From c473671472a71ed5871e2da61ef812c3d2df27ec Mon Sep 17 00:00:00 2001
From: wseelly
Date: Sat, 21 Jun 2025 10:04:07 +0800
Subject: [PATCH 1/5] fix:CVE-2025-26699
---
 python-django-5.0.8-CVE-2025-26699.patch | 61 ++++++++++++++++++++++++
 python-django.spec | 7 ++-
 2 files changed, 67 insertions(+), 1 deletion(-)
 create mode 100644 python-django-5.0.8-CVE-2025-26699.patch
diff --git a/python-django-5.0.8-CVE-2025-26699.patch b/python-django-5.0.8-CVE-2025-26699.patch
new file mode 100644
index 0000000..d2e5905
--- /dev/null
+++ b/python-django-5.0.8-CVE-2025-26699.patch
@@ -0,0 +1,61 @@ +diff --git a/django/utils/text.py b/django/utils/text.py +index 36ab6a9efc..281dd10caf 100644 +--- a/django/utils/text.py ++++ b/django/utils/text.py +@@ -107,6 +107,7 @@ def wrap(text, width): + for line in text.splitlines(True): + result.extend(wrapper.wrap(line)) + return "\n".join(result) ++<<<<<<< HEAD + + + def add_truncation_text(text, truncate=None): +@@ -123,6 +124,8 @@ def add_truncation_text(text, truncate=None): + # in this. + return text + return f"{text}{truncate}" ++======= ++>>>>>>> e88f7376fe ([4.2.x] Fixed CVE-2025-26699 -- Mitigated potential DoS in wordwrap template filter.) + + + class Truncator(SimpleLazyObject): +diff --git a/docs/releases/5.1.7.txt b/docs/releases/5.1.7.txt +new file mode 100644 +index 0000000000..164bc08de2 +--- /dev/null ++++ b/docs/releases/5.1.7.txt +@@ -0,0 +1,34 @@ ++========================== ++Django 5.1.7 release notes ++========================== ++ ++*March 6, 2025* ++ ++Django 5.1.7 fixes a security issue with severity "moderate" and several bugs ++in 5.1.6. ++ ++CVE-2025-26699: Potential denial-of-service vulnerability in ``django.utils.text.wrap()`` ++========================================================================================= ++ ++The ``wrap()`` and :tfilter:`wordwrap` template filter were subject to a ++potential denial-of-service attack when used with very long strings. ++ ++Bugfixes ++======== ++ ++* Fixed a bug in Django 5.1 where the ``{% querystring %}`` template tag ++ returned an empty string rather than ``"?"`` when all parameters had been ++ removed from the query string (:ticket:`36182`). ++ ++* Fixed a bug in Django 5.1 where ``FileSystemStorage``, with ++ ``allow_overwrite`` set to ``True``, did not truncate the overwritten file ++ content (:ticket:`36191`). 
++ ++* Fixed a regression in Django 5.1 where the ``count`` and ``exists`` methods ++ of ``ManyToManyField`` related managers would always return ``0`` and ++ ``False`` when the intermediary model back references used ``to_field`` ++ (:ticket:`36197`). ++ ++* Fixed a regression in Django 5.1 where the ``pre_save`` and ``post_save`` ++ signals for ``LogEntry`` were not sent when deleting a single object in the ++ admin (:ticket:`36217`). diff --git a/python-django.spec b/python-django.spec index bd9040d..86bfdfc 100644 --- a/python-django.spec +++ b/python-django.spec @@ -4,7 +4,7 @@ Summary: A high-level Python Web framework Name: python-django Version: 5.0.8 -Release: 3%{?dist} +Release: 4%{?dist} License: BSD URL: https://www.djangoproject.com/ Source0: https://github.com/django/django/archive/refs/tags/%{version}.tar.gz @@ -13,6 +13,7 @@ Patch001: python-django-5.0.8-CVE-2024-45230.patch Patch002: python-django-5.0.8-CVE-2024-45231.patch Patch003: python-django-5.0.8-CVE-2024-53907.patch Patch004: python-django-5.0.8-CVE-2024-53908.patch +patch005: python-django-5.0.8-CVE-2025-26699.patch BuildArch: noarch @@ -122,6 +123,10 @@ python3 runtests.py --settings=test_sqlite --verbosity=2 --parallel 1 %changelog +* Sat Jun 21 2025 Wseelly - 5.0.8-4 +- [Type] security +- [DESC] Resolves: CVE-2025-26699 + * Thu Dec 12 2024 Shop You - 5.0.8-3 - [Type] security - [DESC] Resolves: CVE-2024-45230 CVE-2024-45231 CVE-2024-53908 CVE-2024-53907 -- Gitee From e943ccffa3781c287ff28138b5b9a2186529f4a9 Mon Sep 17 00:00:00 2001 From: wseelly Date: Sat, 21 Jun 2025 10:26:33 +0800 Subject: [PATCH 2/5] fix:conflict --- python-django-5.0.8-CVE-2025-26699.patch | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/python-django-5.0.8-CVE-2025-26699.patch b/python-django-5.0.8-CVE-2025-26699.patch index d2e5905..207a57f 100644 --- a/python-django-5.0.8-CVE-2025-26699.patch +++ b/python-django-5.0.8-CVE-2025-26699.patch 
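Review bot: The new tag in the spec hunk is written `patch005:` while the existing entries are `Patch001:`–`Patch004:`; rpm reads tag names case-insensitively, so it works, but keep the spelling consistent: `Patch005: python-django-5.0.8-CVE-2025-26699.patch`. Whether the file is actually applied is decided by the `%prep` section (`%autosetup -p1` or explicit `%patch` lines), which is outside these hunks; if patches are listed individually there a matching line is required, and because the regression test `test_wrap_long_text` lives inside the same patch, an unapplied patch would not be noticed by the `python3 runtests.py` run visible in the third hunk (presumably `%check`). The first revision of the patch file added in this commit also carries unresolved `<<<<<<< HEAD` / `=======` / `>>>>>>>` markers that only later commits of the series remove; squashing the series so that every commit builds would avoid a revision that ships a corrupt patch.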
@@ -6,17 +6,12 @@ index 36ab6a9efc..281dd10caf 100644 for line in text.splitlines(True): result.extend(wrapper.wrap(line)) return "\n".join(result) -+<<<<<<< HEAD - - - def add_truncation_text(text, truncate=None): + @@ -123,6 +124,8 @@ def add_truncation_text(text, truncate=None): # in this. return text return f"{text}{truncate}" -+======= -+>>>>>>> e88f7376fe ([4.2.x] Fixed CVE-2025-26699 -- Mitigated potential DoS in wordwrap template filter.) - + class Truncator(SimpleLazyObject): diff --git a/docs/releases/5.1.7.txt b/docs/releases/5.1.7.txt -- Gitee From ce4d0191d12e2066c33faf5ea5b27507c8a08b12 Mon Sep 17 00:00:00 2001 From: wseelly Date: Sat, 21 Jun 2025 11:07:57 +0800 Subject: [PATCH 3/5] fix:patch --- python-django-5.0.8-CVE-2025-26699.patch | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/python-django-5.0.8-CVE-2025-26699.patch b/python-django-5.0.8-CVE-2025-26699.patch index 207a57f..75fa5ca 100644 --- a/python-django-5.0.8-CVE-2025-26699.patch +++ b/python-django-5.0.8-CVE-2025-26699.patch @@ -1,19 +1,3 @@ -diff --git a/django/utils/text.py b/django/utils/text.py -index 36ab6a9efc..281dd10caf 100644 ---- a/django/utils/text.py -+++ b/django/utils/text.py -@@ -107,6 +107,7 @@ def wrap(text, width): - for line in text.splitlines(True): - result.extend(wrapper.wrap(line)) - return "\n".join(result) - -@@ -123,6 +124,8 @@ def add_truncation_text(text, truncate=None): - # in this. - return text - return f"{text}{truncate}" - - - class Truncator(SimpleLazyObject): diff --git a/docs/releases/5.1.7.txt b/docs/releases/5.1.7.txt new file mode 100644 index 0000000000..164bc08de2 -- Gitee From 017a6466f9069959e4928ea6d034d650b4712ed7 Mon Sep 17 00:00:00 2001 From: wseelly Date: Tue, 24 Jun 2025 17:13:25 +0800 Subject: [PATCH 4/5] fix:update patch --- python-django-5.0.8-CVE-2025-26699.patch | 398 +++++++++++++++++++++-- 1 file changed, 373 insertions(+), 25 deletions(-) 
diff --git a/python-django-5.0.8-CVE-2025-26699.patch b/python-django-5.0.8-CVE-2025-26699.patch index 75fa5ca..8226713 100644 --- a/python-django-5.0.8-CVE-2025-26699.patch +++ b/python-django-5.0.8-CVE-2025-26699.patch 
@@ -1,40 +1,388 @@ +From 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b Mon Sep 17 00:00:00 2001 +From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> +Date: Tue, 25 Feb 2025 09:40:54 +0100 +Subject: [PATCH] Fixed CVE-2025-26699 -- Mitigated potential DoS in wordwrap + template filter. + +Thanks sw0rd1ight for the report. +--- + django/utils/text.py | 28 +++++++------------ + docs/releases/4.2.20.txt | 6 ++++ + docs/releases/5.0.13.txt | 6 ++++ + docs/releases/5.1.7.txt | 6 ++++ + .../filter_tests/test_wordwrap.py | 11 ++++++++ + 5 files changed, 39 insertions(+), 18 deletions(-) + +diff --git a/django/utils/text.py b/django/utils/text.py +index bad8f2f2da..05b781b011 100644 +--- a/django/utils/text.py ++++ b/django/utils/text.py +@@ -1,6 +1,7 @@ + import gzip + import re + import secrets ++import textwrap + import unicodedata + from collections import deque + from gzip import GzipFile +@@ -49,24 +50,15 @@ def wrap(text, width): + ``width``. + """ + +- def _generator(): +- for line in text.splitlines(True): # True keeps trailing linebreaks +- max_width = min((line.endswith("\n") and width + 1 or width), width) +- while len(line) > max_width: +- space = line[: max_width + 1].rfind(" ") + 1 +- if space == 0: +- space = line.find(" ") + 1 +- if space == 0: +- yield line +- line = "" +- break +- yield "%s\n" % line[: space - 1] +- line = line[space:] +- max_width = min((line.endswith("\n") and width + 1 or width), width) +- if line: +- yield line +- +- return "".join(_generator()) ++ wrapper = textwrap.TextWrapper( ++ width=width, ++ break_long_words=False, ++ break_on_hyphens=False, ++ ) ++ result = [] ++ for line in text.splitlines(True): ++ result.extend(wrapper.wrap(line)) ++ return "\n".join(result) + + + def add_truncation_text(text, truncate=None): +diff --git a/docs/releases/4.2.20.txt b/docs/releases/4.2.20.txt +index c71fa05f43..5849fe2a42 100644 +--- a/docs/releases/4.2.20.txt ++++ b/docs/releases/4.2.20.txt +@@ -5,3 +5,9 @@ Django 4.2.20 release notes 
+ *March 6, 2025* + + Django 4.2.20 fixes a security issue with severity "moderate" in 4.2.19. ++ ++CVE-2025-26699: Potential denial-of-service vulnerability in ``django.utils.text.wrap()`` ++========================================================================================= ++ ++The ``wrap()`` and :tfilter:`wordwrap` template filter were subject to a ++potential denial-of-service attack when used with very long strings. +diff --git a/docs/releases/5.0.13.txt b/docs/releases/5.0.13.txt +index 27dc3c2f60..ebb0de252a 100644 +--- a/docs/releases/5.0.13.txt ++++ b/docs/releases/5.0.13.txt +@@ -5,3 +5,9 @@ Django 5.0.13 release notes + *March 6, 2025* + + Django 5.0.13 fixes a security issue with severity "moderate" in 5.0.12. ++ ++CVE-2025-26699: Potential denial-of-service vulnerability in ``django.utils.text.wrap()`` ++========================================================================================= ++ ++The ``wrap()`` and :tfilter:`wordwrap` template filter were subject to a ++potential denial-of-service attack when used with very long strings. +diff --git a/docs/releases/5.1.7.txt b/docs/releases/5.1.7.txt +index 77e89d9c27..164bc08de2 100644 +--- a/docs/releases/5.1.7.txt ++++ b/docs/releases/5.1.7.txt +@@ -7,6 +7,12 @@ Django 5.1.7 release notes + Django 5.1.7 fixes a security issue with severity "moderate" and several bugs + in 5.1.6. + ++CVE-2025-26699: Potential denial-of-service vulnerability in ``django.utils.text.wrap()`` ++========================================================================================= ++ ++The ``wrap()`` and :tfilter:`wordwrap` template filter were subject to a ++potential denial-of-service attack when used with very long strings. 
++ + Bugfixes + ======== + +diff --git a/tests/template_tests/filter_tests/test_wordwrap.py b/tests/template_tests/filter_tests/test_wordwrap.py +index 88fbd274da..4afa1dd234 100644 +--- a/tests/template_tests/filter_tests/test_wordwrap.py ++++ b/tests/template_tests/filter_tests/test_wordwrap.py +@@ -78,3 +78,14 @@ class FunctionTests(SimpleTestCase): + "this is a long\nparagraph of\ntext that\nreally needs\nto be wrapped\n" + "I'm afraid", + ) ++ ++ def test_wrap_long_text(self): ++ long_text = ( ++ "this is a long paragraph of text that really needs" ++ " to be wrapped I'm afraid " * 20_000 ++ ) ++ self.assertIn( ++ "this is a\nlong\nparagraph\nof text\nthat\nreally\nneeds to\nbe wrapped\n" ++ "I'm afraid", ++ wordwrap(long_text, 10), ++ ) +-- +2.35.1.windows.2 + +From 3cfa472644d4ce764d84fed739177b5765ea4b8a Mon Sep 17 00:00:00 2001 +From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> +Date: Tue, 25 Feb 2025 09:40:54 +0100 +Subject: [PATCH] [5.2.x] Fixed CVE-2025-26699 -- Mitigated potential DoS in + wordwrap template filter. + +Thanks sw0rd1ight for the report. + +Backport of 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b from main. +--- + django/utils/text.py | 28 +++++++------------ + docs/releases/4.2.20.txt | 6 ++++ + docs/releases/5.0.13.txt | 6 ++++ + docs/releases/5.1.7.txt | 6 ++++ + .../filter_tests/test_wordwrap.py | 11 ++++++++ + 5 files changed, 39 insertions(+), 18 deletions(-) + +diff --git a/django/utils/text.py b/django/utils/text.py +index bad8f2f2da..05b781b011 100644 +--- a/django/utils/text.py ++++ b/django/utils/text.py +@@ -1,6 +1,7 @@ + import gzip + import re + import secrets ++import textwrap + import unicodedata + from collections import deque + from gzip import GzipFile +@@ -49,24 +50,15 @@ def wrap(text, width): + ``width``. 
+ """ + +- def _generator(): +- for line in text.splitlines(True): # True keeps trailing linebreaks +- max_width = min((line.endswith("\n") and width + 1 or width), width) +- while len(line) > max_width: +- space = line[: max_width + 1].rfind(" ") + 1 +- if space == 0: +- space = line.find(" ") + 1 +- if space == 0: +- yield line +- line = "" +- break +- yield "%s\n" % line[: space - 1] +- line = line[space:] +- max_width = min((line.endswith("\n") and width + 1 or width), width) +- if line: +- yield line +- +- return "".join(_generator()) ++ wrapper = textwrap.TextWrapper( ++ width=width, ++ break_long_words=False, ++ break_on_hyphens=False, ++ ) ++ result = [] ++ for line in text.splitlines(True): ++ result.extend(wrapper.wrap(line)) ++ return "\n".join(result) + + + def add_truncation_text(text, truncate=None): +diff --git a/docs/releases/4.2.20.txt b/docs/releases/4.2.20.txt +index c71fa05f43..5849fe2a42 100644 +--- a/docs/releases/4.2.20.txt ++++ b/docs/releases/4.2.20.txt +@@ -5,3 +5,9 @@ Django 4.2.20 release notes + *March 6, 2025* + + Django 4.2.20 fixes a security issue with severity "moderate" in 4.2.19. ++ ++CVE-2025-26699: Potential denial-of-service vulnerability in ``django.utils.text.wrap()`` ++========================================================================================= ++ ++The ``wrap()`` and :tfilter:`wordwrap` template filter were subject to a ++potential denial-of-service attack when used with very long strings. +diff --git a/docs/releases/5.0.13.txt b/docs/releases/5.0.13.txt +index 27dc3c2f60..ebb0de252a 100644 +--- a/docs/releases/5.0.13.txt ++++ b/docs/releases/5.0.13.txt +@@ -5,3 +5,9 @@ Django 5.0.13 release notes + *March 6, 2025* + + Django 5.0.13 fixes a security issue with severity "moderate" in 5.0.12. 
++ ++CVE-2025-26699: Potential denial-of-service vulnerability in ``django.utils.text.wrap()`` ++========================================================================================= ++ ++The ``wrap()`` and :tfilter:`wordwrap` template filter were subject to a ++potential denial-of-service attack when used with very long strings. diff --git a/docs/releases/5.1.7.txt b/docs/releases/5.1.7.txt -new file mode 100644 -index 0000000000..164bc08de2 ---- /dev/null +index 77e89d9c27..164bc08de2 100644 +--- a/docs/releases/5.1.7.txt 
+++ b/docs/releases/5.1.7.txt -@@ -0,0 +1,34 @@ -+========================== -+Django 5.1.7 release notes -+========================== +@@ -7,6 +7,12 @@ Django 5.1.7 release notes + Django 5.1.7 fixes a security issue with severity "moderate" and several bugs + in 5.1.6. + ++CVE-2025-26699: Potential denial-of-service vulnerability in ``django.utils.text.wrap()`` ++========================================================================================= ++ ++The ``wrap()`` and :tfilter:`wordwrap` template filter were subject to a ++potential denial-of-service attack when used with very long strings. + -+*March 6, 2025* + Bugfixes + ======== + +diff --git a/tests/template_tests/filter_tests/test_wordwrap.py b/tests/template_tests/filter_tests/test_wordwrap.py +index 88fbd274da..4afa1dd234 100644 +--- a/tests/template_tests/filter_tests/test_wordwrap.py ++++ b/tests/template_tests/filter_tests/test_wordwrap.py +@@ -78,3 +78,14 @@ class FunctionTests(SimpleTestCase): + "this is a long\nparagraph of\ntext that\nreally needs\nto be wrapped\n" + "I'm afraid", + ) + -+Django 5.1.7 fixes a security issue with severity "moderate" and several bugs -+in 5.1.6. ++ def test_wrap_long_text(self): ++ long_text = ( ++ "this is a long paragraph of text that really needs" ++ " to be wrapped I'm afraid " * 20_000 ++ ) ++ self.assertIn( ++ "this is a\nlong\nparagraph\nof text\nthat\nreally\nneeds to\nbe wrapped\n" ++ "I'm afraid", ++ wordwrap(long_text, 10), ++ ) +-- +2.35.1.windows.2 + +From 8dbb44d34271637099258391dfc79df33951b841 Mon Sep 17 00:00:00 2001 +From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> +Date: Tue, 25 Feb 2025 09:40:54 +0100 +Subject: [PATCH] [5.1.x] Fixed CVE-2025-26699 -- Mitigated potential DoS in + wordwrap template filter. + +Thanks sw0rd1ight for the report. + +Backport of 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b from main. 
+--- + django/utils/text.py | 28 +++++++------------ + docs/releases/4.2.20.txt | 6 ++++ + docs/releases/5.0.13.txt | 6 ++++ + docs/releases/5.1.7.txt | 6 ++++ + .../filter_tests/test_wordwrap.py | 11 ++++++++ + 5 files changed, 39 insertions(+), 18 deletions(-) + +diff --git a/django/utils/text.py b/django/utils/text.py +index bad8f2f2da..05b781b011 100644 +--- a/django/utils/text.py ++++ b/django/utils/text.py +@@ -1,6 +1,7 @@ + import gzip + import re + import secrets ++import textwrap + import unicodedata + from collections import deque + from gzip import GzipFile +@@ -49,24 +50,15 @@ def wrap(text, width): + ``width``. + """ + +- def _generator(): +- for line in text.splitlines(True): # True keeps trailing linebreaks +- max_width = min((line.endswith("\n") and width + 1 or width), width) +- while len(line) > max_width: +- space = line[: max_width + 1].rfind(" ") + 1 +- if space == 0: +- space = line.find(" ") + 1 +- if space == 0: +- yield line +- line = "" +- break +- yield "%s\n" % line[: space - 1] +- line = line[space:] +- max_width = min((line.endswith("\n") and width + 1 or width), width) +- if line: +- yield line +- +- return "".join(_generator()) ++ wrapper = textwrap.TextWrapper( ++ width=width, ++ break_long_words=False, ++ break_on_hyphens=False, ++ ) ++ result = [] ++ for line in text.splitlines(True): ++ result.extend(wrapper.wrap(line)) ++ return "\n".join(result) + + + def add_truncation_text(text, truncate=None): +diff --git a/docs/releases/4.2.20.txt b/docs/releases/4.2.20.txt +index c71fa05f43..5849fe2a42 100644 +--- a/docs/releases/4.2.20.txt ++++ b/docs/releases/4.2.20.txt +@@ -5,3 +5,9 @@ Django 4.2.20 release notes + *March 6, 2025* + + Django 4.2.20 fixes a security issue with severity "moderate" in 4.2.19. 
+ +CVE-2025-26699: Potential denial-of-service vulnerability in ``django.utils.text.wrap()`` +========================================================================================= + +The ``wrap()`` and :tfilter:`wordwrap` template filter were subject to a +potential denial-of-service attack when used with very long strings. +diff --git a/docs/releases/5.0.13.txt b/docs/releases/5.0.13.txt +index 27dc3c2f60..ebb0de252a 100644 +--- a/docs/releases/5.0.13.txt ++++ b/docs/releases/5.0.13.txt +@@ -5,3 +5,9 @@ Django 5.0.13 release notes + *March 6, 2025* + + Django 5.0.13 fixes a security issue with severity "moderate" in 5.0.12. + -+Bugfixes -+======== ++CVE-2025-26699: Potential denial-of-service vulnerability in ``django.utils.text.wrap()`` ++========================================================================================= + -+* Fixed a bug in Django 5.1 where the ``{% querystring %}`` template tag -+ returned an empty string rather than ``"?"`` when all parameters had been -+ removed from the query string (:ticket:`36182`). ++The ``wrap()`` and :tfilter:`wordwrap` template filter were subject to a ++potential denial-of-service attack when used with very long strings. +diff --git a/docs/releases/5.1.7.txt b/docs/releases/5.1.7.txt +index 77e89d9c27..164bc08de2 100644 +--- a/docs/releases/5.1.7.txt ++++ b/docs/releases/5.1.7.txt +@@ -7,6 +7,12 @@ Django 5.1.7 release notes + Django 5.1.7 fixes a security issue with severity "moderate" and several bugs + in 5.1.6. + ++CVE-2025-26699: Potential denial-of-service vulnerability in ``django.utils.text.wrap()`` ++========================================================================================= + -+* Fixed a bug in Django 5.1 where ``FileSystemStorage``, with -+ ``allow_overwrite`` set to ``True``, did not truncate the overwritten file -+ content (:ticket:`36191`). 
++The ``wrap()`` and :tfilter:`wordwrap` template filter were subject to a ++potential denial-of-service attack when used with very long strings. + -+* Fixed a regression in Django 5.1 where the ``count`` and ``exists`` methods -+ of ``ManyToManyField`` related managers would always return ``0`` and -+ ``False`` when the intermediary model back references used ``to_field`` -+ (:ticket:`36197`). + Bugfixes + ======== + +diff --git a/tests/template_tests/filter_tests/test_wordwrap.py b/tests/template_tests/filter_tests/test_wordwrap.py +index 88fbd274da..4afa1dd234 100644 +--- a/tests/template_tests/filter_tests/test_wordwrap.py ++++ b/tests/template_tests/filter_tests/test_wordwrap.py +@@ -78,3 +78,14 @@ class FunctionTests(SimpleTestCase): + "this is a long\nparagraph of\ntext that\nreally needs\nto be wrapped\n" + "I'm afraid", + ) + -+* Fixed a regression in Django 5.1 where the ``pre_save`` and ``post_save`` -+ signals for ``LogEntry`` were not sent when deleting a single object in the -+ admin (:ticket:`36217`). ++ def test_wrap_long_text(self): ++ long_text = ( ++ "this is a long paragraph of text that really needs" ++ " to be wrapped I'm afraid " * 20_000 ++ ) ++ self.assertIn( ++ "this is a\nlong\nparagraph\nof text\nthat\nreally\nneeds to\nbe wrapped\n" ++ "I'm afraid", ++ wordwrap(long_text, 10), ++ ) +-- +2.35.1.windows.2 + -- Gitee From 7254a402a27703ec370c41c41b45705cd37ab42f Mon Sep 17 00:00:00 2001 From: wseelly Date: Wed, 25 Jun 2025 00:20:07 +0800 Subject: [PATCH 5/5] fix:update patch --- python-django-5.0.8-CVE-2025-26699.patch | 325 +---------------------- 1 file changed, 8 insertions(+), 317 deletions(-) diff --git a/python-django-5.0.8-CVE-2025-26699.patch b/python-django-5.0.8-CVE-2025-26699.patch index 8226713..170c43a 100644 --- a/python-django-5.0.8-CVE-2025-26699.patch +++ b/python-django-5.0.8-CVE-2025-26699.patch 
@@ -1,265 +1,7 @@ -From 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b Mon Sep 17 00:00:00 2001 +From 4f2765232336b8ad0afd8017d9d912ae93470017 Mon Sep 17 00:00:00 2001 
From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> Date: Tue, 25 Feb 2025 09:40:54 +0100 -Subject: [PATCH] Fixed CVE-2025-26699 -- Mitigated potential DoS in wordwrap - template filter. - -Thanks sw0rd1ight for the report. ---- - django/utils/text.py | 28 +++++++------------ - docs/releases/4.2.20.txt | 6 ++++ - docs/releases/5.0.13.txt | 6 ++++ - docs/releases/5.1.7.txt | 6 ++++ - .../filter_tests/test_wordwrap.py | 11 ++++++++ - 5 files changed, 39 insertions(+), 18 deletions(-) - -diff --git a/django/utils/text.py b/django/utils/text.py -index bad8f2f2da..05b781b011 100644 ---- a/django/utils/text.py -+++ b/django/utils/text.py -@@ -1,6 +1,7 @@ - import gzip - import re - import secrets -+import textwrap - import unicodedata - from collections import deque - from gzip import GzipFile -@@ -49,24 +50,15 @@ def wrap(text, width): - ``width``. - """ - -- def _generator(): -- for line in text.splitlines(True): # True keeps trailing linebreaks -- max_width = min((line.endswith("\n") and width + 1 or width), width) -- while len(line) > max_width: -- space = line[: max_width + 1].rfind(" ") + 1 -- if space == 0: -- space = line.find(" ") + 1 -- if space == 0: -- yield line -- line = "" -- break -- yield "%s\n" % line[: space - 1] -- line = line[space:] -- max_width = min((line.endswith("\n") and width + 1 or width), width) -- if line: -- yield line -- -- return "".join(_generator()) -+ wrapper = textwrap.TextWrapper( -+ width=width, -+ break_long_words=False, -+ break_on_hyphens=False, -+ ) -+ result = [] -+ for line in text.splitlines(True): -+ result.extend(wrapper.wrap(line)) -+ return "\n".join(result) - - - def add_truncation_text(text, truncate=None): -diff --git a/docs/releases/4.2.20.txt b/docs/releases/4.2.20.txt -index c71fa05f43..5849fe2a42 100644 ---- a/docs/releases/4.2.20.txt -+++ b/docs/releases/4.2.20.txt -@@ -5,3 +5,9 @@ Django 4.2.20 release notes - *March 6, 2025* - - Django 4.2.20 fixes a security issue with severity "moderate" in 
4.2.19. -+ -+CVE-2025-26699: Potential denial-of-service vulnerability in ``django.utils.text.wrap()`` -+========================================================================================= -+ -+The ``wrap()`` and :tfilter:`wordwrap` template filter were subject to a -+potential denial-of-service attack when used with very long strings. -diff --git a/docs/releases/5.0.13.txt b/docs/releases/5.0.13.txt -index 27dc3c2f60..ebb0de252a 100644 ---- a/docs/releases/5.0.13.txt -+++ b/docs/releases/5.0.13.txt -@@ -5,3 +5,9 @@ Django 5.0.13 release notes - *March 6, 2025* - - Django 5.0.13 fixes a security issue with severity "moderate" in 5.0.12. -+ -+CVE-2025-26699: Potential denial-of-service vulnerability in ``django.utils.text.wrap()`` -+========================================================================================= -+ -+The ``wrap()`` and :tfilter:`wordwrap` template filter were subject to a -+potential denial-of-service attack when used with very long strings. -diff --git a/docs/releases/5.1.7.txt b/docs/releases/5.1.7.txt -index 77e89d9c27..164bc08de2 100644 ---- a/docs/releases/5.1.7.txt -+++ b/docs/releases/5.1.7.txt -@@ -7,6 +7,12 @@ Django 5.1.7 release notes - Django 5.1.7 fixes a security issue with severity "moderate" and several bugs - in 5.1.6. - -+CVE-2025-26699: Potential denial-of-service vulnerability in ``django.utils.text.wrap()`` -+========================================================================================= -+ -+The ``wrap()`` and :tfilter:`wordwrap` template filter were subject to a -+potential denial-of-service attack when used with very long strings. 
-+ - Bugfixes - ======== - -diff --git a/tests/template_tests/filter_tests/test_wordwrap.py b/tests/template_tests/filter_tests/test_wordwrap.py -index 88fbd274da..4afa1dd234 100644 ---- a/tests/template_tests/filter_tests/test_wordwrap.py -+++ b/tests/template_tests/filter_tests/test_wordwrap.py -@@ -78,3 +78,14 @@ class FunctionTests(SimpleTestCase): - "this is a long\nparagraph of\ntext that\nreally needs\nto be wrapped\n" - "I'm afraid", - ) -+ -+ def test_wrap_long_text(self): -+ long_text = ( -+ "this is a long paragraph of text that really needs" -+ " to be wrapped I'm afraid " * 20_000 -+ ) -+ self.assertIn( -+ "this is a\nlong\nparagraph\nof text\nthat\nreally\nneeds to\nbe wrapped\n" -+ "I'm afraid", -+ wordwrap(long_text, 10), -+ ) --- -2.35.1.windows.2 - -From 3cfa472644d4ce764d84fed739177b5765ea4b8a Mon Sep 17 00:00:00 2001 -From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> -Date: Tue, 25 Feb 2025 09:40:54 +0100 -Subject: [PATCH] [5.2.x] Fixed CVE-2025-26699 -- Mitigated potential DoS in - wordwrap template filter. - -Thanks sw0rd1ight for the report. - -Backport of 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b from main. ---- - django/utils/text.py | 28 +++++++------------ - docs/releases/4.2.20.txt | 6 ++++ - docs/releases/5.0.13.txt | 6 ++++ - docs/releases/5.1.7.txt | 6 ++++ - .../filter_tests/test_wordwrap.py | 11 ++++++++ - 5 files changed, 39 insertions(+), 18 deletions(-) - -diff --git a/django/utils/text.py b/django/utils/text.py -index bad8f2f2da..05b781b011 100644 ---- a/django/utils/text.py -+++ b/django/utils/text.py -@@ -1,6 +1,7 @@ - import gzip - import re - import secrets -+import textwrap - import unicodedata - from collections import deque - from gzip import GzipFile -@@ -49,24 +50,15 @@ def wrap(text, width): - ``width``. 
- """ - -- def _generator(): -- for line in text.splitlines(True): # True keeps trailing linebreaks -- max_width = min((line.endswith("\n") and width + 1 or width), width) -- while len(line) > max_width: -- space = line[: max_width + 1].rfind(" ") + 1 -- if space == 0: -- space = line.find(" ") + 1 -- if space == 0: -- yield line -- line = "" -- break -- yield "%s\n" % line[: space - 1] -- line = line[space:] -- max_width = min((line.endswith("\n") and width + 1 or width), width) -- if line: -- yield line -- -- return "".join(_generator()) -+ wrapper = textwrap.TextWrapper( -+ width=width, -+ break_long_words=False, -+ break_on_hyphens=False, -+ ) -+ result = [] -+ for line in text.splitlines(True): -+ result.extend(wrapper.wrap(line)) -+ return "\n".join(result) - - - def add_truncation_text(text, truncate=None): -diff --git a/docs/releases/4.2.20.txt b/docs/releases/4.2.20.txt -index c71fa05f43..5849fe2a42 100644 ---- a/docs/releases/4.2.20.txt -+++ b/docs/releases/4.2.20.txt -@@ -5,3 +5,9 @@ Django 4.2.20 release notes - *March 6, 2025* - - Django 4.2.20 fixes a security issue with severity "moderate" in 4.2.19. -+ -+CVE-2025-26699: Potential denial-of-service vulnerability in ``django.utils.text.wrap()`` -+========================================================================================= -+ -+The ``wrap()`` and :tfilter:`wordwrap` template filter were subject to a -+potential denial-of-service attack when used with very long strings. -diff --git a/docs/releases/5.0.13.txt b/docs/releases/5.0.13.txt -index 27dc3c2f60..ebb0de252a 100644 ---- a/docs/releases/5.0.13.txt -+++ b/docs/releases/5.0.13.txt -@@ -5,3 +5,9 @@ Django 5.0.13 release notes - *March 6, 2025* - - Django 5.0.13 fixes a security issue with severity "moderate" in 5.0.12. 
-+ -+CVE-2025-26699: Potential denial-of-service vulnerability in ``django.utils.text.wrap()`` -+========================================================================================= -+ -+The ``wrap()`` and :tfilter:`wordwrap` template filter were subject to a -+potential denial-of-service attack when used with very long strings. -diff --git a/docs/releases/5.1.7.txt b/docs/releases/5.1.7.txt -index 77e89d9c27..164bc08de2 100644 ---- a/docs/releases/5.1.7.txt -+++ b/docs/releases/5.1.7.txt -@@ -7,6 +7,12 @@ Django 5.1.7 release notes - Django 5.1.7 fixes a security issue with severity "moderate" and several bugs - in 5.1.6. - -+CVE-2025-26699: Potential denial-of-service vulnerability in ``django.utils.text.wrap()`` -+========================================================================================= -+ -+The ``wrap()`` and :tfilter:`wordwrap` template filter were subject to a -+potential denial-of-service attack when used with very long strings. -+ - Bugfixes - ======== - -diff --git a/tests/template_tests/filter_tests/test_wordwrap.py b/tests/template_tests/filter_tests/test_wordwrap.py -index 88fbd274da..4afa1dd234 100644 ---- a/tests/template_tests/filter_tests/test_wordwrap.py -+++ b/tests/template_tests/filter_tests/test_wordwrap.py -@@ -78,3 +78,14 @@ class FunctionTests(SimpleTestCase): - "this is a long\nparagraph of\ntext that\nreally needs\nto be wrapped\n" - "I'm afraid", - ) -+ -+ def test_wrap_long_text(self): -+ long_text = ( -+ "this is a long paragraph of text that really needs" -+ " to be wrapped I'm afraid " * 20_000 -+ ) -+ self.assertIn( -+ "this is a\nlong\nparagraph\nof text\nthat\nreally\nneeds to\nbe wrapped\n" -+ "I'm afraid", -+ wordwrap(long_text, 10), -+ ) --- -2.35.1.windows.2 - -From 8dbb44d34271637099258391dfc79df33951b841 Mon Sep 17 00:00:00 2001 -From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> -Date: Tue, 25 Feb 2025 09:40:54 +0100 -Subject: [PATCH] [5.1.x] Fixed CVE-2025-26699 -- Mitigated potential DoS 
in +Subject: [PATCH] [5.0.x] Fixed CVE-2025-26699 -- Mitigated potential DoS in wordwrap template filter. Thanks sw0rd1ight for the report. @@ -267,14 +9,11 @@ Thanks sw0rd1ight for the report. Backport of 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b from main. --- django/utils/text.py | 28 +++++++------------ - docs/releases/4.2.20.txt | 6 ++++ - docs/releases/5.0.13.txt | 6 ++++ - docs/releases/5.1.7.txt | 6 ++++ .../filter_tests/test_wordwrap.py | 11 ++++++++ - 5 files changed, 39 insertions(+), 18 deletions(-) + 2 files changed, 21 insertions(+), 18 deletions(-) diff --git a/django/utils/text.py b/django/utils/text.py -index bad8f2f2da..05b781b011 100644 +index d992f80dd2fe..36ab6a9efcc9 100644 --- a/django/utils/text.py +++ b/django/utils/text.py @@ -1,6 +1,7 @@ @@ -283,9 +22,9 @@ index bad8f2f2da..05b781b011 100644 import secrets +import textwrap import unicodedata - from collections import deque from gzip import GzipFile -@@ -49,24 +50,15 @@ def wrap(text, width): + from gzip import compress as gzip_compress +@@ -97,24 +98,15 @@ def wrap(text, width): ``width``. """ 
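Review bot: The `wrap()` replacement this patch carries changes output for text containing blank lines: `textwrap.TextWrapper.wrap()` returns an empty list for an all-whitespace line, so `result.extend(wrapper.wrap(line))` drops it and paragraphs separated by an empty line come out joined, where the old generator yielded the line unchanged. The function body is unchanged context in this commit (it was added in 4/5) and lies outside this hunk; the behaviour matches upstream's fix as first shipped, but upstream appears to have adjusted `wrap()` again in later 5.x releases, so it is worth checking the 5.0.x/5.1.x release notes before freezing this version of the patch. The header `index d992f80dd2fe..36ab6a9efcc9` shows the patch was cut against the upstream 5.0.x branch rather than the 5.0.8 tarball this spec builds, so the `@@ -97,24 +98,15 @@` offsets may only apply with fuzz after Patch001–Patch004; attaching the `%prep` output showing a clean apply would settle that.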
@@ -319,56 +58,11 @@ index bad8f2f2da..05b781b011 100644 def add_truncation_text(text, truncate=None): -diff --git a/docs/releases/4.2.20.txt b/docs/releases/4.2.20.txt -index c71fa05f43..5849fe2a42 100644 ---- a/docs/releases/4.2.20.txt -+++ b/docs/releases/4.2.20.txt -@@ -5,3 +5,9 @@ Django 4.2.20 release notes - *March 6, 2025* - - Django 4.2.20 fixes a security issue with severity "moderate" in 4.2.19. -+ -+CVE-2025-26699: Potential denial-of-service vulnerability in ``django.utils.text.wrap()`` -+========================================================================================= -+ -+The ``wrap()`` and :tfilter:`wordwrap` template filter were subject to a -+potential denial-of-service attack when used with very long strings. -diff --git a/docs/releases/5.0.13.txt b/docs/releases/5.0.13.txt -index 27dc3c2f60..ebb0de252a 100644 ---- a/docs/releases/5.0.13.txt -+++ b/docs/releases/5.0.13.txt -@@ -5,3 +5,9 @@ Django 5.0.13 release notes - *March 6, 2025* - - Django 5.0.13 fixes a security issue with severity "moderate" in 5.0.12. -+ -+CVE-2025-26699: Potential denial-of-service vulnerability in ``django.utils.text.wrap()`` -+========================================================================================= -+ -+The ``wrap()`` and :tfilter:`wordwrap` template filter were subject to a -+potential denial-of-service attack when used with very long strings. -diff --git a/docs/releases/5.1.7.txt b/docs/releases/5.1.7.txt -index 77e89d9c27..164bc08de2 100644 ---- a/docs/releases/5.1.7.txt -+++ b/docs/releases/5.1.7.txt -@@ -7,6 +7,12 @@ Django 5.1.7 release notes - Django 5.1.7 fixes a security issue with severity "moderate" and several bugs - in 5.1.6. 
- -+CVE-2025-26699: Potential denial-of-service vulnerability in ``django.utils.text.wrap()`` -+========================================================================================= -+ -+The ``wrap()`` and :tfilter:`wordwrap` template filter were subject to a -+potential denial-of-service attack when used with very long strings. -+ - Bugfixes - ======== - diff --git a/tests/template_tests/filter_tests/test_wordwrap.py b/tests/template_tests/filter_tests/test_wordwrap.py -index 88fbd274da..4afa1dd234 100644 +index 88fbd274da94..4afa1dd234f1 100644 --- a/tests/template_tests/filter_tests/test_wordwrap.py +++ b/tests/template_tests/filter_tests/test_wordwrap.py -@@ -78,3 +78,14 @@ class FunctionTests(SimpleTestCase): +@@ -78,3 +78,14 @@ def test_wrap_lazy_string(self): "this is a long\nparagraph of\ntext that\nreally needs\nto be wrapped\n" "I'm afraid", ) @@ -383,6 +77,3 @@ index 88fbd274da..4afa1dd234 100644 + "I'm afraid", + wordwrap(long_text, 10), + ) --- -2.35.1.windows.2 - -- Gitee