+     def test_strip_tags_files(self):
+         # Test with more lengthy content (also catching performance regressions)
+         for filename in ('strip_tags1.html', 'strip_tags2.txt'):
+-- 
+2.33.0
+
--- a/python-django.spec
+++ b/python-django.spec
@ -1,7 +1,7 @@
 %global _empty_manifest_terminate_build 0
 Name:		python-django
 Version:	2.2.27
-Release:	12
+Release:	13
 Summary:	A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
 License:	Apache-2.0 and Python-2.0 and OFL-1.1 and MIT
 URL:		https://www.djangoproject.com/
@ -36,6 +36,7 @@ Patch17:        CVE-2024-41991.patch
 Patch18:        CVE-2024-42005.patch
 Patch19:        CVE-2024-45230.patch
 Patch20:        CVE-2024-45231.patch
+Patch21:        CVE-2024-53907.patch

 BuildArch:	noarch
 %description
@ -102,6 +103,9 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*

 %changelog
+* Mon Dec 09 2024 wangkai <13474090681@163.com> - 2.2.27-13
+- Fix CVE-2024-53907
+
 * Fri Oct 11 2024 wangkai <13474090681@163.com> - 2.2.27-12
 - Fix CVE-2024-38875 CVE-2024-39329 CVE-2024-39330 CVE-2024-39614 CVE-2024-41989
  CVE-2024-41990 CVE-2024-41991 CVE-2024-42005 CVE-2024-45230 CVE-2024-45231