Fix CVE-2023-36053

(cherry picked from commit 974e92f598dfb826cb8bb52d9e282ca6c3d4ab32)

CVE-2023-36053.patch

@@ -0,0 +1,165 @@
+From f7702f0a5af9e2114eca1b19bb10725a58a5921b Mon Sep 17 00:00:00 2001
+From: starlet-dx <15929766099@163.com>
+Date: Mon, 17 Jul 2023 14:56:15 +0800
+Subject: [PATCH 1/1] fix CVE-2023-36053
+
+Origin:
+https://github.com/django/django/commit/454f2fb93437f98917283336201b4048293f7582
+---
+ django/core/validators.py                     |  7 ++++++-
+ django/forms/fields.py                        |  3 +++
+ .../field_tests/test_emailfield.py            |  5 ++++-
+ tests/forms_tests/tests/test_forms.py         | 19 +++++++++++++------
+ tests/validators/tests.py                     |  6 ++++++
+ 5 files changed, 32 insertions(+), 8 deletions(-)
+
+diff --git a/django/core/validators.py b/django/core/validators.py
+index 2da0688..ddadb21 100644
+--- a/django/core/validators.py
++++ b/django/core/validators.py
+@@ -102,6 +102,7 @@ class URLValidator(RegexValidator):
+     message = _('Enter a valid URL.')
+     schemes = ['http', 'https', 'ftp', 'ftps']
+     unsafe_chars = frozenset('\t\r\n')
++    max_length = 2048
+ 
+     def __init__(self, schemes=None, **kwargs):
+         super().__init__(**kwargs)
+@@ -109,6 +110,8 @@ class URLValidator(RegexValidator):
+             self.schemes = schemes
+ 
+     def __call__(self, value):
++        if not isinstance(value, str) or len(value) > self.max_length:
++            raise ValidationError(self.message, code=self.code)
+         if isinstance(value, str) and self.unsafe_chars.intersection(value):
+             raise ValidationError(self.message, code=self.code)
+         # Check if the scheme is valid.
+@@ -190,7 +193,9 @@ class EmailValidator:
+             self.domain_whitelist = whitelist
+ 
+     def __call__(self, value):
+-        if not value or '@' not in value:
++        # The maximum length of an email is 320 characters per RFC 3696
++        # section 3.
++        if not value or '@' not in value or len(value) > 320:
+             raise ValidationError(self.message, code=self.code)
+ 
+         user_part, domain_part = value.rsplit('@', 1)
+diff --git a/django/forms/fields.py b/django/forms/fields.py
+index a977256..1185bfc 100644
+--- a/django/forms/fields.py
++++ b/django/forms/fields.py
+@@ -523,6 +523,9 @@ class EmailField(CharField):
+     default_validators = [validators.validate_email]
+ 
+     def __init__(self, **kwargs):
++        # The default maximum length of an email is 320 characters per RFC 3696
++        # section 3.
++        kwargs.setdefault("max_length", 320)
+         super().__init__(strip=True, **kwargs)
+ 
+ 
+diff --git a/tests/forms_tests/field_tests/test_emailfield.py b/tests/forms_tests/field_tests/test_emailfield.py
+index 826524a..fe5b644 100644
+--- a/tests/forms_tests/field_tests/test_emailfield.py
++++ b/tests/forms_tests/field_tests/test_emailfield.py
+@@ -8,7 +8,10 @@ class EmailFieldTest(FormFieldAssertionsMixin, SimpleTestCase):
+ 
+     def test_emailfield_1(self):
+         f = EmailField()
+-        self.assertWidgetRendersTo(f, '<input type="email" name="f" id="id_f" required>')
++        self.assertEqual(f.max_length, 320)
++        self.assertWidgetRendersTo(
++            f, '<input type="email" name="f" id="id_f" maxlength="320" required>'
++        )
+         with self.assertRaisesMessage(ValidationError, "'This field is required.'"):
+             f.clean('')
+         with self.assertRaisesMessage(ValidationError, "'This field is required.'"):
+diff --git a/tests/forms_tests/tests/test_forms.py b/tests/forms_tests/tests/test_forms.py
+index d4e421d..8893f89 100644
+--- a/tests/forms_tests/tests/test_forms.py
++++ b/tests/forms_tests/tests/test_forms.py
+@@ -422,11 +422,18 @@ class FormsTestCase(SimpleTestCase):
+             get_spam = BooleanField()
+ 
+         f = SignupForm(auto_id=False)
+-        self.assertHTMLEqual(str(f['email']), '<input type="email" name="email" required>')
++        self.assertHTMLEqual(
++            str(f["email"]),
++            '<input type="email" name="email" maxlength="320" required>',
++        )
+         self.assertHTMLEqual(str(f['get_spam']), '<input type="checkbox" name="get_spam" required>')
+ 
+         f = SignupForm({'email': 'test@example.com', 'get_spam': True}, auto_id=False)
+-        self.assertHTMLEqual(str(f['email']), '<input type="email" name="email" value="test@example.com" required>')
++        self.assertHTMLEqual(
++            str(f["email"]),
++            '<input type="email" name="email" maxlength="320" value="test@example.com" '
++            "required>",
++        )
+         self.assertHTMLEqual(
+             str(f['get_spam']),
+             '<input checked type="checkbox" name="get_spam" required>',
+@@ -2780,7 +2787,7 @@ Good luck picking a username that doesn&#39;t already exist.</p>
+ <option value="true">Yes</option>
+ <option value="false">No</option>
+ </select></li>
+-<li><label for="id_email">Email:</label> <input type="email" name="email" id="id_email"></li>
++<li><label for="id_email">Email:</label> <input type="email" name="email" id="id_email" maxlength="320"></li>
+ <li class="required error"><ul class="errorlist"><li>This field is required.</li></ul>
+ <label class="required" for="id_age">Age:</label> <input type="number" name="age" id="id_age" required></li>"""
+         )
+@@ -2796,7 +2803,7 @@ Good luck picking a username that doesn&#39;t already exist.</p>
+ <option value="true">Yes</option>
+ <option value="false">No</option>
+ </select></p>
+-<p><label for="id_email">Email:</label> <input type="email" name="email" id="id_email"></p>
++<p><label for="id_email">Email:</label> <input type="email" name="email" id="id_email" maxlength="320"></p>
+ <ul class="errorlist"><li>This field is required.</li></ul>
+ <p class="required error"><label class="required" for="id_age">Age:</label>
+ <input type="number" name="age" id="id_age" required></p>"""
+@@ -2815,7 +2822,7 @@ Good luck picking a username that doesn&#39;t already exist.</p>
+ <option value="false">No</option>
+ </select></td></tr>
+ <tr><th><label for="id_email">Email:</label></th><td>
+-<input type="email" name="email" id="id_email"></td></tr>
++<input type="email" name="email" id="id_email" maxlength="320"></td></tr>
+ <tr class="required error"><th><label class="required" for="id_age">Age:</label></th>
+ <td><ul class="errorlist"><li>This field is required.</li></ul>
+ <input type="number" name="age" id="id_age" required></td></tr>"""
+@@ -3428,7 +3435,7 @@ Good luck picking a username that doesn&#39;t already exist.</p>
+         f = CommentForm(data, auto_id=False, error_class=DivErrorList)
+         self.assertHTMLEqual(f.as_p(), """<p>Name: <input type="text" name="name" maxlength="50"></p>
+ <div class="errorlist"><div class="error">Enter a valid email address.</div></div>
+-<p>Email: <input type="email" name="email" value="invalid" required></p>
++<p>Email: <input type="email" name="email" value="invalid" maxlength="320" required></p>
+ <div class="errorlist"><div class="error">This field is required.</div></div>
+ <p>Comment: <input type="text" name="comment" required></p>""")
+ 
+diff --git a/tests/validators/tests.py b/tests/validators/tests.py
+index 1f09fb5..e88feff 100644
+--- a/tests/validators/tests.py
++++ b/tests/validators/tests.py
+@@ -58,6 +58,7 @@ TEST_DATA = [
+ 
+     (validate_email, 'example@atm.%s' % ('a' * 64), ValidationError),
+     (validate_email, 'example@%s.atm.%s' % ('b' * 64, 'a' * 63), ValidationError),
++    (validate_email, "example@%scom" % (("a" * 63 + ".") * 100), ValidationError),
+     (validate_email, None, ValidationError),
+     (validate_email, '', ValidationError),
+     (validate_email, 'abc', ValidationError),
+@@ -242,6 +243,11 @@ TEST_DATA = [
+     (URLValidator(EXTENDED_SCHEMES), 'git+ssh://git@github.com/example/hg-git.git', None),
+ 
+     (URLValidator(EXTENDED_SCHEMES), 'git://-invalid.com', ValidationError),
++    (
++        URLValidator(),
++        "http://example." + ("a" * 63 + ".") * 1000 + "com",
++        ValidationError,
++    ),
+     # Newlines and tabs are not accepted.
+     (URLValidator(), 'http://www.djangoproject.com/\n', ValidationError),
+     (URLValidator(), 'http://[::ffff:192.9.5.5]\n', ValidationError),
+-- 
+2.30.0
+

python-django.spec

@@ -1,7 +1,7 @@
 %global _empty_manifest_terminate_build 0
 Name:		python-django
 Version:	2.2.27
-Release:	5
+Release:	6
 Summary:	A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
 License:	Apache-2.0 and Python-2.0 and OFL-1.1 and MIT
 URL:		https://www.djangoproject.com/
@@ -14,6 +14,8 @@ Patch1:         CVE-2022-28347.patch
 Patch2:         CVE-2023-23969.patch
 Patch3:         CVE-2023-24580.patch
 Patch4:         CVE-2023-31047.patch
+#https://github.com/django/django/commit/454f2fb93437f98917283336201b4048293f7582
+Patch5:         CVE-2023-36053.patch
 
 BuildArch:	noarch
 %description
@@ -80,6 +82,9 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*
 
 %changelog
+* Mon Jul 17 2023 yaoxin <yao_xin001@hoperun.com> - 2.2.27-6
+- Fix CVE-2023-36053
+
 * Tue May 16 2023 yaoxin <yao_xin001@hoperun.com> - 2.2.27-5
 - Fix CVE-2023-31047