From 496f226ab99b78289c89174df89ee8b4de90704c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=96=87=E9=91=AB?= <wx02272781@alibaba-inc.com>
Date: Tue, 10 Jun 2025 14:58:40 +0800
Subject: [PATCH] Fix CVE-2024-53907

---
 0001-fix-CVE-2024-53907.patch | 88 +++++++++++++++++++++++++++++++++++
 python-django.spec            |  8 +++-
 2 files changed, 95 insertions(+), 1 deletion(-)
 create mode 100644 0001-fix-CVE-2024-53907.patch

diff --git a/0001-fix-CVE-2024-53907.patch b/0001-fix-CVE-2024-53907.patch
new file mode 100644
index 0000000..0f4d966
--- /dev/null
+++ b/0001-fix-CVE-2024-53907.patch
@@ -0,0 +1,88 @@
+From 790eb058b0716c536a2f2e8d1c6d5079d776c22b Mon Sep 17 00:00:00 2001
+From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
+Date: Wed, 13 Nov 2024 15:06:23 +0100
+Subject: [PATCH] [4.2.x] Fixed CVE-2024-53907 -- Mitigated potential DoS in
+ strip_tags().
+
+Origin: https://github.com/django/django/commit/790eb058b0716c536a2f2e8d1c6d5079d776c22b
+
+Thanks to jiangniao for the report, and Shai Berger and Natalia Bidart
+for the reviews.
+---
+ django/utils/html.py           | 10 ++++++++--
+ tests/utils_tests/test_html.py |  7 +++++++
+ 3 files changed, 31 insertions(+), 2 deletions(-)
+
+diff --git a/django/utils/html.py b/django/utils/html.py
+index df38c2051994..a3a7238cba44 100644
+--- a/django/utils/html.py
++++ b/django/utils/html.py
+@@ -6,6 +6,7 @@
+ from html.parser import HTMLParser
+ from urllib.parse import parse_qsl, quote, unquote, urlencode, urlsplit, urlunsplit
+ 
++from django.core.exceptions import SuspiciousOperation
+ from django.utils.encoding import punycode
+ from django.utils.functional import Promise, cached_property, keep_lazy, keep_lazy_text
+ from django.utils.http import RFC3986_GENDELIMS, RFC3986_SUBDELIMS
+@@ -14,6 +15,7 @@
+ from django.utils.text import normalize_newlines
+ 
+ MAX_URL_LENGTH = 2048
++MAX_STRIP_TAGS_DEPTH = 50
+ 
+ 
+ @keep_lazy(SafeString)
+@@ -172,15 +174,19 @@ def _strip_once(value):
+ @keep_lazy_text
+ def strip_tags(value):
+     """Return the given HTML with all tags stripped."""
+-    # Note: in typical case this loop executes _strip_once once. Loop condition
+-    # is redundant, but helps to reduce number of executions of _strip_once.
+     value = str(value)
++    # Note: in typical case this loop executes _strip_once twice (the second
++    # execution does not remove any more tags).
++    strip_tags_depth = 0
+     while "<" in value and ">" in value:
++        if strip_tags_depth >= MAX_STRIP_TAGS_DEPTH:
++            raise SuspiciousOperation
+         new_value = _strip_once(value)
+         if value.count("<") == new_value.count("<"):
+             # _strip_once wasn't able to detect more tags.
+             break
+         value = new_value
++        strip_tags_depth += 1
+     return value
+ 
+ 
+diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
+index 7ff5020fb6d3..579bb2a1e359 100644
+--- a/tests/utils_tests/test_html.py
++++ b/tests/utils_tests/test_html.py
+@@ -1,6 +1,7 @@
+ import os
+ from datetime import datetime
+ 
++from django.core.exceptions import SuspiciousOperation
+ from django.core.serializers.json import DjangoJSONEncoder
+ from django.test import SimpleTestCase
+ from django.utils.functional import lazystr
+@@ -113,12 +114,18 @@ def test_strip_tags(self):
+             ("<script>alert()</script>&h", "alert()h"),
+             ("><!" + ("&" * 16000) + "D", "><!" + ("&" * 16000) + "D"),
+             ("X<<<<br>br>br>br>X", "XX"),
++            ("<" * 50 + "a>" * 50, ""),
+         )
+         for value, output in items:
+             with self.subTest(value=value, output=output):
+                 self.check_output(strip_tags, value, output)
+                 self.check_output(strip_tags, lazystr(value), output)
+ 
++    def test_strip_tags_suspicious_operation(self):
++        value = "<" * 51 + "a>" * 51, "<a>"
++        with self.assertRaises(SuspiciousOperation):
++            strip_tags(value)
++
+     def test_strip_tags_files(self):
+         # Test with more lengthy content (also catching performance regressions)
+         for filename in ("strip_tags1.html", "strip_tags2.txt"):
diff --git a/python-django.spec b/python-django.spec
index db791d8..875f163 100644
--- a/python-django.spec
+++ b/python-django.spec
@@ -1,4 +1,4 @@
-%define anolis_release 1
+%define anolis_release 2
 %global pkgname Django
 
 Name:           python-django
@@ -13,6 +13,9 @@ Source:         %{pypi_source %{pkgname} %{version}}
 
 BuildArch:      noarch
 
+# https://github.com/django/django/commit/790eb058b0716c536a2f2e8d1c6d5079d776c22b
+Patch0001:    0001-fix-CVE-2024-53907.patch
+
 %global _description %{expand:
 Django is a high-level Python Web framework that encourages rapid
 development and a clean, pragmatic design. It focuses on automating as
@@ -172,6 +175,9 @@ cd tests
 
 
 %changelog
+* Tue Jun 10 2025 wenxin <wx02272781@alibaba-inc.com> - 4.2.16-2
+- Fix CVE-2024-53907
+
 * Mon Nov 25 2024 yangxinyu <yangxinyu@nfschina.com> - 4.2.16-1
 - update to 4.2.16
 
-- 
Gitee