python3-django: (v2.2.28) fix ipv6 validation

This patch is only for python3-django_2.2.28. The URL validator didn't detect invalid IPv6 addresses, treating them as correct ones, making a testcase fail. (Also, according to the comment, it could also crash in some cases, though I haven't encountered that) This backported patch mitigates this behavior. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
author: Gyorgy Sarvari <skandigraun@gmail.com> 2026-01-15 09:29:12 +0100
committer: Gyorgy Sarvari <skandigraun@gmail.com> 2026-01-16 08:41:29 +0100
commit: 4b5afd0ea72ba411c972a2da903eb2553e61e495 (patch)
tree: 0295c1da6a38809d5e48f14dc1b801dfd1968aa6 /meta-python/recipes-devtools
parent: 5e11a2eba710d0d277f56a4f48e93e9b0f6cf5fa (diff)
download: meta-openembedded-4b5afd0ea72ba411c972a2da903eb2553e61e495.tar.gz
2 files changed, 58 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-django/0001-Fixed-33367-Fixed-URLValidator-crash-in-some-edge-ca.patch b/meta-python/recipes-devtools/python/python3-django/0001-Fixed-33367-Fixed-URLValidator-crash-in-some-edge-ca.patch
new file mode 100644
index 0000000000..549e761ec3
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-django/0001-Fixed-33367-Fixed-URLValidator-crash-in-some-edge-ca.patch
@@ -0,0 +1,57 @@
+From 065b10e2757af671f3e64f0c8714e6f2e4eca727 Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Wed, 15 Dec 2021 11:55:19 -0300
+Subject: [PATCH] Fixed #33367 -- Fixed URLValidator crash in some edge cases.
+From: mendespedro <windowsxpedro@gmail.com>
+Upstream-Status: Backport [https://github.com/django/django/commit/e8b4feddc34ffe5759ec21da8fa027e86e653f1c]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ django/core/validators.py | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+diff --git a/django/core/validators.py b/django/core/validators.py
+index 94cc3bf..03cd9b8 100644
+--- a/django/core/validators.py
+++ b/django/core/validators.py
+@@ -120,15 +120,17 @@ class URLValidator(RegexValidator):
+             raise ValidationError(self.message, code=self.code)
+ 
+         # Then check full URL
+        
+        try:
+            splitted_url = urlsplit(value)
+        except ValueError:
+            raise ValidationError(self.message, code=self.code, params={'value': value})
+         try:
+             super().__call__(value)
+         except ValidationError as e:
+             # Trivial case failed. Try for possible IDN domain
+             if value:
+-                try:
+-                    scheme, netloc, path, query, fragment = urlsplit(value)
+-                except ValueError:  # for example, "Invalid IPv6 URL"
+-                    raise ValidationError(self.message, code=self.code)
+                scheme, netloc, path, query, fragment = splitted_url
+                 try:
+                     netloc = netloc.encode('idna').decode('ascii')  # IDN -> ACE
+                 except UnicodeError:  # invalid domain part
+@@ -139,7 +141,7 @@ class URLValidator(RegexValidator):
+                 raise
+         else:
+             # Now verify IPv6 in the netloc part
+-            host_match = re.search(r'^\[(.+)\](?::\d{2,5})?$', urlsplit(value).netloc)
+            host_match = re.search(r'^\[(.+)\](?::\d{2,5})?$', splitted_url.netloc)
+             if host_match:
+                 potential_ip = host_match.groups()[0]
+                 try:
+@@ -151,7 +153,7 @@ class URLValidator(RegexValidator):
+         # section 3.1. It's defined to be 255 bytes or less, but this includes
+         # one byte for the length of the name and one byte for the trailing dot
+         # that's used to indicate absolute names in DNS.
+-        if len(urlsplit(value).hostname) > 253:
+        if splitted_url.hostname is None or len(splitted_url.hostname) > 253:
+             raise ValidationError(self.message, code=self.code)
+ 
+ 
diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
index bf7e182aba..0f6f8fc4d0 100644
--- a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
+++ b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
@@ -38,6 +38,7 @@ SRC_URI += "file://CVE-2023-31047.patch \
            file://0001-implement-group-method-for-FakeMatch.patch \
            file://0001-fix-ipv6-test.patch \
            file://0001-Fixed-32298-Fixed-URLValidator-hostname-length-valid.patch \
+            file://0001-Fixed-33367-Fixed-URLValidator-crash-in-some-edge-ca.patch \
            "
 SRC_URI[sha256sum] = "0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413"
author	Gyorgy Sarvari <skandigraun@gmail.com>	2026-01-15 09:29:12 +0100
committer	Gyorgy Sarvari <skandigraun@gmail.com>	2026-01-16 08:41:29 +0100
commit	4b5afd0ea72ba411c972a2da903eb2553e61e495 (patch)
tree	0295c1da6a38809d5e48f14dc1b801dfd1968aa6 /meta-python/recipes-devtools
parent	5e11a2eba710d0d277f56a4f48e93e9b0f6cf5fa (diff)
download	meta-openembedded-4b5afd0ea72ba411c972a2da903eb2553e61e495.tar.gz

diff --git a/meta-python/recipes-devtools/python/python3-django/0001-Fixed-33367-Fixed-URLValidator-crash-in-some-edge-ca.patch b/meta-python/recipes-devtools/python/python3-django/0001-Fixed-33367-Fixed-URLValidator-crash-in-some-edge-ca.patch new file mode 100644 index 0000000000..549e761ec3 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django/0001-Fixed-33367-Fixed-URLValidator-crash-in-some-edge-ca.patch
@@ -0,0 +1,57 @@
		1	From 065b10e2757af671f3e64f0c8714e6f2e4eca727 Mon Sep 17 00:00:00 2001
		2	From: Gyorgy Sarvari <skandigraun@gmail.com>
		3	Date: Wed, 15 Dec 2021 11:55:19 -0300
		4	Subject: [PATCH] Fixed #33367 -- Fixed URLValidator crash in some edge cases.
		5
		6	From: mendespedro <windowsxpedro@gmail.com>
		7
		8	Upstream-Status: Backport [https://github.com/django/django/commit/e8b4feddc34ffe5759ec21da8fa027e86e653f1c]
		9	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		10	---
		11	django/core/validators.py \| 14 ++++++++------
		12	1 file changed, 8 insertions(+), 6 deletions(-)
		13
		14	diff --git a/django/core/validators.py b/django/core/validators.py
		15	index 94cc3bf..03cd9b8 100644
		16	--- a/django/core/validators.py
		17	+++ b/django/core/validators.py
		18	@@ -120,15 +120,17 @@ class URLValidator(RegexValidator):
		19	raise ValidationError(self.message, code=self.code)
		20
		21	# Then check full URL
		22	+
		23	+ try:
		24	+ splitted_url = urlsplit(value)
		25	+ except ValueError:
		26	+ raise ValidationError(self.message, code=self.code, params={'value': value})
		27	try:
		28	super().__call__(value)
		29	except ValidationError as e:
		30	# Trivial case failed. Try for possible IDN domain
		31	if value:
		32	- try:
		33	- scheme, netloc, path, query, fragment = urlsplit(value)
		34	- except ValueError: # for example, "Invalid IPv6 URL"
		35	- raise ValidationError(self.message, code=self.code)
		36	+ scheme, netloc, path, query, fragment = splitted_url
		37	try:
		38	netloc = netloc.encode('idna').decode('ascii') # IDN -> ACE
		39	except UnicodeError: # invalid domain part
		40	@@ -139,7 +141,7 @@ class URLValidator(RegexValidator):
		41	raise
		42	else:
		43	# Now verify IPv6 in the netloc part
		44	- host_match = re.search(r'^\[(.+)\](?::\d{2,5})?$', urlsplit(value).netloc)
		45	+ host_match = re.search(r'^\[(.+)\](?::\d{2,5})?$', splitted_url.netloc)
		46	if host_match:
		47	potential_ip = host_match.groups()[0]
		48	try:
		49	@@ -151,7 +153,7 @@ class URLValidator(RegexValidator):
		50	# section 3.1. It's defined to be 255 bytes or less, but this includes
		51	# one byte for the length of the name and one byte for the trailing dot
		52	# that's used to indicate absolute names in DNS.
		53	- if len(urlsplit(value).hostname) > 253:
		54	+ if splitted_url.hostname is None or len(splitted_url.hostname) > 253:
		55	raise ValidationError(self.message, code=self.code)
		56
		57


diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb index bf7e182aba..0f6f8fc4d0 100644 --- a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb +++ b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
@@ -38,6 +38,7 @@ SRC_URI += "file://CVE-2023-31047.patch \
38	file://0001-implement-group-method-for-FakeMatch.patch \	38	file://0001-implement-group-method-for-FakeMatch.patch \
39	file://0001-fix-ipv6-test.patch \	39	file://0001-fix-ipv6-test.patch \
40	file://0001-Fixed-32298-Fixed-URLValidator-hostname-length-valid.patch \	40	file://0001-Fixed-32298-Fixed-URLValidator-hostname-length-valid.patch \
		41	file://0001-Fixed-33367-Fixed-URLValidator-crash-in-some-edge-ca.patch \
41	"	42	"
42		43
43	SRC_URI[sha256sum] = "0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413"	44	SRC_URI[sha256sum] = "0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413"