packages/python-django
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2023-36053

Browse Source 
(cherry picked from commit e0207cf3e3517d0520e1c3e82c554881331af03e)
This commit is contained in:
starlet-dx 2023-07-17 11:08:16 +08:00 committed by openeuler-sync-bot
parent 0b7d17b274
commit 0e7bae103c
2 changed files with 249 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

244
CVE-2023-36053.patch Normal file
View File

@ -0,0 +1,244 @@
From 454f2fb93437f98917283336201b4048293f7582 Mon Sep 17 00:00:00 2001
From: Mariusz Felisiak <felisiak.mariusz@gmail.com>
Date: Wed, 14 Jun 2023 12:23:06 +0200
Subject: [PATCH] [3.2.x] Fixed CVE-2023-36053 -- Prevented potential ReDoS in
EmailValidator and URLValidator.
Thanks Seokchan Yoon for reports.
---
django/core/validators.py | 7 ++++--
django/forms/fields.py | 3 +++
docs/ref/forms/fields.txt | 7 +++++-
docs/ref/validators.txt | 25 ++++++++++++++++++-
docs/releases/3.2.20.txt | 7 +++++-
.../field_tests/test_emailfield.py | 5 +++-
tests/forms_tests/tests/test_forms.py | 19 +++++++++-----
tests/validators/tests.py | 11 ++++++++
8 files changed, 72 insertions(+), 12 deletions(-)
diff --git a/django/core/validators.py b/django/core/validators.py
index 731ccf2d4690..b9b58dfa6176 100644
--- a/django/core/validators.py
+++ b/django/core/validators.py
@@ -93,6 +93,7 @@ class URLValidator(RegexValidator):
message = _('Enter a valid URL.')
schemes = ['http', 'https', 'ftp', 'ftps']
unsafe_chars = frozenset('\t\r\n')
+ max_length = 2048
def __init__(self, schemes=None, **kwargs):
super().__init__(**kwargs)
@@ -100,7 +101,7 @@ def __init__(self, schemes=None, **kwargs):
self.schemes = schemes
def __call__(self, value):
- if not isinstance(value, str):
+ if not isinstance(value, str) or len(value) > self.max_length:
raise ValidationError(self.message, code=self.code, params={'value': value})
if self.unsafe_chars.intersection(value):
raise ValidationError(self.message, code=self.code, params={'value': value})
@@ -210,7 +211,9 @@ def __init__(self, message=None, code=None, allowlist=None, *, whitelist=None):
self.domain_allowlist = allowlist
def __call__(self, value):
- if not value or '@' not in value:
+ # The maximum length of an email is 320 characters per RFC 3696
+ # section 3.
+ if not value or '@' not in value or len(value) > 320:
raise ValidationError(self.message, code=self.code, params={'value': value})
user_part, domain_part = value.rsplit('@', 1)
diff --git a/django/forms/fields.py b/django/forms/fields.py
index 0214d60c1cf1..8adb09e38294 100644
--- a/django/forms/fields.py
+++ b/django/forms/fields.py
@@ -540,6 +540,9 @@ class EmailField(CharField):
default_validators = [validators.validate_email]
def __init__(self, **kwargs):
+ # The default maximum length of an email is 320 characters per RFC 3696
+ # section 3.
+ kwargs.setdefault("max_length", 320)
super().__init__(strip=True, **kwargs)
diff --git a/docs/ref/forms/fields.txt b/docs/ref/forms/fields.txt
index 9438214a28ce..5b485f215384 100644
--- a/docs/ref/forms/fields.txt
+++ b/docs/ref/forms/fields.txt
@@ -592,7 +592,12 @@ For each field, we describe the default widget used if you don't specify
* Error message keys: ``required``, ``invalid``
Has three optional arguments ``max_length``, ``min_length``, and
- ``empty_value`` which work just as they do for :class:`CharField`.
+ ``empty_value`` which work just as they do for :class:`CharField`. The
+ ``max_length`` argument defaults to 320 (see :rfc:`3696#section-3`).
+
+ .. versionchanged:: 3.2.20
+
+ The default value for ``max_length`` was changed to 320 characters.
``FileField``
-------------
diff --git a/docs/ref/validators.txt b/docs/ref/validators.txt
index 50761e5a425c..b22762b17b93 100644
--- a/docs/ref/validators.txt
+++ b/docs/ref/validators.txt
@@ -130,6 +130,11 @@ to, or in lieu of custom ``field.clean()`` methods.
:param code: If not ``None``, overrides :attr:`code`.
:param allowlist: If not ``None``, overrides :attr:`allowlist`.
+ An :class:`EmailValidator` ensures that a value looks like an email, and
+ raises a :exc:`~django.core.exceptions.ValidationError` with
+ :attr:`message` and :attr:`code` if it doesn't. Values longer than 320
+ characters are always considered invalid.
+
.. attribute:: message
The error message used by
@@ -158,13 +163,19 @@ to, or in lieu of custom ``field.clean()`` methods.
The undocumented ``domain_whitelist`` attribute is deprecated. Use
``domain_allowlist`` instead.
+ .. versionchanged:: 3.2.20
+
+ In older versions, values longer than 320 characters could be
+ considered valid.
+
``URLValidator``
----------------
.. class:: URLValidator(schemes=None, regex=None, message=None, code=None)
A :class:`RegexValidator` subclass that ensures a value looks like a URL,
- and raises an error code of ``'invalid'`` if it doesn't.
+ and raises an error code of ``'invalid'`` if it doesn't. Values longer than
+ :attr:`max_length` characters are always considered invalid.
Loopback addresses and reserved IP spaces are considered valid. Literal
IPv6 addresses (:rfc:`3986#section-3.2.2`) and Unicode domains are both
@@ -181,6 +192,18 @@ to, or in lieu of custom ``field.clean()`` methods.
.. _valid URI schemes: https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml
+ .. attribute:: max_length
+
+ .. versionadded:: 3.2.20
+
+ The maximum length of values that could be considered valid. Defaults
+ to 2048 characters.
+
+ .. versionchanged:: 3.2.20
+
+ In older versions, values longer than 2048 characters could be
+ considered valid.
+
``validate_email``
------------------
diff --git a/tests/forms_tests/field_tests/test_emailfield.py b/tests/forms_tests/field_tests/test_emailfield.py
index 8b85e4dcc144..19d315205d7e 100644
--- a/tests/forms_tests/field_tests/test_emailfield.py
+++ b/tests/forms_tests/field_tests/test_emailfield.py
@@ -9,7 +9,10 @@ class EmailFieldTest(FormFieldAssertionsMixin, SimpleTestCase):
def test_emailfield_1(self):
f = EmailField()
- self.assertWidgetRendersTo(f, '<input type="email" name="f" id="id_f" required>')
+ self.assertEqual(f.max_length, 320)
+ self.assertWidgetRendersTo(
+ f, '<input type="email" name="f" id="id_f" maxlength="320" required>'
+ )
with self.assertRaisesMessage(ValidationError, "'This field is required.'"):
f.clean('')
with self.assertRaisesMessage(ValidationError, "'This field is required.'"):
diff --git a/tests/forms_tests/tests/test_forms.py b/tests/forms_tests/tests/test_forms.py
index 26f8ecafea44..82a32af403a0 100644
--- a/tests/forms_tests/tests/test_forms.py
+++ b/tests/forms_tests/tests/test_forms.py
@@ -422,11 +422,18 @@ class SignupForm(Form):
get_spam = BooleanField()
f = SignupForm(auto_id=False)
- self.assertHTMLEqual(str(f['email']), '<input type="email" name="email" required>')
+ self.assertHTMLEqual(
+ str(f["email"]),
+ '<input type="email" name="email" maxlength="320" required>',
+ )
self.assertHTMLEqual(str(f['get_spam']), '<input type="checkbox" name="get_spam" required>')
f = SignupForm({'email': 'test@example.com', 'get_spam': True}, auto_id=False)
- self.assertHTMLEqual(str(f['email']), '<input type="email" name="email" value="test@example.com" required>')
+ self.assertHTMLEqual(
+ str(f["email"]),
+ '<input type="email" name="email" maxlength="320" value="test@example.com" '
+ "required>",
+ )
self.assertHTMLEqual(
str(f['get_spam']),
'<input checked type="checkbox" name="get_spam" required>',
@@ -2824,7 +2831,7 @@ class Person(Form):
<option value="true">Yes</option>
<option value="false">No</option>
</select></li>
-<li><label for="id_email">Email:</label> <input type="email" name="email" id="id_email"></li>
+<li><label for="id_email">Email:</label> <input type="email" name="email" id="id_email" maxlength="320"></li>
<li class="required error"><ul class="errorlist"><li>This field is required.</li></ul>
<label class="required" for="id_age">Age:</label> <input type="number" name="age" id="id_age" required></li>"""
)
@@ -2840,7 +2847,7 @@ class Person(Form):
<option value="true">Yes</option>
<option value="false">No</option>
</select></p>
-<p><label for="id_email">Email:</label> <input type="email" name="email" id="id_email"></p>
+<p><label for="id_email">Email:</label> <input type="email" name="email" id="id_email" maxlength="320"></p>
<ul class="errorlist"><li>This field is required.</li></ul>
<p class="required error"><label class="required" for="id_age">Age:</label>
<input type="number" name="age" id="id_age" required></p>"""
@@ -2859,7 +2866,7 @@ class Person(Form):
<option value="false">No</option>
</select></td></tr>
<tr><th><label for="id_email">Email:</label></th><td>
-<input type="email" name="email" id="id_email"></td></tr>
+<input type="email" name="email" id="id_email" maxlength="320"></td></tr>
<tr class="required error"><th><label class="required" for="id_age">Age:</label></th>
<td><ul class="errorlist"><li>This field is required.</li></ul>
<input type="number" name="age" id="id_age" required></td></tr>"""
@@ -3489,7 +3496,7 @@ class CommentForm(Form):
f = CommentForm(data, auto_id=False, error_class=DivErrorList)
self.assertHTMLEqual(f.as_p(), """<p>Name: <input type="text" name="name" maxlength="50"></p>
<div class="errorlist"><div class="error">Enter a valid email address.</div></div>
-<p>Email: <input type="email" name="email" value="invalid" required></p>
+<p>Email: <input type="email" name="email" value="invalid" maxlength="320" required></p>
<div class="errorlist"><div class="error">This field is required.</div></div>
<p>Comment: <input type="text" name="comment" required></p>""")
diff --git a/tests/validators/tests.py b/tests/validators/tests.py
index e39d0e3a1cef..1065727a974e 100644
--- a/tests/validators/tests.py
+++ b/tests/validators/tests.py
@@ -59,6 +59,7 @@
(validate_email, 'example@atm.%s' % ('a' * 64), ValidationError),
(validate_email, 'example@%s.atm.%s' % ('b' * 64, 'a' * 63), ValidationError),
+ (validate_email, "example@%scom" % (("a" * 63 + ".") * 100), ValidationError),
(validate_email, None, ValidationError),
(validate_email, '', ValidationError),
(validate_email, 'abc', ValidationError),
@@ -246,6 +247,16 @@
(URLValidator(), None, ValidationError),
(URLValidator(), 56, ValidationError),
(URLValidator(), 'no_scheme', ValidationError),
+ (
+ URLValidator(),
+ "http://example." + ("a" * 63 + ".") * 1000 + "com",
+ ValidationError,
+ ),
+ (
+ URLValidator(),
+ "http://userid:password" + "d" * 2000 + "@example.aaaaaaaaaaaaa.com",
+ None,
+ ),
# Newlines and tabs are not accepted.
(URLValidator(), 'http://www.djangoproject.com/\n', ValidationError),
(URLValidator(), 'http://[::ffff:192.9.5.5]\n', ValidationError),

6
python-django.spec
View File

@ -1,7 +1,7 @@
%global _empty_manifest_terminate_build 0 %global _empty_manifest_terminate_build 0
Name: python-django Name: python-django
Version: 3.2.12 Version: 3.2.12
Release: 4 Release: 5
Summary: A high-level Python Web framework that encourages rapid development and clean, pragmatic design. Summary: A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
License: Apache-2.0 and Python-2.0 and BSD-3-Clause License: Apache-2.0 and Python-2.0 and BSD-3-Clause
URL: https://www.djangoproject.com/ URL: https://www.djangoproject.com/
@ -13,6 +13,7 @@ Patch1: backport-CVE-2022-36359.patch
Patch2: CVE-2023-23969.patch Patch2: CVE-2023-23969.patch
Patch3: CVE-2023-24580.patch Patch3: CVE-2023-24580.patch
Patch4: CVE-2023-31047.patch Patch4: CVE-2023-31047.patch
Patch5: CVE-2023-36053.patch
BuildArch: noarch BuildArch: noarch
%description %description
@ -79,6 +80,9 @@ mv %{buildroot}/doclist.lst .
%{_docdir}/* %{_docdir}/*
%changelog %changelog
* Mon Jul 17 2023 yaoxin <yao_xin001@hoperun.com> - 3.2.12-5
- Fix CVE-2023-36053
* Tue May 16 2023 yaoxin <yao_xin001@hoperun.com> - 3.2.12-4 * Tue May 16 2023 yaoxin <yao_xin001@hoperun.com> - 3.2.12-4
- Fix CVE-2023-31047 - Fix CVE-2023-31047