!70 [sync] PR-66: Fix CVE-2023-41164

From: @openeuler-sync-bot Reviewed-by: @cherry530 Signed-off-by: @cherry530
2023-09-18 01:22:12 +00:00 · 2023-09-18 01:22:12 +00:00 · c3c19579d2
commit c3c19579d2
parent acefaee95e 9ab478fe33
2 changed files with 88 additions and 1 deletions
--- a/CVE-2023-41164.patch
+++ b/CVE-2023-41164.patch
@ -0,0 +1,83 @@
+From 6f030b1149bd8fa4ba90452e77cb3edc095ce54e Mon Sep 17 00:00:00 2001
+From: Mariusz Felisiak <felisiak.mariusz@gmail.com>
+Date: Tue, 22 Aug 2023 08:53:03 +0200
+Subject: [PATCH] [3.2.x] Fixed CVE-2023-41164 -- Fixed potential DoS in
+ django.utils.encoding.uri_to_iri().
+
+Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
+
+Origin: https://github.com/django/django/commit/6f030b1149bd8fa4ba90452e77cb3edc095ce54e
+
+Co-authored-by: nessita <124304+nessita@users.noreply.github.com>
+---
+ django/utils/encoding.py           |  6 ++++--
+ docs/releases/3.2.21.txt           |  7 ++++++-
+ tests/utils_tests/test_encoding.py | 21 ++++++++++++++++++++-
+ 3 files changed, 30 insertions(+), 4 deletions(-)
+
+diff --git a/django/utils/encoding.py b/django/utils/encoding.py
+index e1ebacef4705..c5c4463b1c22 100644
+--- a/django/utils/encoding.py
+++ b/django/utils/encoding.py
+@@ -229,6 +229,7 @@ def repercent_broken_unicode(path):
+     repercent-encode any octet produced that is not part of a strictly legal
+     UTF-8 octet sequence.
+     """
+    changed_parts = []
+     while True:
+         try:
+             path.decode()
+@@ -236,9 +237,10 @@ def repercent_broken_unicode(path):
+             # CVE-2019-14235: A recursion shouldn't be used since the exception
+             # handling uses massive amounts of memory
+             repercent = quote(path[e.start:e.end], safe=b"/#%[]=:;$&()+,!?*@'~")
+-            path = path[:e.start] + repercent.encode() + path[e.end:]
+            changed_parts.append(path[:e.start] + repercent.encode())
+            path = path[e.end:]
+         else:
+-            return path
+            return b"".join(changed_parts) + path
+ 
+ 
+ def filepath_to_uri(path):
+diff --git a/tests/utils_tests/test_encoding.py b/tests/utils_tests/test_encoding.py
+index 36f2d8665f3c..42779050cb3a 100644
+--- a/tests/utils_tests/test_encoding.py
+++ b/tests/utils_tests/test_encoding.py
+@@ -1,9 +1,10 @@
+ import datetime
+import inspect
+ import sys
+ import unittest
+ from pathlib import Path
+ from unittest import mock
+-from urllib.parse import quote_plus
+from urllib.parse import quote, quote_plus
+ 
+ from django.test import SimpleTestCase
+ from django.utils.encoding import (
+@@ -101,6 +102,24 @@ def test_repercent_broken_unicode_recursion_error(self):
+         except RecursionError:
+             self.fail('Unexpected RecursionError raised.')
+ 
+    def test_repercent_broken_unicode_small_fragments(self):
+        data = b"test\xfctest\xfctest\xfc"
+        decoded_paths = []
+
+        def mock_quote(*args, **kwargs):
+            # The second frame is the call to repercent_broken_unicode().
+            decoded_paths.append(inspect.currentframe().f_back.f_locals["path"])
+            return quote(*args, **kwargs)
+
+        with mock.patch("django.utils.encoding.quote", mock_quote):
+            self.assertEqual(repercent_broken_unicode(data), b"test%FCtest%FCtest%FC")
+
+        # decode() is called on smaller fragment of the path each time.
+        self.assertEqual(
+            decoded_paths,
+            [b"test\xfctest\xfctest\xfc", b"test\xfctest\xfc", b"test\xfc"],
+        )
+
+ 
+ class TestRFC3987IEncodingUtils(unittest.TestCase):
+
--- a/python-django.spec
+++ b/python-django.spec
@ -1,7 +1,7 @@
 %global _empty_manifest_terminate_build 0
 Name:		python-django
 Version:	3.2.12
-Release:	5
+Release:	6
 Summary:	A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
 License:	Apache-2.0 and Python-2.0 and BSD-3-Clause
 URL:		https://www.djangoproject.com/
@ -14,6 +14,7 @@ Patch2:         CVE-2023-23969.patch
 Patch3:         CVE-2023-24580.patch
 Patch4:         CVE-2023-31047.patch
 Patch5:         CVE-2023-36053.patch
+Patch6:         CVE-2023-41164.patch

 BuildArch:	noarch
 %description
@ -80,6 +81,9 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*

 %changelog
+* Thu Sep 14 2023 wangkai <13474090681@163.com> - 3.2.12-6
+- Fix CVE-2023-41164
+
 * Mon Jul 17 2023 yaoxin <yao_xin001@hoperun.com> - 3.2.12-5
 - Fix CVE-2023-36053