!79 [sync] PR-72: Fix CVE-2023-43665

From: @openeuler-sync-bot Reviewed-by: @caodongxia Signed-off-by: @caodongxia
2023-10-09 11:27:46 +00:00 · 2023-10-09 11:27:46 +00:00 · 84ffde19c2
commit 84ffde19c2
parent c3c19579d2 eb415e8211
2 changed files with 174 additions and 1 deletions
--- a/CVE-2023-43665.patch
+++ b/CVE-2023-43665.patch
@ -0,0 +1,168 @@
 From ccdade1a0262537868d7ca64374de3d957ca50c5 Mon Sep 17 00:00:00 2001
 From: Natalia <124304+nessita@users.noreply.github.com>
 Date: Tue, 19 Sep 2023 09:51:48 -0300
 Subject: [PATCH] [3.2.x] Fixed CVE-2023-43665 -- Mitigated potential DoS in
 django.utils.text.Truncator when truncating HTML text.
 Thanks Wenchao Li of Alibaba Group for the report.
 Origin:
 https://github.com/django/django/commit/ccdade1a0262537868d7ca64374de3d957ca50c5
 ---
 django/utils/text.py            | 18 ++++++++++++++++-
 docs/ref/templates/builtins.txt | 20 +++++++++++++++++++
 tests/utils_tests/test_text.py  | 35 ++++++++++++++++++++++++---------
 3 files changed, 63 insertions(+), 10 deletions(-)
 diff --git a/django/utils/text.py b/django/utils/text.py
 index baa44f2..83e258f 100644
 --- a/django/utils/text.py
 +++ b/django/utils/text.py
@@ -60,7 +60,14 @@ def wrap(text, width):
 class Truncator(SimpleLazyObject):
     """
     An object used to truncate text, either by characters or words.
 +
 +    When truncating HTML text (either chars or words), input will be limited to
 +    at most `MAX_LENGTH_HTML` characters.
     """
 +
 +    # 5 million characters are approximately 4000 text pages or 3 web pages.
 +    MAX_LENGTH_HTML = 5_000_000
 +
     def __init__(self, text):
         super().__init__(lambda: str(text))
@@ -157,6 +164,11 @@ class Truncator(SimpleLazyObject):
         if words and length <= 0:
             return ''
 +        size_limited = False
 +        if len(text) > self.MAX_LENGTH_HTML:
 +            text = text[: self.MAX_LENGTH_HTML]
 +            size_limited = True
 +
         html4_singlets = (
             'br', 'col', 'link', 'base', 'img',
             'param', 'area', 'hr', 'input'
@@ -206,10 +218,14 @@ class Truncator(SimpleLazyObject):
                 # Add it to the start of the open tags list
                 open_tags.insert(0, tagname)
 +        truncate_text = self.add_truncation_text("", truncate)
 +
         if current_len <= length:
 +            if size_limited and truncate_text:
 +                text += truncate_text
             return text
 +
         out = text[:end_text_pos]
 -        truncate_text = self.add_truncation_text('', truncate)
         if truncate_text:
             out += truncate_text
         # Close any tags still open
 diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt
 index 22509a2..a6fd971 100644
 --- a/docs/ref/templates/builtins.txt
 +++ b/docs/ref/templates/builtins.txt
@@ -2348,6 +2348,16 @@ If ``value`` is ``"<p>Joel is a slug</p>"``, the output will be
 Newlines in the HTML content will be preserved.
 +.. admonition:: Size of input string
 +
 +    Processing large, potentially malformed HTML strings can be
 +    resource-intensive and impact service performance. ``truncatechars_html``
 +    limits input to the first five million characters.
 +
 +.. versionchanged:: 3.2.22
 +
 +    In older versions, strings over five million characters were processed.
 +
 .. templatefilter:: truncatewords
 ``truncatewords``
@@ -2386,6 +2396,16 @@ If ``value`` is ``"<p>Joel is a slug</p>"``, the output will be
 Newlines in the HTML content will be preserved.
 +.. admonition:: Size of input string
 +
 +    Processing large, potentially malformed HTML strings can be
 +    resource-intensive and impact service performance. ``truncatewords_html``
 +    limits input to the first five million characters.
 +
 +.. versionchanged:: 3.2.22
 +
 +    In older versions, strings over five million characters were processed.
 +
 .. templatefilter:: unordered_list
 ``unordered_list``
 diff --git a/tests/utils_tests/test_text.py b/tests/utils_tests/test_text.py
 index d2a94fc..0a6f0bc 100644
 --- a/tests/utils_tests/test_text.py
 +++ b/tests/utils_tests/test_text.py
@@ -1,5 +1,6 @@
 import json
 import sys
 +from unittest.mock import patch
 from django.core.exceptions import SuspiciousFileOperation
 from django.test import SimpleTestCase, ignore_warnings
@@ -90,11 +91,17 @@ class TestUtilsText(SimpleTestCase):
         # lazy strings are handled correctly
         self.assertEqual(text.Truncator(lazystr('The quick brown fox')).chars(10), 'The quick…')
 -    def test_truncate_chars_html(self):
 +    @patch("django.utils.text.Truncator.MAX_LENGTH_HTML", 10_000)
 +    def test_truncate_chars_html_size_limit(self):
 +        max_len = text.Truncator.MAX_LENGTH_HTML
 +        bigger_len = text.Truncator.MAX_LENGTH_HTML + 1
 +        valid_html = "<p>Joel is a slug</p>"  # 14 chars
         perf_test_values = [
 -            (('</a' + '\t' * 50000) + '//>', None),
 -            ('&' * 50000, '&' * 9 + '…'),
 -            ('_X<<<<<<<<<<<>', None),
 +            ("</a" + "\t" * (max_len - 6) + "//>", None),
 +            ("</p" + "\t" * bigger_len + "//>", "</p" + "\t" * 6 + "…"),
 +            ("&" * bigger_len, "&" * 9 + "…"),
 +            ("_X<<<<<<<<<<<>", None),
 +            (valid_html * bigger_len, "<p>Joel is a…</p>"),  # 10 chars
         ]
         for value, expected in perf_test_values:
             with self.subTest(value=value):
@@ -152,15 +159,25 @@ class TestUtilsText(SimpleTestCase):
         truncator = text.Truncator('<p>I &lt;3 python, what about you?</p>')
         self.assertEqual('<p>I &lt;3 python,…</p>', truncator.words(3, html=True))
 +    @patch("django.utils.text.Truncator.MAX_LENGTH_HTML", 10_000)
 +    def test_truncate_words_html_size_limit(self):
 +        max_len = text.Truncator.MAX_LENGTH_HTML
 +        bigger_len = text.Truncator.MAX_LENGTH_HTML + 1
 +        valid_html = "<p>Joel is a slug</p>"  # 4 words
         perf_test_values = [
 -            ('</a' + '\t' * 50000) + '//>',
 -            '&' * 50000,
 -            '_X<<<<<<<<<<<>',
 +            ("</a" + "\t" * (max_len - 6) + "//>", None),
 +            ("</p" + "\t" * bigger_len + "//>", "</p" + "\t" * (max_len - 3) + "…"),
 +            ("&" * max_len, None),  # no change
 +            ("&" * bigger_len, "&" * max_len + "…"),
 +            ("_X<<<<<<<<<<<>", None),
 +            (valid_html * bigger_len, valid_html * 12 + "<p>Joel is…</p>"),  # 50 words
         ]
 -        for value in perf_test_values:
 +        for value, expected in perf_test_values:
             with self.subTest(value=value):
                 truncator = text.Truncator(value)
 -                self.assertEqual(value, truncator.words(50, html=True))
 +                self.assertEqual(
 +                    expected if expected else value, truncator.words(50, html=True)
 +                )
     def test_wrap(self):
         digits = '1234 67 9'
 -- 
 2.30.0
--- a/python-django.spec
+++ b/python-django.spec
@ -1,7 +1,7 @@
 %global _empty_manifest_terminate_build 0
 Name:		python-django
 Version:	3.2.12
-Release:	6
+Release:	7
 Summary:	A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
 License:	Apache-2.0 and Python-2.0 and BSD-3-Clause
 URL:		https://www.djangoproject.com/
@ -15,6 +15,8 @@ Patch3:         CVE-2023-24580.patch
 Patch4:         CVE-2023-31047.patch
 Patch5:         CVE-2023-36053.patch
 Patch6:         CVE-2023-41164.patch
 # https://github.com/django/django/commit/ccdade1a0262537868d7ca64374de3d957ca50c5
 Patch7:         CVE-2023-43665.patch
 BuildArch:	noarch
 %description
@ -81,6 +83,9 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*
 %changelog
 * Sun Oct 08 2023 yaoxin <yao_xin001@hoperun.com> - 3.2.12-7
 - Fix CVE-2023-43665
 * Thu Sep 14 2023 wangkai <13474090681@163.com> - 3.2.12-6
 - Fix CVE-2023-41164