python3-django: Fix CVE-2024-41990

An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-41990 Upstream-patch: https://github.com/django/django/commit/d0a82e26a74940bf0c78204933c3bdd6a283eb88 Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Soumya Sambu <soumya.sambu@windriver.com> 2025-01-10 13:17:58 +0000
committer: Armin Kuster <akuster808@gmail.com> 2025-01-22 19:22:56 -0500
commit: 4e8fa78778944fa005ee94a7346a4d0d9e2c7405 (patch)
tree: 1cf0f7c36d18aa1e6949861880899f2288923ae1 /meta-python/recipes-devtools/python/python3-django
parent: 46701493ac4201c76aad1aeaf28e9b35851398ec (diff)
download: meta-openembedded-4e8fa78778944fa005ee94a7346a4d0d9e2c7405.tar.gz
1 files changed, 69 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2024-41990.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2024-41990.patch
new file mode 100644
index 0000000000..f4be195200
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-django/CVE-2024-41990.patch
@@ -0,0 +1,69 @@
+From d0a82e26a74940bf0c78204933c3bdd6a283eb88 Mon Sep 17 00:00:00 2001
+From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
+Date: Thu, 18 Jul 2024 13:19:34 +0200
+Subject: [PATCH] [4.2.x] Fixed CVE-2024-41990 -- Mitigated potential DoS in
+ urlize and urlizetrunc template filters.
+Thanks to MProgrammer for the report.
+CVE: CVE-2024-41990
+Upstream-Status: Backport [https://github.com/django/django/commit/d0a82e26a74940bf0c78204933c3bdd6a283eb88]
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ django/utils/html.py           | 18 ++++++++----------
+ tests/utils_tests/test_html.py |  2 ++
+ 2 files changed, 10 insertions(+), 10 deletions(-)
+diff --git a/django/utils/html.py b/django/utils/html.py
+index f1b74ab..84e157d 100644
+--- a/django/utils/html.py
+++ b/django/utils/html.py
+@@ -315,7 +315,11 @@ def urlize(text, trim_url_limit=None, nofollow=False, autoescape=False):
+                         trimmed_something = True
+                         counts[closing] -= strip
+-            rstripped = middle.rstrip(trailing_punctuation_chars_no_semicolon())
+            amp = middle.rfind("&")
+            if amp == -1:
+                rstripped = middle.rstrip(TRAILING_PUNCTUATION_CHARS)
+            else:
+                rstripped = middle.rstrip(trailing_punctuation_chars_no_semicolon())
+             if rstripped != middle:
+                 trail = middle[len(rstripped) :] + trail
+                 middle = rstripped
+@@ -323,15 +327,9 @@ def urlize(text, trim_url_limit=None, nofollow=False, autoescape=False):
+             if trailing_punctuation_chars_has_semicolon() and middle.endswith(";"):
+                 # Only strip if not part of an HTML entity.
+-                amp = middle.rfind("&")
+-                if amp == -1:
+-                    can_strip = True
+-                else:
+-                    potential_entity = middle[amp:]
+-                    escaped = unescape(potential_entity)
+-                    can_strip = (escaped == potential_entity) or escaped.endswith(";")
+-
+-                if can_strip:
+                potential_entity = middle[amp:]
+                escaped = unescape(potential_entity)
+                if escaped == potential_entity or escaped.endswith(";"):
+                     rstripped = middle.rstrip(";")
+                     amount_stripped = len(middle) - len(rstripped)
+                     if amp > -1 and amount_stripped > 1:
+diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
+index 715c1c6..5abab8d 100644
+--- a/tests/utils_tests/test_html.py
+++ b/tests/utils_tests/test_html.py
+@@ -274,6 +274,8 @@ class TestUtilsHtml(SimpleTestCase):
+             "[(" * 100_000 + ":" + ")]" * 100_000,
+             "([[" * 100_000 + ":" + "]])" * 100_000,
+             "&:" + ";" * 100_000,
+            "&.;" * 100_000,
+            ".;" * 100_000,
+         )
+         for value in tests:
+             with self.subTest(value=value):
+--
+2.40.0
author	Soumya Sambu <soumya.sambu@windriver.com>	2025-01-10 13:17:58 +0000
committer	Armin Kuster <akuster808@gmail.com>	2025-01-22 19:22:56 -0500
commit	4e8fa78778944fa005ee94a7346a4d0d9e2c7405 (patch)
tree	1cf0f7c36d18aa1e6949861880899f2288923ae1 /meta-python/recipes-devtools/python/python3-django
parent	46701493ac4201c76aad1aeaf28e9b35851398ec (diff)
download	meta-openembedded-4e8fa78778944fa005ee94a7346a4d0d9e2c7405.tar.gz

diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2024-41990.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2024-41990.patch new file mode 100644 index 0000000000..f4be195200 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django/CVE-2024-41990.patch
@@ -0,0 +1,69 @@
	1	From d0a82e26a74940bf0c78204933c3bdd6a283eb88 Mon Sep 17 00:00:00 2001
	2	From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
	3	Date: Thu, 18 Jul 2024 13:19:34 +0200
	4	Subject: [PATCH] [4.2.x] Fixed CVE-2024-41990 -- Mitigated potential DoS in
	5	urlize and urlizetrunc template filters.
	6
	7	Thanks to MProgrammer for the report.
	8
	9	CVE: CVE-2024-41990
	10
	11	Upstream-Status: Backport [https://github.com/django/django/commit/d0a82e26a74940bf0c78204933c3bdd6a283eb88]
	12
	13	Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
	14	---
	15	django/utils/html.py \| 18 ++++++++----------
	16	tests/utils_tests/test_html.py \| 2 ++
	17	2 files changed, 10 insertions(+), 10 deletions(-)
	18
	19	diff --git a/django/utils/html.py b/django/utils/html.py
	20	index f1b74ab..84e157d 100644
	21	--- a/django/utils/html.py
	22	+++ b/django/utils/html.py
	23	@@ -315,7 +315,11 @@ def urlize(text, trim_url_limit=None, nofollow=False, autoescape=False):
	24	trimmed_something = True
	25	counts[closing] -= strip
	26
	27	- rstripped = middle.rstrip(trailing_punctuation_chars_no_semicolon())
	28	+ amp = middle.rfind("&")
	29	+ if amp == -1:
	30	+ rstripped = middle.rstrip(TRAILING_PUNCTUATION_CHARS)
	31	+ else:
	32	+ rstripped = middle.rstrip(trailing_punctuation_chars_no_semicolon())
	33	if rstripped != middle:
	34	trail = middle[len(rstripped) :] + trail
	35	middle = rstripped
	36	@@ -323,15 +327,9 @@ def urlize(text, trim_url_limit=None, nofollow=False, autoescape=False):
	37
	38	if trailing_punctuation_chars_has_semicolon() and middle.endswith(";"):
	39	# Only strip if not part of an HTML entity.
	40	- amp = middle.rfind("&")
	41	- if amp == -1:
	42	- can_strip = True
	43	- else:
	44	- potential_entity = middle[amp:]
	45	- escaped = unescape(potential_entity)
	46	- can_strip = (escaped == potential_entity) or escaped.endswith(";")
	47	-
	48	- if can_strip:
	49	+ potential_entity = middle[amp:]
	50	+ escaped = unescape(potential_entity)
	51	+ if escaped == potential_entity or escaped.endswith(";"):
	52	rstripped = middle.rstrip(";")
	53	amount_stripped = len(middle) - len(rstripped)
	54	if amp > -1 and amount_stripped > 1:
	55	diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
	56	index 715c1c6..5abab8d 100644
	57	--- a/tests/utils_tests/test_html.py
	58	+++ b/tests/utils_tests/test_html.py
	59	@@ -274,6 +274,8 @@ class TestUtilsHtml(SimpleTestCase):
	60	"[(" * 100_000 + ":" + ")]" * 100_000,
	61	"([[" * 100_000 + ":" + "]])" * 100_000,
	62	"&:" + ";" * 100_000,
	63	+ "&.;" * 100_000,
	64	+ ".;" * 100_000,
	65	)
	66	for value in tests:
	67	with self.subTest(value=value):
	68	--
	69	2.40.0