From 9c95e8fec62153f8dfcc45a70b8a68d74333a66f Mon Sep 17 00:00:00 2001 From: Mariusz Felisiak Date: Tue, 26 Sep 2023 10:23:30 +0000 Subject: [PATCH] Fixed CVE-2023-41164 -- Fixed potential DoS in django.utils.encoding.uri_to_iri(). Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report. Co-authored-by: nessita <124304+nessita@users.noreply.github.com> CVE: CVE-2023-41164 Upstream-Status: Backport [https://github.com/django/django/commit/3f41d6d62929dfe53eda8109b3b836f26645bdce] Signed-off-by: Narpat Mali --- django/utils/encoding.py | 6 ++++-- docs/releases/2.2.28.txt | 9 +++++++++ tests/utils_tests/test_encoding.py | 21 ++++++++++++++++++++- 3 files changed, 33 insertions(+), 3 deletions(-) diff --git a/django/utils/encoding.py b/django/utils/encoding.py index 98da647..3769702 100644 --- a/django/utils/encoding.py +++ b/django/utils/encoding.py @@ -225,6 +225,7 @@ def repercent_broken_unicode(path): repercent-encode any octet produced that is not part of a strictly legal UTF-8 octet sequence. """ + changed_parts = [] while True: try: path.decode() @@ -232,9 +233,10 @@ def repercent_broken_unicode(path): # CVE-2019-14235: A recursion shouldn't be used since the exception # handling uses massive amounts of memory repercent = quote(path[e.start:e.end], safe=b"/#%[]=:;$&()+,!?*@'~") - path = path[:e.start] + force_bytes(repercent) + path[e.end:] + changed_parts.append(path[: e.start] + repercent.encode()) + path = path[e.end :] else: - return path + return b"".join(changed_parts) + path def filepath_to_uri(path): diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt index ab4884b..40eb230 100644 --- a/docs/releases/2.2.28.txt +++ b/docs/releases/2.2.28.txt @@ -47,3 +47,12 @@ CVE-2023-36053: Potential regular expression denial of service vulnerability in ``EmailValidator`` and ``URLValidator`` were subject to potential regular expression denial of service attack via a very large number of domain name labels of emails and URLs. + +Backporting the CVE-2023-41164 fix on Django 2.2.28. + +CVE-2023-41164: Potential denial of service vulnerability in ``django.utils.encoding.uri_to_iri()`` +=================================================================================================== + +``django.utils.encoding.uri_to_iri()`` was subject to potential denial of +service attack via certain inputs with a very large number of Unicode +characters. diff --git a/tests/utils_tests/test_encoding.py b/tests/utils_tests/test_encoding.py index ea7ba5f..93a3162 100644 --- a/tests/utils_tests/test_encoding.py +++ b/tests/utils_tests/test_encoding.py @@ -1,8 +1,9 @@ import datetime +import inspect import sys import unittest from unittest import mock -from urllib.parse import quote_plus +from urllib.parse import quote, quote_plus from django.test import SimpleTestCase from django.utils.encoding import ( @@ -100,6 +101,24 @@ class TestEncodingUtils(SimpleTestCase): except RecursionError: self.fail('Unexpected RecursionError raised.') + def test_repercent_broken_unicode_small_fragments(self): + data = b"test\xfctest\xfctest\xfc" + decoded_paths = [] + + def mock_quote(*args, **kwargs): + # The second frame is the call to repercent_broken_unicode(). + decoded_paths.append(inspect.currentframe().f_back.f_locals["path"]) + return quote(*args, **kwargs) + + with mock.patch("django.utils.encoding.quote", mock_quote): + self.assertEqual(repercent_broken_unicode(data), b"test%FCtest%FCtest%FC") + + # decode() is called on smaller fragment of the path each time. + self.assertEqual( + decoded_paths, + [b"test\xfctest\xfctest\xfc", b"test\xfctest\xfc", b"test\xfc"], + ) + class TestRFC3987IEncodingUtils(unittest.TestCase): -- 2.40.0