Fix CVE-2023-23969

(cherry picked from commit e08a83f6a88fd686c6227ab8400c4a80f9563249)
2023-02-13 19:35:48 +08:00 · 2023-02-13 19:35:48 +08:00 · 6e43838aa6
commit 6e43838aa6
parent 9b95229d22
2 changed files with 106 additions and 2 deletions
--- a/CVE-2023-23969.patch
+++ b/CVE-2023-23969.patch
@ -0,0 +1,100 @@
 From 80353a42e41fd22933184a30f2e2c04d0c274c83 Mon Sep 17 00:00:00 2001
 From: starlet-dx <15929766099@163.com>
 Date: Mon, 13 Feb 2023 19:31:46 +0800
 Subject: [PATCH 1/1] [3.2.x] Fixed CVE-2023-23969 -- Prevented DoS with pathological values for Accept-Language.
 The parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.
 Accept-Language headers are now limited to a maximum length in order to avoid this issue.
 ---
 django/utils/translation/trans_real.py | 32 +++++++++++++++++++++++++-
 tests/i18n/tests.py                    | 12 ++++++++++
 2 files changed, 43 insertions(+), 1 deletion(-)
 diff --git a/django/utils/translation/trans_real.py b/django/utils/translation/trans_real.py
 index 8042f6f..b262a50 100644
 --- a/django/utils/translation/trans_real.py
 +++ b/django/utils/translation/trans_real.py
@@ -30,6 +30,11 @@ _default = None
 # magic gettext number to separate context from message
 CONTEXT_SEPARATOR = "\x04"
 +# Maximum number of characters that will be parsed from the Accept-Language
 +# header to prevent possible denial of service or memory exhaustion attacks.
 +# About 10x longer than the longest value shown on MDN’s Accept-Language page.
 +ACCEPT_LANGUAGE_HEADER_MAX_LENGTH = 500
 +
 # Format of Accept-Language header values. From RFC 2616, section 14.4 and 3.9
 # and RFC 3066, section 2.1
 accept_language_re = _lazy_re_compile(r'''
@@ -556,7 +561,7 @@ def get_language_from_request(request, check_path=False):
 @functools.lru_cache(maxsize=1000)
 -def parse_accept_lang_header(lang_string):
 +def _parse_accept_lang_header(lang_string):
     """
     Parse the lang_string, which is the body of an HTTP Accept-Language
     header, and return a tuple of (lang, q-value), ordered by 'q' values.
@@ -578,3 +583,28 @@ def parse_accept_lang_header(lang_string):
         result.append((lang, priority))
     result.sort(key=lambda k: k[1], reverse=True)
     return tuple(result)
 +
 +
 +def parse_accept_lang_header(lang_string):
 +    """
 +    Parse the value of the Accept-Language header up to a maximum length.
 +
 +    The value of the header is truncated to a maximum length to avoid potential
 +    denial of service and memory exhaustion attacks. Excessive memory could be
 +    used if the raw value is very large as it would be cached due to the use of
 +    functools.lru_cache() to avoid repetitive parsing of common header values.
 +    """
 +    # If the header value doesn't exceed the maximum allowed length, parse it.
 +    if len(lang_string) <= ACCEPT_LANGUAGE_HEADER_MAX_LENGTH:
 +        return _parse_accept_lang_header(lang_string)
 +
 +    # If there is at least one comma in the value, parse up to the last comma
 +    # before the max length, skipping any truncated parts at the end of the
 +    # header value.
 +    index = lang_string.rfind(",", 0, ACCEPT_LANGUAGE_HEADER_MAX_LENGTH)
 +    if index > 0:
 +        return _parse_accept_lang_header(lang_string[:index])
 +
 +    # Don't attempt to parse if there is only one language-range value which is
 +    # longer than the maximum allowed length and so truncated.
 +    return ()
 diff --git a/tests/i18n/tests.py b/tests/i18n/tests.py
 index 7edceb1..f379f8f 100644
 --- a/tests/i18n/tests.py
 +++ b/tests/i18n/tests.py
@@ -1352,6 +1352,14 @@ class MiscTests(SimpleTestCase):
             ('de;q=0.', [('de', 0.0)]),
             ('en; q=1,', [('en', 1.0)]),
             ('en; q=1.0, * ; q=0.5', [('en', 1.0), ('*', 0.5)]),
 +            (
 +                'en' + '-x' * 20,
 +                [('en-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x', 1.0)],
 +            ),
 +            (
 +                ', '.join(['en; q=1.0'] * 20),
 +                [('en', 1.0)] * 20,
 +            ),
             # Bad headers
             ('en-gb;q=1.0000', []),
             ('en;q=0.1234', []),
@@ -1367,6 +1375,10 @@ class MiscTests(SimpleTestCase):
             ('12-345', []),
             ('', []),
             ('en;q=1e0', []),
 +            # Invalid as language-range value too long.
 +            ('xxxxxxxx' + '-xxxxxxxx' * 500, []),
 +            # Header value too long, only parse up to limit.
 +            (', '.join(['en; q=1.0'] * 500), [('en', 1.0)] * 45),
         ]
         for value, expected in tests:
             with self.subTest(value=value):
 -- 
 2.30.0
--- a/python-django.spec
+++ b/python-django.spec
@ -1,7 +1,7 @@
 %global _empty_manifest_terminate_build 0
 Name:		python-django
 Version:	3.2.12
-Release:	1
+Release:	2
 Summary:	A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
 License:	Apache-2.0 and Python-2.0 and BSD-3-Clause
 URL:		https://www.djangoproject.com/
@ -10,6 +10,7 @@ Source0:	https://github.com/django/django/archive/refs/tags/%{version}.tar.gz
 #https://github.com/django/django/commit/a9010fe5555e6086a9d9ae50069579400ef0685e
 Patch0:         CVE-2022-34265.patch
 Patch1:         backport-CVE-2022-36359.patch
 Patch2:         CVE-2023-23969.patch
 BuildArch:	noarch
 %description
@ -76,8 +77,11 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*
 %changelog
 * Mon Feb 13 2023 yaoxin <yaoxin30@h-partners.com> - 3.2.12-2
 - Fix CVE-2023-23969
 * Thu Oct 20 2022 Ge Wang <wangge20@h-partners.com> - 3.2.12-1
- Update to version 3.2.12 and fix CVE-2022034265, CVE-2022-36359
+- Update to version 3.2.12 and fix CVE-2022-34265, CVE-2022-36359
 * Thu Apr 21 2022 yaoxin <yaoxin30@h-partners.com> - 2.2.27-2
 - Fix CVE-2022-28346 CVE-2022-28347