!91 [sync] PR-81: Fix CVE-2023-46695

From: @openeuler-sync-bot 
Reviewed-by: @cherry530 
Signed-off-by: @cherry530

CVE-2023-46695.patch

@@ -0,0 +1,62 @@
+From f9a7fb8466a7ba4857eaf930099b5258f3eafb2b Mon Sep 17 00:00:00 2001
+From: Mariusz Felisiak <felisiak.mariusz@gmail.com>
+Date: Tue, 17 Oct 2023 11:48:32 +0200
+Subject: [PATCH] [3.2.x] Fixed CVE-2023-46695 -- Fixed potential DoS in
+ UsernameField on Windows.
+
+Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
+---
+ django/contrib/auth/forms.py   | 10 +++++++++-
+ tests/auth_tests/test_forms.py |  8 +++++++-
+ 2 files changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/django/contrib/auth/forms.py b/django/contrib/auth/forms.py
+index 20d8922..fb7cfda 100644
+--- a/django/contrib/auth/forms.py
++++ b/django/contrib/auth/forms.py
+@@ -62,7 +62,15 @@ class ReadOnlyPasswordHashField(forms.Field):
+ 
+ class UsernameField(forms.CharField):
+     def to_python(self, value):
+-        return unicodedata.normalize('NFKC', super().to_python(value))
++        value = super().to_python(value)
++        if self.max_length is not None and len(value) > self.max_length:
++            # Normalization can increase the string length (e.g.
++            # "ff" -> "ff", "½" -> "1⁄2") but cannot reduce it, so there is no
++            # point in normalizing invalid data. Moreover, Unicode
++            # normalization is very slow on Windows and can be a DoS attack
++            # vector.
++            return value
++        return unicodedata.normalize("NFKC", value)
+ 
+     def widget_attrs(self, widget):
+         return {
+diff --git a/tests/auth_tests/test_forms.py b/tests/auth_tests/test_forms.py
+index 7a731be..c0e1975 100644
+--- a/tests/auth_tests/test_forms.py
++++ b/tests/auth_tests/test_forms.py
+@@ -5,7 +5,7 @@ from unittest import mock
+ from django.contrib.auth.forms import (
+     AdminPasswordChangeForm, AuthenticationForm, PasswordChangeForm,
+     PasswordResetForm, ReadOnlyPasswordHashField, ReadOnlyPasswordHashWidget,
+-    SetPasswordForm, UserChangeForm, UserCreationForm,
++    SetPasswordForm, UserChangeForm, UserCreationForm, UsernameField,
+ )
+ from django.contrib.auth.models import User
+ from django.contrib.auth.signals import user_login_failed
+@@ -132,6 +132,12 @@ class UserCreationFormTest(TestDataMixin, TestCase):
+         self.assertNotEqual(user.username, ohm_username)
+         self.assertEqual(user.username, 'testΩ')  # U+03A9 GREEK CAPITAL LETTER OMEGA
+ 
++    def test_invalid_username_no_normalize(self):
++        field = UsernameField(max_length=254)
++        # Usernames are not normalized if they are too long.
++        self.assertEqual(field.to_python("½" * 255), "½" * 255)
++        self.assertEqual(field.to_python("ff" * 254), "ff" * 254)
++
+     def test_duplicate_normalized_unicode(self):
+         """
+         To prevent almost identical usernames, visually identical but differing
+-- 
+2.30.0
+

python-django.spec

@@ -1,7 +1,7 @@
 %global _empty_manifest_terminate_build 0
 Name:		python-django
 Version:	3.2.12
-Release:	7
+Release:	8
 Summary:	A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
 License:	Apache-2.0 and Python-2.0 and BSD-3-Clause
 URL:		https://www.djangoproject.com/
@@ -17,6 +17,8 @@ Patch5:         CVE-2023-36053.patch
 Patch6:         CVE-2023-41164.patch
 # https://github.com/django/django/commit/ccdade1a0262537868d7ca64374de3d957ca50c5
 Patch7:         CVE-2023-43665.patch
+# https://github.com/django/django/commit/f9a7fb8466a7ba4857eaf930099b5258f3eafb2b
+Patch8:         CVE-2023-46695.patch
 
 BuildArch:	noarch
 %description
@@ -83,6 +85,9 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*
 
 %changelog
+* Mon Nov 06 2023 yaoxin <yao_xin001@hoperun.com> - 3.2.12-8
+- Fix CVE-2023-46695
+
 * Sun Oct 08 2023 yaoxin <yao_xin001@hoperun.com> - 3.2.12-7
 - Fix CVE-2023-43665