From 4e8fa78778944fa005ee94a7346a4d0d9e2c7405 Mon Sep 17 00:00:00 2001 From: Soumya Sambu Date: Fri, 10 Jan 2025 13:17:58 +0000 Subject: python3-django: Fix CVE-2024-41990 An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2.15. The urlize() and urlizetrunc() template filters are subject to a potential denial-of-service attack via very large inputs with a specific sequence of characters. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-41990 Upstream-patch: https://github.com/django/django/commit/d0a82e26a74940bf0c78204933c3bdd6a283eb88 Signed-off-by: Soumya Sambu Signed-off-by: Armin Kuster --- .../python/python3-django/CVE-2024-41990.patch | 69 ++++++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 meta-python/recipes-devtools/python/python3-django/CVE-2024-41990.patch (limited to 'meta-python/recipes-devtools/python/python3-django/CVE-2024-41990.patch') diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2024-41990.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2024-41990.patch new file mode 100644 index 0000000000..f4be195200 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django/CVE-2024-41990.patch @@ -0,0 +1,69 @@ +From d0a82e26a74940bf0c78204933c3bdd6a283eb88 Mon Sep 17 00:00:00 2001 +From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> +Date: Thu, 18 Jul 2024 13:19:34 +0200 +Subject: [PATCH] [4.2.x] Fixed CVE-2024-41990 -- Mitigated potential DoS in + urlize and urlizetrunc template filters. + +Thanks to MProgrammer for the report. + +CVE: CVE-2024-41990 + +Upstream-Status: Backport [https://github.com/django/django/commit/d0a82e26a74940bf0c78204933c3bdd6a283eb88] + +Signed-off-by: Soumya Sambu +--- + django/utils/html.py | 18 ++++++++---------- + tests/utils_tests/test_html.py | 2 ++ + 2 files changed, 10 insertions(+), 10 deletions(-) + +diff --git a/django/utils/html.py b/django/utils/html.py +index f1b74ab..84e157d 100644 +--- a/django/utils/html.py ++++ b/django/utils/html.py +@@ -315,7 +315,11 @@ def urlize(text, trim_url_limit=None, nofollow=False, autoescape=False): + trimmed_something = True + counts[closing] -= strip + +- rstripped = middle.rstrip(trailing_punctuation_chars_no_semicolon()) ++ amp = middle.rfind("&") ++ if amp == -1: ++ rstripped = middle.rstrip(TRAILING_PUNCTUATION_CHARS) ++ else: ++ rstripped = middle.rstrip(trailing_punctuation_chars_no_semicolon()) + if rstripped != middle: + trail = middle[len(rstripped) :] + trail + middle = rstripped +@@ -323,15 +327,9 @@ def urlize(text, trim_url_limit=None, nofollow=False, autoescape=False): + + if trailing_punctuation_chars_has_semicolon() and middle.endswith(";"): + # Only strip if not part of an HTML entity. +- amp = middle.rfind("&") +- if amp == -1: +- can_strip = True +- else: +- potential_entity = middle[amp:] +- escaped = unescape(potential_entity) +- can_strip = (escaped == potential_entity) or escaped.endswith(";") +- +- if can_strip: ++ potential_entity = middle[amp:] ++ escaped = unescape(potential_entity) ++ if escaped == potential_entity or escaped.endswith(";"): + rstripped = middle.rstrip(";") + amount_stripped = len(middle) - len(rstripped) + if amp > -1 and amount_stripped > 1: +diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py +index 715c1c6..5abab8d 100644 +--- a/tests/utils_tests/test_html.py ++++ b/tests/utils_tests/test_html.py +@@ -274,6 +274,8 @@ class TestUtilsHtml(SimpleTestCase): + "[(" * 100_000 + ":" + ")]" * 100_000, + "([[" * 100_000 + ":" + "]])" * 100_000, + "&:" + ";" * 100_000, ++ "&.;" * 100_000, ++ ".;" * 100_000, + ) + for value in tests: + with self.subTest(value=value): +-- +2.40.0 -- cgit v1.2.3-54-g00ecf