Fix CVE-2024-27351

(cherry picked from commit 9f46f6c90df775e0e24a2385188394d73db87d17)
2024-03-05 15:33:44 +08:00 · 2024-03-05 15:33:44 +08:00 · 5268d94d2a
commit 5268d94d2a
parent 4d32a7a113
2 changed files with 128 additions and 1 deletions
--- a/CVE-2024-27351.patch
+++ b/CVE-2024-27351.patch
@ -0,0 +1,122 @@
 From 072963e4c4d0b3a7a8c5412bc0c7d27d1a9c3521 Mon Sep 17 00:00:00 2001
 From: Shai Berger <shai@platonix.com>
 Date: Mon, 19 Feb 2024 13:56:37 +0100
 Subject: [PATCH] [3.2.x] Fixed CVE-2024-27351 -- Prevented potential ReDoS in
 Truncator.words().
 Thanks Seokchan Yoon for the report.
 Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
 ---
 django/utils/text.py           | 57 ++++++++++++++++++++++++++++++++--
 tests/utils_tests/test_text.py | 26 ++++++++++++++++
 2 files changed, 81 insertions(+), 2 deletions(-)
 diff --git a/django/utils/text.py b/django/utils/text.py
 index 83e258f..88da9a2 100644
 --- a/django/utils/text.py
 +++ b/django/utils/text.py
@@ -18,8 +18,61 @@ def capfirst(x):
     return x and str(x)[0].upper() + str(x)[1:]
 -# Set up regular expressions
 -re_words = _lazy_re_compile(r'<[^>]+?>|([^<>\s]+)', re.S)
 +# ----- Begin security-related performance workaround -----
 +
 +# We used to have, below
 +#
 +# re_words = _lazy_re_compile(r"<[^>]+?>|([^<>\s]+)", re.S)
 +#
 +# But it was shown that this regex, in the way we use it here, has some
 +# catastrophic edge-case performance features. Namely, when it is applied to
 +# text with only open brackets "<<<...". The class below provides the services
 +# and correct answers for the use cases, but in these edge cases does it much
 +# faster.
 +re_notag = _lazy_re_compile(r"([^<>\s]+)", re.S)
 +re_prt = _lazy_re_compile(r"<|([^<>\s]+)", re.S)
 +
 +
 +class WordsRegex:
 +    @staticmethod
 +    def search(text, pos):
 +        # Look for "<" or a non-tag word.
 +        partial = re_prt.search(text, pos)
 +        if partial is None or partial[1] is not None:
 +            return partial
 +
 +        # "<" was found, look for a closing ">".
 +        end = text.find(">", partial.end(0))
 +        if end < 0:
 +            # ">" cannot be found, look for a word.
 +            return re_notag.search(text, pos + 1)
 +        else:
 +            # "<" followed by a ">" was found -- fake a match.
 +            end += 1
 +            return FakeMatch(text[partial.start(0): end], end)
 +
 +
 +class FakeMatch:
 +    __slots__ = ["_text", "_end"]
 +
 +    def end(self, group=0):
 +        assert group == 0, "This specific object takes only group=0"
 +        return self._end
 +
 +    def __getitem__(self, group):
 +        if group == 1:
 +            return None
 +        assert group == 0, "This specific object takes only group in {0,1}"
 +        return self._text
 +
 +    def __init__(self, text, end):
 +        self._text, self._end = text, end
 +
 +
 +# ----- End security-related performance workaround -----
 +
 +# Set up regular expressions.
 +re_words = WordsRegex
 re_chars = _lazy_re_compile(r'<[^>]+?>|(.)', re.S)
 re_tag = _lazy_re_compile(r'<(/)?(\S+?)(?:(\s*/)|\s.*?)?>', re.S)
 re_newlines = _lazy_re_compile(r'\r\n|\r')  # Used in normalize_newlines
 diff --git a/tests/utils_tests/test_text.py b/tests/utils_tests/test_text.py
 index 0a6f0bc..758919c 100644
 --- a/tests/utils_tests/test_text.py
 +++ b/tests/utils_tests/test_text.py
@@ -159,6 +159,32 @@ class TestUtilsText(SimpleTestCase):
         truncator = text.Truncator('<p>I &lt;3 python, what about you?</p>')
         self.assertEqual('<p>I &lt;3 python,…</p>', truncator.words(3, html=True))
 +        # Only open brackets.
 +        test = "<" * 60_000
 +        truncator = text.Truncator(test)
 +        self.assertEqual(truncator.words(1, html=True), test)
 +
 +        # Tags with special chars in attrs.
 +        truncator = text.Truncator(
 +            """<i style="margin: 5%; font: *;">Hello, my dear lady!</i>"""
 +        )
 +        self.assertEqual(
 +            """<i style="margin: 5%; font: *;">Hello, my dear…</i>""",
 +            truncator.words(3, html=True),
 +        )
 +
 +        # Tags with special non-latin chars in attrs.
 +        truncator = text.Truncator("""<p data-x="א">Hello, my dear lady!</p>""")
 +        self.assertEqual(
 +            """<p data-x="א">Hello, my dear…</p>""",
 +            truncator.words(3, html=True),
 +        )
 +
 +        # Misplaced brackets.
 +        truncator = text.Truncator("hello >< world")
 +        self.assertEqual(truncator.words(1, html=True), "hello…")
 +        self.assertEqual(truncator.words(2, html=True), "hello >< world")
 +
     @patch("django.utils.text.Truncator.MAX_LENGTH_HTML", 10_000)
     def test_truncate_words_html_size_limit(self):
         max_len = text.Truncator.MAX_LENGTH_HTML
 -- 
 2.33.0
--- a/python-django.spec
+++ b/python-django.spec
@ -1,7 +1,7 @@
 %global _empty_manifest_terminate_build 0
 Name:		python-django
 Version:	3.2.12
-Release:	9
+Release:	10
 Summary:	A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
 License:	Apache-2.0 and Python-2.0 and BSD-3-Clause
 URL:		https://www.djangoproject.com/
@ -21,6 +21,8 @@ Patch7:         CVE-2023-43665.patch
 Patch8:         CVE-2023-46695.patch
 # https://github.com/django/django/commit/c1171ffbd570db90ca206c30f8e2b9f691243820
 Patch9:         CVE-2024-24680.patch
 # https://github.com/django/django/commit/072963e4c4d0b3a7a8c5412bc0c7d27d1a9c3521
 Patch10:        CVE-2024-27351.patch
 BuildArch:	noarch
 %description
@ -87,6 +89,9 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*
 %changelog
 * Tue Mar 05 2024 yaoxin <yao_xin001@hoperun.com> - 3.2.12-10
 - Fix CVE-2024-27351
 * Wed Feb 07 2024 yaoxin <yao_xin001@hoperun.com> - 3.2.12-9
 - Fix CVE-2024-24680