python3-django: Fix for CVE-2023-43665 and CVE-2023-46695

CVE-2023-43665: In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232. CVE-2023-46695: An issue was discovered in Django 3.2 before 3.2.23, 4.1 before 4.1.13, and 4.2 before 4.2.7. The NFKC normalization is slow on Windows. As a consequence, django.contrib.auth.forms.UsernameField is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters. References: https://www.djangoproject.com/weblog/2023/oct/04/security-releases/ https://www.djangoproject.com/weblog/2023/nov/01/security-releases/ Signed-off-by: Narpat Mali <narpat.mali@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Narpat Mali <narpat.mali@windriver.com> 2023-11-30 12:23:37 +0000
committer: Armin Kuster <akuster808@gmail.com> 2024-01-12 07:14:16 -0500
commit: fee55605480b07337a6dc953a848f6a7e31f9a85 (patch)
tree: 46a564fd1a53649a739671e154694320d43a44c9 /meta-python/recipes-devtools/python/python3-django
parent: 8a042b540db5421785edcf21d5114be6358246fd (diff)
download: meta-openembedded-fee55605480b07337a6dc953a848f6a7e31f9a85.tar.gz
2 files changed, 289 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2023-43665.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2023-43665.patch
new file mode 100644
index 0000000000..dbfb9b68a8
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-django/CVE-2023-43665.patch
@@ -0,0 +1,199 @@
+From b269a0063e9b10a6c88c92b24d1b92c7421950de Mon Sep 17 00:00:00 2001
+From: Natalia <124304+nessita@users.noreply.github.com>
+Date: Wed, 29 Nov 2023 12:20:01 +0000
+Subject: [PATCH 1/2] Fixed CVE-2023-43665 -- Mitigated potential DoS in
+ django.utils.text.Truncator when truncating HTML text.
+Thanks Wenchao Li of Alibaba Group for the report.
+CVE: CVE-2023-43665
+Upstream-Status: Backport [https://github.com/django/django/commit/ccdade1a0262537868d7ca64374de3d957ca50c5]
+Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
+---
+ django/utils/text.py            | 18 ++++++++++++++++-
+ docs/ref/templates/builtins.txt | 20 +++++++++++++++++++
+ docs/releases/2.2.28.txt        | 20 +++++++++++++++++++
+ tests/utils_tests/test_text.py  | 35 ++++++++++++++++++++++++---------
+ 4 files changed, 83 insertions(+), 10 deletions(-)
+diff --git a/django/utils/text.py b/django/utils/text.py
+index 1fae7b2..06a377b 100644
+--- a/django/utils/text.py
+++ b/django/utils/text.py
+@@ -57,7 +57,14 @@ def wrap(text, width):
+ class Truncator(SimpleLazyObject):
+     """
+     An object used to truncate text, either by characters or words.
+
+    When truncating HTML text (either chars or words), input will be limited to
+    at most `MAX_LENGTH_HTML` characters.
+     """
+
+    # 5 million characters are approximately 4000 text pages or 3 web pages.
+    MAX_LENGTH_HTML = 5_000_000
+
+     def __init__(self, text):
+         super().__init__(lambda: str(text))
+@@ -154,6 +161,11 @@ class Truncator(SimpleLazyObject):
+         if words and length <= 0:
+             return ''
+        size_limited = False
+        if len(text) > self.MAX_LENGTH_HTML:
+            text = text[: self.MAX_LENGTH_HTML]
+            size_limited = True
+
+         html4_singlets = (
+             'br', 'col', 'link', 'base', 'img',
+             'param', 'area', 'hr', 'input'
+@@ -203,10 +215,14 @@ class Truncator(SimpleLazyObject):
+                 # Add it to the start of the open tags list
+                 open_tags.insert(0, tagname)
+        truncate_text = self.add_truncation_text("", truncate)
+
+         if current_len <= length:
+            if size_limited and truncate_text:
+                text += truncate_text
+             return text
+
+         out = text[:end_text_pos]
+-        truncate_text = self.add_truncation_text('', truncate)
+         if truncate_text:
+             out += truncate_text
+         # Close any tags still open
+diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt
+index c4b0fa3..4faab38 100644
+--- a/docs/ref/templates/builtins.txt
+++ b/docs/ref/templates/builtins.txt
+@@ -2318,6 +2318,16 @@ If ``value`` is ``"<p>Joel is a slug</p>"``, the output will be
+ Newlines in the HTML content will be preserved.
+.. admonition:: Size of input string
+
+    Processing large, potentially malformed HTML strings can be
+    resource-intensive and impact service performance. ``truncatechars_html``
+    limits input to the first five million characters.
+
+.. versionchanged:: 2.2.28
+
+    In older versions, strings over five million characters were processed.
+
+ .. templatefilter:: truncatewords
+ ``truncatewords``
+@@ -2356,6 +2366,16 @@ If ``value`` is ``"<p>Joel is a slug</p>"``, the output will be
+ Newlines in the HTML content will be preserved.
+.. admonition:: Size of input string
+
+    Processing large, potentially malformed HTML strings can be
+    resource-intensive and impact service performance. ``truncatewords_html``
+    limits input to the first five million characters.
+
+.. versionchanged:: 2.2.28
+
+    In older versions, strings over five million characters were processed.
+
+ .. templatefilter:: unordered_list
+ ``unordered_list``
+diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt
+index 40eb230..6a38e9c 100644
+--- a/docs/releases/2.2.28.txt
+++ b/docs/releases/2.2.28.txt
+@@ -56,3 +56,23 @@ CVE-2023-41164: Potential denial of service vulnerability in ``django.utils.enco
+ ``django.utils.encoding.uri_to_iri()`` was subject to potential denial of
+ service attack via certain inputs with a very large number of Unicode
+ characters.
+
+Backporting the CVE-2023-43665 fix on Django 2.2.28.
+
+CVE-2023-43665: Denial-of-service possibility in ``django.utils.text.Truncator``
+================================================================================
+
+Following the fix for :cve:`2019-14232`, the regular expressions used in the
+implementation of ``django.utils.text.Truncator``'s ``chars()`` and ``words()``
+methods (with ``html=True``) were revised and improved. However, these regular
+expressions still exhibited linear backtracking complexity, so when given a
+very long, potentially malformed HTML input, the evaluation would still be
+slow, leading to a potential denial of service vulnerability.
+
+The ``chars()`` and ``words()`` methods are used to implement the
+:tfilter:`truncatechars_html` and :tfilter:`truncatewords_html` template
+filters, which were thus also vulnerable.
+
+The input processed by ``Truncator``, when operating in HTML mode, has been
+limited to the first five million characters in order to avoid potential
+performance and memory issues.
+diff --git a/tests/utils_tests/test_text.py b/tests/utils_tests/test_text.py
+index 27e440b..cb3063d 100644
+--- a/tests/utils_tests/test_text.py
+++ b/tests/utils_tests/test_text.py
+@@ -1,5 +1,6 @@
+ import json
+ import sys
+from unittest.mock import patch
+ from django.core.exceptions import SuspiciousFileOperation
+ from django.test import SimpleTestCase
+@@ -87,11 +88,17 @@ class TestUtilsText(SimpleTestCase):
+         # lazy strings are handled correctly
+         self.assertEqual(text.Truncator(lazystr('The quick brown fox')).chars(10), 'The quick…')
+-    def test_truncate_chars_html(self):
+    @patch("django.utils.text.Truncator.MAX_LENGTH_HTML", 10_000)
+    def test_truncate_chars_html_size_limit(self):
+        max_len = text.Truncator.MAX_LENGTH_HTML
+        bigger_len = text.Truncator.MAX_LENGTH_HTML + 1
+        valid_html = "<p>Joel is a slug</p>"  # 14 chars
+         perf_test_values = [
+-            (('</a' + '\t' * 50000) + '//>', None),
+-            ('&' * 50000, '&' * 9 + '…'),
+-            ('_X<<<<<<<<<<<>', None),
+            ("</a" + "\t" * (max_len - 6) + "//>", None),
+            ("</p" + "\t" * bigger_len + "//>", "</p" + "\t" * 6 + "…"),
+            ("&" * bigger_len, "&" * 9 + "…"),
+            ("_X<<<<<<<<<<<>", None),
+            (valid_html * bigger_len, "<p>Joel is a…</p>"),  # 10 chars
+         ]
+         for value, expected in perf_test_values:
+             with self.subTest(value=value):
+@@ -149,15 +156,25 @@ class TestUtilsText(SimpleTestCase):
+         truncator = text.Truncator('<p>I &lt;3 python, what about you?</p>')
+         self.assertEqual('<p>I &lt;3 python,…</p>', truncator.words(3, html=True))
+    @patch("django.utils.text.Truncator.MAX_LENGTH_HTML", 10_000)
+    def test_truncate_words_html_size_limit(self):
+        max_len = text.Truncator.MAX_LENGTH_HTML
+        bigger_len = text.Truncator.MAX_LENGTH_HTML + 1
+        valid_html = "<p>Joel is a slug</p>"  # 4 words
+         perf_test_values = [
+-            ('</a' + '\t' * 50000) + '//>',
+-            '&' * 50000,
+-            '_X<<<<<<<<<<<>',
+            ("</a" + "\t" * (max_len - 6) + "//>", None),
+            ("</p" + "\t" * bigger_len + "//>", "</p" + "\t" * (max_len - 3) + "…"),
+            ("&" * max_len, None),  # no change
+            ("&" * bigger_len, "&" * max_len + "…"),
+            ("_X<<<<<<<<<<<>", None),
+            (valid_html * bigger_len, valid_html * 12 + "<p>Joel is…</p>"),  # 50 words
+         ]
+-        for value in perf_test_values:
+        for value, expected in perf_test_values:
+             with self.subTest(value=value):
+                 truncator = text.Truncator(value)
+-                self.assertEqual(value, truncator.words(50, html=True))
+                self.assertEqual(
+                    expected if expected else value, truncator.words(50, html=True)
+                )
+     def test_wrap(self):
+         digits = '1234 67 9'
+--
+2.40.0
diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2023-46695.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2023-46695.patch
new file mode 100644
index 0000000000..b7dda41f8f
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-django/CVE-2023-46695.patch
@@ -0,0 +1,90 @@
+From 32bc7fa517be1d50239827520cc13f3112d3d748 Mon Sep 17 00:00:00 2001
+From: Mariusz Felisiak <felisiak.mariusz@gmail.com>
+Date: Wed, 29 Nov 2023 12:49:41 +0000
+Subject: [PATCH 2/2] Fixed CVE-2023-46695 -- Fixed potential DoS in
+ UsernameField on Windows.
+Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
+CVE: CVE-2023-46695
+Upstream-Status: Backport [https://github.com/django/django/commit/f9a7fb8466a7ba4857eaf930099b5258f3eafb2b]
+Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
+---
+ django/contrib/auth/forms.py   | 10 +++++++++-
+ docs/releases/2.2.28.txt       | 14 ++++++++++++++
+ tests/auth_tests/test_forms.py |  8 +++++++-
+ 3 files changed, 30 insertions(+), 2 deletions(-)
+diff --git a/django/contrib/auth/forms.py b/django/contrib/auth/forms.py
+index e6f73fe..26d3ca7 100644
+--- a/django/contrib/auth/forms.py
+++ b/django/contrib/auth/forms.py
+@@ -68,7 +68,15 @@ class ReadOnlyPasswordHashField(forms.Field):
+ class UsernameField(forms.CharField):
+     def to_python(self, value):
+-        return unicodedata.normalize('NFKC', super().to_python(value))
+        value = super().to_python(value)
+        if self.max_length is not None and len(value) > self.max_length:
+            # Normalization can increase the string length (e.g.
+            # "ﬀ" -> "ff", "½" -> "1⁄2") but cannot reduce it, so there is no
+            # point in normalizing invalid data. Moreover, Unicode
+            # normalization is very slow on Windows and can be a DoS attack
+            # vector.
+            return value
+        return unicodedata.normalize("NFKC", value)
+ class UserCreationForm(forms.ModelForm):
+diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt
+index 6a38e9c..c653cb6 100644
+--- a/docs/releases/2.2.28.txt
+++ b/docs/releases/2.2.28.txt
+@@ -76,3 +76,17 @@ filters, which were thus also vulnerable.
+ The input processed by ``Truncator``, when operating in HTML mode, has been
+ limited to the first five million characters in order to avoid potential
+ performance and memory issues.
+
+Backporting the CVE-2023-46695 fix on Django 2.2.28.
+
+CVE-2023-46695: Potential denial of service vulnerability in ``UsernameField`` on Windows
+=========================================================================================
+
+The :func:`NFKC normalization <python:unicodedata.normalize>` is slow on
+Windows. As a consequence, ``django.contrib.auth.forms.UsernameField`` was
+subject to a potential denial of service attack via certain inputs with a very
+large number of Unicode characters.
+
+In order to avoid the vulnerability, invalid values longer than
+``UsernameField.max_length`` are no longer normalized, since they cannot pass
+validation anyway.
+diff --git a/tests/auth_tests/test_forms.py b/tests/auth_tests/test_forms.py
+index bed23af..e73d4b8 100644
+--- a/tests/auth_tests/test_forms.py
+++ b/tests/auth_tests/test_forms.py
+@@ -6,7 +6,7 @@ from django import forms
+ from django.contrib.auth.forms import (
+     AdminPasswordChangeForm, AuthenticationForm, PasswordChangeForm,
+     PasswordResetForm, ReadOnlyPasswordHashField, ReadOnlyPasswordHashWidget,
+-    SetPasswordForm, UserChangeForm, UserCreationForm,
+    SetPasswordForm, UserChangeForm, UserCreationForm, UsernameField,
+ )
+ from django.contrib.auth.models import User
+ from django.contrib.auth.signals import user_login_failed
+@@ -132,6 +132,12 @@ class UserCreationFormTest(TestDataMixin, TestCase):
+         self.assertNotEqual(user.username, ohm_username)
+         self.assertEqual(user.username, 'testΩ')  # U+03A9 GREEK CAPITAL LETTER OMEGA
+    def test_invalid_username_no_normalize(self):
+        field = UsernameField(max_length=254)
+        # Usernames are not normalized if they are too long.
+        self.assertEqual(field.to_python("½" * 255), "½" * 255)
+        self.assertEqual(field.to_python("ﬀ" * 254), "ff" * 254)
+
+     def test_duplicate_normalized_unicode(self):
+         """
+         To prevent almost identical usernames, visually identical but differing
+--
+2.40.0
author	Narpat Mali <narpat.mali@windriver.com>	2023-11-30 12:23:37 +0000
committer	Armin Kuster <akuster808@gmail.com>	2024-01-12 07:14:16 -0500
commit	fee55605480b07337a6dc953a848f6a7e31f9a85 (patch)
tree	46a564fd1a53649a739671e154694320d43a44c9 /meta-python/recipes-devtools/python/python3-django
parent	8a042b540db5421785edcf21d5114be6358246fd (diff)
download	meta-openembedded-fee55605480b07337a6dc953a848f6a7e31f9a85.tar.gz

diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2023-43665.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2023-43665.patch new file mode 100644 index 0000000000..dbfb9b68a8 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django/CVE-2023-43665.patch
@@ -0,0 +1,199 @@
	1	From b269a0063e9b10a6c88c92b24d1b92c7421950de Mon Sep 17 00:00:00 2001
	2	From: Natalia <124304+nessita@users.noreply.github.com>
	3	Date: Wed, 29 Nov 2023 12:20:01 +0000
	4	Subject: [PATCH 1/2] Fixed CVE-2023-43665 -- Mitigated potential DoS in
	5	django.utils.text.Truncator when truncating HTML text.
	6
	7	Thanks Wenchao Li of Alibaba Group for the report.
	8
	9	CVE: CVE-2023-43665
	10
	11	Upstream-Status: Backport [https://github.com/django/django/commit/ccdade1a0262537868d7ca64374de3d957ca50c5]
	12
	13	Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
	14	---
	15	django/utils/text.py \| 18 ++++++++++++++++-
	16	docs/ref/templates/builtins.txt \| 20 +++++++++++++++++++
	17	docs/releases/2.2.28.txt \| 20 +++++++++++++++++++
	18	tests/utils_tests/test_text.py \| 35 ++++++++++++++++++++++++---------
	19	4 files changed, 83 insertions(+), 10 deletions(-)
	20
	21	diff --git a/django/utils/text.py b/django/utils/text.py
	22	index 1fae7b2..06a377b 100644
	23	--- a/django/utils/text.py
	24	+++ b/django/utils/text.py
	25	@@ -57,7 +57,14 @@ def wrap(text, width):
	26	class Truncator(SimpleLazyObject):
	27	"""
	28	An object used to truncate text, either by characters or words.
	29	+
	30	+ When truncating HTML text (either chars or words), input will be limited to
	31	+ at most `MAX_LENGTH_HTML` characters.
	32	"""
	33	+
	34	+ # 5 million characters are approximately 4000 text pages or 3 web pages.
	35	+ MAX_LENGTH_HTML = 5_000_000
	36	+
	37	def __init__(self, text):
	38	super().__init__(lambda: str(text))
	39
	40	@@ -154,6 +161,11 @@ class Truncator(SimpleLazyObject):
	41	if words and length <= 0:
	42	return ''
	43
	44	+ size_limited = False
	45	+ if len(text) > self.MAX_LENGTH_HTML:
	46	+ text = text[: self.MAX_LENGTH_HTML]
	47	+ size_limited = True
	48	+
	49	html4_singlets = (
	50	'br', 'col', 'link', 'base', 'img',
	51	'param', 'area', 'hr', 'input'
	52	@@ -203,10 +215,14 @@ class Truncator(SimpleLazyObject):
	53	# Add it to the start of the open tags list
	54	open_tags.insert(0, tagname)
	55
	56	+ truncate_text = self.add_truncation_text("", truncate)
	57	+
	58	if current_len <= length:
	59	+ if size_limited and truncate_text:
	60	+ text += truncate_text
	61	return text
	62	+
	63	out = text[:end_text_pos]
	64	- truncate_text = self.add_truncation_text('', truncate)
	65	if truncate_text:
	66	out += truncate_text
	67	# Close any tags still open
	68	diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt
	69	index c4b0fa3..4faab38 100644
	70	--- a/docs/ref/templates/builtins.txt
	71	+++ b/docs/ref/templates/builtins.txt
	72	@@ -2318,6 +2318,16 @@ If ``value`` is ``"<p>Joel is a slug</p>"``, the output will be
	73
	74	Newlines in the HTML content will be preserved.
	75
	76	+.. admonition:: Size of input string
	77	+
	78	+ Processing large, potentially malformed HTML strings can be
	79	+ resource-intensive and impact service performance. ``truncatechars_html``
	80	+ limits input to the first five million characters.
	81	+
	82	+.. versionchanged:: 2.2.28
	83	+
	84	+ In older versions, strings over five million characters were processed.
	85	+
	86	.. templatefilter:: truncatewords
	87
	88	``truncatewords``
	89	@@ -2356,6 +2366,16 @@ If ``value`` is ``"<p>Joel is a slug</p>"``, the output will be
	90
	91	Newlines in the HTML content will be preserved.
	92
	93	+.. admonition:: Size of input string
	94	+
	95	+ Processing large, potentially malformed HTML strings can be
	96	+ resource-intensive and impact service performance. ``truncatewords_html``
	97	+ limits input to the first five million characters.
	98	+
	99	+.. versionchanged:: 2.2.28
	100	+
	101	+ In older versions, strings over five million characters were processed.
	102	+
	103	.. templatefilter:: unordered_list
	104
	105	``unordered_list``
	106	diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt
	107	index 40eb230..6a38e9c 100644
	108	--- a/docs/releases/2.2.28.txt
	109	+++ b/docs/releases/2.2.28.txt
	110	@@ -56,3 +56,23 @@ CVE-2023-41164: Potential denial of service vulnerability in ``django.utils.enco
	111	``django.utils.encoding.uri_to_iri()`` was subject to potential denial of
	112	service attack via certain inputs with a very large number of Unicode
	113	characters.
	114	+
	115	+Backporting the CVE-2023-43665 fix on Django 2.2.28.
	116	+
	117	+CVE-2023-43665: Denial-of-service possibility in ``django.utils.text.Truncator``
	118	+================================================================================
	119	+
	120	+Following the fix for :cve:`2019-14232`, the regular expressions used in the
	121	+implementation of ``django.utils.text.Truncator``'s ``chars()`` and ``words()``
	122	+methods (with ``html=True``) were revised and improved. However, these regular
	123	+expressions still exhibited linear backtracking complexity, so when given a
	124	+very long, potentially malformed HTML input, the evaluation would still be
	125	+slow, leading to a potential denial of service vulnerability.
	126	+
	127	+The ``chars()`` and ``words()`` methods are used to implement the
	128	+:tfilter:`truncatechars_html` and :tfilter:`truncatewords_html` template
	129	+filters, which were thus also vulnerable.
	130	+
	131	+The input processed by ``Truncator``, when operating in HTML mode, has been
	132	+limited to the first five million characters in order to avoid potential
	133	+performance and memory issues.
	134	diff --git a/tests/utils_tests/test_text.py b/tests/utils_tests/test_text.py
	135	index 27e440b..cb3063d 100644
	136	--- a/tests/utils_tests/test_text.py
	137	+++ b/tests/utils_tests/test_text.py
	138	@@ -1,5 +1,6 @@
	139	import json
	140	import sys
	141	+from unittest.mock import patch
	142
	143	from django.core.exceptions import SuspiciousFileOperation
	144	from django.test import SimpleTestCase
	145	@@ -87,11 +88,17 @@ class TestUtilsText(SimpleTestCase):
	146	# lazy strings are handled correctly
	147	self.assertEqual(text.Truncator(lazystr('The quick brown fox')).chars(10), 'The quick…')
	148
	149	- def test_truncate_chars_html(self):
	150	+ @patch("django.utils.text.Truncator.MAX_LENGTH_HTML", 10_000)
	151	+ def test_truncate_chars_html_size_limit(self):
	152	+ max_len = text.Truncator.MAX_LENGTH_HTML
	153	+ bigger_len = text.Truncator.MAX_LENGTH_HTML + 1
	154	+ valid_html = "<p>Joel is a slug</p>" # 14 chars
	155	perf_test_values = [
	156	- (('</a' + '\t' * 50000) + '//>', None),
	157	- ('&' * 50000, '&' * 9 + '…'),
	158	- ('_X<<<<<<<<<<<>', None),
	159	+ ("</a" + "\t" * (max_len - 6) + "//>", None),
	160	+ ("</p" + "\t" * bigger_len + "//>", "</p" + "\t" * 6 + "…"),
	161	+ ("&" * bigger_len, "&" * 9 + "…"),
	162	+ ("_X<<<<<<<<<<<>", None),
	163	+ (valid_html * bigger_len, "<p>Joel is a…</p>"), # 10 chars
	164	]
	165	for value, expected in perf_test_values:
	166	with self.subTest(value=value):
	167	@@ -149,15 +156,25 @@ class TestUtilsText(SimpleTestCase):
	168	truncator = text.Truncator('<p>I <3 python, what about you?</p>')
	169	self.assertEqual('<p>I <3 python,…</p>', truncator.words(3, html=True))
	170
	171	+ @patch("django.utils.text.Truncator.MAX_LENGTH_HTML", 10_000)
	172	+ def test_truncate_words_html_size_limit(self):
	173	+ max_len = text.Truncator.MAX_LENGTH_HTML
	174	+ bigger_len = text.Truncator.MAX_LENGTH_HTML + 1
	175	+ valid_html = "<p>Joel is a slug</p>" # 4 words
	176	perf_test_values = [
	177	- ('</a' + '\t' * 50000) + '//>',
	178	- '&' * 50000,
	179	- '_X<<<<<<<<<<<>',
	180	+ ("</a" + "\t" * (max_len - 6) + "//>", None),
	181	+ ("</p" + "\t" * bigger_len + "//>", "</p" + "\t" * (max_len - 3) + "…"),
	182	+ ("&" * max_len, None), # no change
	183	+ ("&" * bigger_len, "&" * max_len + "…"),
	184	+ ("_X<<<<<<<<<<<>", None),
	185	+ (valid_html * bigger_len, valid_html * 12 + "<p>Joel is…</p>"), # 50 words
	186	]
	187	- for value in perf_test_values:
	188	+ for value, expected in perf_test_values:
	189	with self.subTest(value=value):
	190	truncator = text.Truncator(value)
	191	- self.assertEqual(value, truncator.words(50, html=True))
	192	+ self.assertEqual(
	193	+ expected if expected else value, truncator.words(50, html=True)
	194	+ )
	195
	196	def test_wrap(self):
	197	digits = '1234 67 9'
	198	--
	199	2.40.0


diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2023-46695.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2023-46695.patch new file mode 100644 index 0000000000..b7dda41f8f --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django/CVE-2023-46695.patch
@@ -0,0 +1,90 @@
	1	From 32bc7fa517be1d50239827520cc13f3112d3d748 Mon Sep 17 00:00:00 2001
	2	From: Mariusz Felisiak <felisiak.mariusz@gmail.com>
	3	Date: Wed, 29 Nov 2023 12:49:41 +0000
	4	Subject: [PATCH 2/2] Fixed CVE-2023-46695 -- Fixed potential DoS in
	5	UsernameField on Windows.
	6
	7	Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
	8
	9	CVE: CVE-2023-46695
	10
	11	Upstream-Status: Backport [https://github.com/django/django/commit/f9a7fb8466a7ba4857eaf930099b5258f3eafb2b]
	12
	13	Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
	14	---
	15	django/contrib/auth/forms.py \| 10 +++++++++-
	16	docs/releases/2.2.28.txt \| 14 ++++++++++++++
	17	tests/auth_tests/test_forms.py \| 8 +++++++-
	18	3 files changed, 30 insertions(+), 2 deletions(-)
	19
	20	diff --git a/django/contrib/auth/forms.py b/django/contrib/auth/forms.py
	21	index e6f73fe..26d3ca7 100644
	22	--- a/django/contrib/auth/forms.py
	23	+++ b/django/contrib/auth/forms.py
	24	@@ -68,7 +68,15 @@ class ReadOnlyPasswordHashField(forms.Field):
	25
	26	class UsernameField(forms.CharField):
	27	def to_python(self, value):
	28	- return unicodedata.normalize('NFKC', super().to_python(value))
	29	+ value = super().to_python(value)
	30	+ if self.max_length is not None and len(value) > self.max_length:
	31	+ # Normalization can increase the string length (e.g.
	32	+ # "ﬀ" -> "ff", "½" -> "1⁄2") but cannot reduce it, so there is no
	33	+ # point in normalizing invalid data. Moreover, Unicode
	34	+ # normalization is very slow on Windows and can be a DoS attack
	35	+ # vector.
	36	+ return value
	37	+ return unicodedata.normalize("NFKC", value)
	38
	39
	40	class UserCreationForm(forms.ModelForm):
	41	diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt
	42	index 6a38e9c..c653cb6 100644
	43	--- a/docs/releases/2.2.28.txt
	44	+++ b/docs/releases/2.2.28.txt
	45	@@ -76,3 +76,17 @@ filters, which were thus also vulnerable.
	46	The input processed by ``Truncator``, when operating in HTML mode, has been
	47	limited to the first five million characters in order to avoid potential
	48	performance and memory issues.
	49	+
	50	+Backporting the CVE-2023-46695 fix on Django 2.2.28.
	51	+
	52	+CVE-2023-46695: Potential denial of service vulnerability in ``UsernameField`` on Windows
	53	+=========================================================================================
	54	+
	55	+The :func:`NFKC normalization <python:unicodedata.normalize>` is slow on
	56	+Windows. As a consequence, ``django.contrib.auth.forms.UsernameField`` was
	57	+subject to a potential denial of service attack via certain inputs with a very
	58	+large number of Unicode characters.
	59	+
	60	+In order to avoid the vulnerability, invalid values longer than
	61	+``UsernameField.max_length`` are no longer normalized, since they cannot pass
	62	+validation anyway.
	63	diff --git a/tests/auth_tests/test_forms.py b/tests/auth_tests/test_forms.py
	64	index bed23af..e73d4b8 100644
	65	--- a/tests/auth_tests/test_forms.py
	66	+++ b/tests/auth_tests/test_forms.py
	67	@@ -6,7 +6,7 @@ from django import forms
	68	from django.contrib.auth.forms import (
	69	AdminPasswordChangeForm, AuthenticationForm, PasswordChangeForm,
	70	PasswordResetForm, ReadOnlyPasswordHashField, ReadOnlyPasswordHashWidget,
	71	- SetPasswordForm, UserChangeForm, UserCreationForm,
	72	+ SetPasswordForm, UserChangeForm, UserCreationForm, UsernameField,
	73	)
	74	from django.contrib.auth.models import User
	75	from django.contrib.auth.signals import user_login_failed
	76	@@ -132,6 +132,12 @@ class UserCreationFormTest(TestDataMixin, TestCase):
	77	self.assertNotEqual(user.username, ohm_username)
	78	self.assertEqual(user.username, 'testΩ') # U+03A9 GREEK CAPITAL LETTER OMEGA
	79
	80	+ def test_invalid_username_no_normalize(self):
	81	+ field = UsernameField(max_length=254)
	82	+ # Usernames are not normalized if they are too long.
	83	+ self.assertEqual(field.to_python("½" * 255), "½" * 255)
	84	+ self.assertEqual(field.to_python("ﬀ" * 254), "ff" * 254)
	85	+
	86	def test_duplicate_normalized_unicode(self):
	87	"""
	88	To prevent almost identical usernames, visually identical but differing
	89	--
	90	2.40.0