!37 [sync] PR-35: Fix CVE-2023-23969

From: @openeuler-sync-bot Reviewed-by: @cherry530 Signed-off-by: @cherry530
2023-02-14 01:31:19 +00:00 · 2023-02-14 01:31:19 +00:00 · c0c4b6943d
commit c0c4b6943d
parent dbffb922fb 08b114f54c
2 changed files with 105 additions and 1 deletions
--- a/CVE-2023-23969.patch
+++ b/CVE-2023-23969.patch
@ -0,0 +1,100 @@
+From 9c679aa0189c11bfe62e136380960247af77df18 Mon Sep 17 00:00:00 2001
+From: starlet-dx <15929766099@163.com>
+Date: Mon, 13 Feb 2023 20:10:27 +0800
+Subject: [PATCH 1/1] [3.2.x] Fixed CVE-2023-23969 -- Prevented DoS with pathologi cal values for Accept-Language.
+
+The parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.
+
+Accept-Language headers are now limited to a maximum length in order to avoid this issue.
+---
+ django/utils/translation/trans_real.py | 32 +++++++++++++++++++++++++-
+ tests/i18n/tests.py                    | 12 ++++++++++
+ 2 files changed, 43 insertions(+), 1 deletion(-)
+
+diff --git a/django/utils/translation/trans_real.py b/django/utils/translation/trans_real.py
+index 486b2b2..ecd701f 100644
+--- a/django/utils/translation/trans_real.py
+++ b/django/utils/translation/trans_real.py
+@@ -29,6 +29,11 @@ _default = None
+ # magic gettext number to separate context from message
+ CONTEXT_SEPARATOR = "\x04"
+ 
+# Maximum number of characters that will be parsed from the Accept-Language
+# header to prevent possible denial of service or memory exhaustion attacks.
+# About 10x longer than the longest value shown on MDN’s Accept-Language page.
+ACCEPT_LANGUAGE_HEADER_MAX_LENGTH = 500
+
+ # Format of Accept-Language header values. From RFC 2616, section 14.4 and 3.9
+ # and RFC 3066, section 2.1
+ accept_language_re = re.compile(r'''
+@@ -560,7 +565,7 @@ def get_language_from_request(request, check_path=False):
+ 
+ 
+ @functools.lru_cache(maxsize=1000)
+-def parse_accept_lang_header(lang_string):
+def _parse_accept_lang_header(lang_string):
+     """
+     Parse the lang_string, which is the body of an HTTP Accept-Language
+     header, and return a tuple of (lang, q-value), ordered by 'q' values.
+@@ -582,3 +587,28 @@ def parse_accept_lang_header(lang_string):
+         result.append((lang, priority))
+     result.sort(key=lambda k: k[1], reverse=True)
+     return tuple(result)
+
+
+def parse_accept_lang_header(lang_string):
+    """
+    Parse the value of the Accept-Language header up to a maximum length.
+
+    The value of the header is truncated to a maximum length to avoid potential
+    denial of service and memory exhaustion attacks. Excessive memory could be
+    used if the raw value is very large as it would be cached due to the use of
+    functools.lru_cache() to avoid repetitive parsing of common header values.
+    """
+    # If the header value doesn't exceed the maximum allowed length, parse it.
+    if len(lang_string) <= ACCEPT_LANGUAGE_HEADER_MAX_LENGTH:
+        return _parse_accept_lang_header(lang_string)
+
+    # If there is at least one comma in the value, parse up to the last comma
+    # before the max length, skipping any truncated parts at the end of the
+    # header value.
+    index = lang_string.rfind(",", 0, ACCEPT_LANGUAGE_HEADER_MAX_LENGTH)
+    if index > 0:
+        return _parse_accept_lang_header(lang_string[:index])
+
+    # Don't attempt to parse if there is only one language-range value which is
+    # longer than the maximum allowed length and so truncated.
+    return ()
+diff --git a/tests/i18n/tests.py b/tests/i18n/tests.py
+index 7381cb9..6efc3a5 100644
+--- a/tests/i18n/tests.py
+++ b/tests/i18n/tests.py
+@@ -1282,6 +1282,14 @@ class MiscTests(SimpleTestCase):
+             ('de;q=0.', [('de', 0.0)]),
+             ('en; q=1,', [('en', 1.0)]),
+             ('en; q=1.0, * ; q=0.5', [('en', 1.0), ('*', 0.5)]),
+            (
+                'en' + '-x' * 20,
+                [('en-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x', 1.0)],
+            ),
+            (
+                ', '.join(['en; q=1.0'] * 20),
+                [('en', 1.0)] * 20,
+            ),
+             # Bad headers
+             ('en-gb;q=1.0000', []),
+             ('en;q=0.1234', []),
+@@ -1297,6 +1305,10 @@ class MiscTests(SimpleTestCase):
+             ('12-345', []),
+             ('', []),
+             ('en;q=1e0', []),
+            # Invalid as language-range value too long.
+            ('xxxxxxxx' + '-xxxxxxxx' * 500, []),
+            # Header value too long, only parse up to limit.
+            (', '.join(['en; q=1.0'] * 500), [('en', 1.0)] * 45),
+         ]
+         for value, expected in tests:
+             with self.subTest(value=value):
+-- 
+2.30.0
+
--- a/python-django.spec
+++ b/python-django.spec
@ -1,7 +1,7 @@
 %global _empty_manifest_terminate_build 0
 Name:		python-django
 Version:	2.2.27
-Release:	2
+Release:	3
 Summary:	A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
 License:	Apache-2.0 and Python-2.0 and OFL-1.1 and MIT
 URL:		https://www.djangoproject.com/
@ -11,6 +11,7 @@ Source0:	https://github.com/django/django/archive/refs/tags/2.2.27.tar.gz
 Patch0:         CVE-2022-28346.patch
 #https://github.com/django/django/commit/29a6c98b4c13af82064f993f0acc6e8fafa4d3f5
 Patch1:         CVE-2022-28347.patch
+Patch2:         CVE-2023-23969.patch

 BuildArch:	noarch
 %description
@ -77,6 +78,9 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*

 %changelog
+* Mon Feb 13 2023 yaoxin <yaoxin30@h-partners.com> - 2.2.27-3
+- Fix CVE-2023-23969
+
 * Thu Apr 21 2022 yaoxin <yaoxin30@h-partners.com> - 2.2.27-2
 - Fix CVE-2022-28346 CVE-2022-28347