From fcd1a433c47c0cc735b87ff24c2673f87cf8ade8 Mon Sep 17 00:00:00 2001 From: shopyou Date: Wed, 17 Jul 2024 12:03:24 +0800 Subject: [PATCH] - [Type] security - [DESC] Resolves: CVE-2024-27351 --- python-django-3.2.24-CVE-2024-27351.patch | 120 ++++++++++++++++++++++ python-django.spec | 7 +- 2 files changed, 126 insertions(+), 1 deletion(-) create mode 100644 python-django-3.2.24-CVE-2024-27351.patch diff --git a/python-django-3.2.24-CVE-2024-27351.patch b/python-django-3.2.24-CVE-2024-27351.patch new file mode 100644 index 0000000..aedc085 --- /dev/null +++ b/python-django-3.2.24-CVE-2024-27351.patch @@ -0,0 +1,120 @@ +From 072963e4c4d0b3a7a8c5412bc0c7d27d1a9c3521 Mon Sep 17 00:00:00 2001 +From: Shai Berger +Date: Mon, 19 Feb 2024 13:56:37 +0100 +Subject: [PATCH] [3.2.x] Fixed CVE-2024-27351 -- Prevented potential ReDoS in + Truncator.words(). + +Thanks Seokchan Yoon for the report. + +Co-Authored-By: Mariusz Felisiak +--- + django/utils/text.py | 57 ++++++++++++++++++++++++++++++++-- + tests/utils_tests/test_text.py | 26 ++++++++++++++++ + 2 files changed, 82 insertions(+), 2 deletions(-) + +diff --git a/django/utils/text.py b/django/utils/text.py +index 83e258fa81c..88da9a2c2c6 100644 +--- a/django/utils/text.py ++++ b/django/utils/text.py +@@ -18,8 +18,61 @@ def capfirst(x): + return x and str(x)[0].upper() + str(x)[1:] + + +-# Set up regular expressions +-re_words = _lazy_re_compile(r'<[^>]+?>|([^<>\s]+)', re.S) ++# ----- Begin security-related performance workaround ----- ++ ++# We used to have, below ++# ++# re_words = _lazy_re_compile(r"<[^>]+?>|([^<>\s]+)", re.S) ++# ++# But it was shown that this regex, in the way we use it here, has some ++# catastrophic edge-case performance features. Namely, when it is applied to ++# text with only open brackets "<<<...". The class below provides the services ++# and correct answers for the use cases, but in these edge cases does it much ++# faster. ++re_notag = _lazy_re_compile(r"([^<>\s]+)", re.S) ++re_prt = _lazy_re_compile(r"<|([^<>\s]+)", re.S) ++ ++ ++class WordsRegex: ++ @staticmethod ++ def search(text, pos): ++ # Look for "<" or a non-tag word. ++ partial = re_prt.search(text, pos) ++ if partial is None or partial[1] is not None: ++ return partial ++ ++ # "<" was found, look for a closing ">". ++ end = text.find(">", partial.end(0)) ++ if end < 0: ++ # ">" cannot be found, look for a word. ++ return re_notag.search(text, pos + 1) ++ else: ++ # "<" followed by a ">" was found -- fake a match. ++ end += 1 ++ return FakeMatch(text[partial.start(0): end], end) ++ ++ ++class FakeMatch: ++ __slots__ = ["_text", "_end"] ++ ++ def end(self, group=0): ++ assert group == 0, "This specific object takes only group=0" ++ return self._end ++ ++ def __getitem__(self, group): ++ if group == 1: ++ return None ++ assert group == 0, "This specific object takes only group in {0,1}" ++ return self._text ++ ++ def __init__(self, text, end): ++ self._text, self._end = text, end ++ ++ ++# ----- End security-related performance workaround ----- ++ ++# Set up regular expressions. ++re_words = WordsRegex + re_chars = _lazy_re_compile(r'<[^>]+?>|(.)', re.S) + re_tag = _lazy_re_compile(r'<(/)?(\S+?)(?:(\s*/)|\s.*?)?>', re.S) + re_newlines = _lazy_re_compile(r'\r\n|\r') # Used in normalize_newlines + +diff --git a/tests/utils_tests/test_text.py b/tests/utils_tests/test_text.py +index 0a6f0bc3f26..758919c66e8 100644 +--- a/tests/utils_tests/test_text.py ++++ b/tests/utils_tests/test_text.py +@@ -159,6 +159,32 @@ def test_truncate_html_words(self): + truncator = text.Truncator('

I <3 python, what about you?

') + self.assertEqual('

I <3 python,…

', truncator.words(3, html=True)) + ++ # Only open brackets. ++ test = "<" * 60_000 ++ truncator = text.Truncator(test) ++ self.assertEqual(truncator.words(1, html=True), test) ++ ++ # Tags with special chars in attrs. ++ truncator = text.Truncator( ++ """Hello, my dear lady!""" ++ ) ++ self.assertEqual( ++ """Hello, my dear…""", ++ truncator.words(3, html=True), ++ ) ++ ++ # Tags with special non-latin chars in attrs. ++ truncator = text.Truncator("""

Hello, my dear lady!

""") ++ self.assertEqual( ++ """

Hello, my dear…

""", ++ truncator.words(3, html=True), ++ ) ++ ++ # Misplaced brackets. ++ truncator = text.Truncator("hello >< world") ++ self.assertEqual(truncator.words(1, html=True), "hello…") ++ self.assertEqual(truncator.words(2, html=True), "hello >< world") ++ + @patch("django.utils.text.Truncator.MAX_LENGTH_HTML", 10_000) + def test_truncate_words_html_size_limit(self): + max_len = text.Truncator.MAX_LENGTH_HTML diff --git a/python-django.spec b/python-django.spec index 21ce3ff..002374f 100644 --- a/python-django.spec +++ b/python-django.spec @@ -4,7 +4,7 @@ Summary: A high-level Python Web framework Name: python-django Version: 3.2.24 -Release: 1%{?dist} +Release: 2%{?dist} License: BSD URL: https://www.djangoproject.com/ Source0: https://github.com/django/django/archive/refs/tags/django-%{version}.tar.gz @@ -12,6 +12,7 @@ Source0: https://github.com/django/django/archive/refs/tags/django-%{vers Patch001: 0001-python-3.10-compatibility-disable-failing-tests.patch Patch002: 0002-Remove-failing-test.patch Patch003: 0003-3.2.24-oc-patch.patch +Patch004: python-django-3.2.24-CVE-2024-27351.patch BuildArch: noarch @@ -124,6 +125,10 @@ python3 runtests.py --settings=test_sqlite --verbosity=2 --parallel 1 %changelog +* Tue Jul 16 2024 Shop You - 3.2.24-2 +- [Type] security +- [DESC] Resolves: CVE-2024-27351 + * Sun Apr 07 2024 Shop You - 3.2.24-1 - Upgrade to version 3.2.24 -- Gitee