python3-django: fix CVE-2024-41991

Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-41991 Upstream-patch: https://github.com/django/django/commit/efea1ef7e2190e3f77ca0651b5458297bc0f6a9f/ Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
author: Saravanan <saravanan.kadambathursubramaniyam@windriver.com> 2025-12-04 19:11:13 +0530
committer: Gyorgy Sarvari <skandigraun@gmail.com> 2025-12-05 15:29:55 +0100
commit: 64e4cf993355aa69f155634c57c73de695eaa50a (patch)
tree: b9cbcdf1b8edc4e924edd8280b2349f43681af55 /meta-python/recipes-devtools
parent: edb07bc11e66526380469d6340e6c1cc802c6d5b (diff)
download: meta-openembedded-64e4cf993355aa69f155634c57c73de695eaa50a.tar.gz
2 files changed, 144 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-django-3.2.25/CVE-2024-41991.patch b/meta-python/recipes-devtools/python/python3-django-3.2.25/CVE-2024-41991.patch
new file mode 100644
index 0000000000..1531de5b2f
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-django-3.2.25/CVE-2024-41991.patch
@@ -0,0 +1,143 @@
+From efea1ef7e2190e3f77ca0651b5458297bc0f6a9f Mon Sep 17 00:00:00 2001
+From: Marc Deslauriers <marc.deslauriers@ubuntu.com>
+Date: Wed, 30 Apr 2025 10:34:27 -0400
+Subject: [PATCH] Fixed CVE-2024-41991 -- Prevented potential ReDoS in
+ django.utils.html.urlize() and AdminURLFieldWidget.
+Thanks Seokchan Yoon for the report.
+Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
+CVE: CVE-2024-41991
+Upstream-Status: Backport
+https://github.com/django/django/commit/efea1ef7e2190e3f77ca0651b5458297bc0f6a9f/
+Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com>
+---
+ django/contrib/admin/widgets.py |  2 +-
+ django/utils/html.py            | 10 ++++++++--
+ docs/releases/3.2.25.txt        |  7 +++++++
+ tests/admin_widgets/tests.py    |  7 ++++++-
+ tests/utils_tests/test_html.py  | 13 +++++++++++++
+ 5 files changed, 35 insertions(+), 4 deletions(-)
+diff --git a/django/contrib/admin/widgets.py b/django/contrib/admin/widgets.py
+index aeb7477..b7dd0d8 100644
+--- a/django/contrib/admin/widgets.py
+++ b/django/contrib/admin/widgets.py
+@@ -339,7 +339,7 @@ class AdminURLFieldWidget(forms.URLInput):
+         context = super().get_context(name, value, attrs)
+         context['current_label'] = _('Currently:')
+         context['change_label'] = _('Change:')
+-        context['widget']['href'] = smart_urlquote(context['widget']['value']) if value else ''
+        context['widget']['href'] = smart_urlquote(context['widget']['value']) if url_valid else ''
+         context['url_valid'] = url_valid
+         return context
+ 
+diff --git a/django/utils/html.py b/django/utils/html.py
+index 3bc02b8..44c6b7b 100644
+--- a/django/utils/html.py
+++ b/django/utils/html.py
+@@ -29,6 +29,8 @@ simple_url_2_re = _lazy_re_compile(
+     re.IGNORECASE
+ )
+ 
+MAX_URL_LENGTH = 2048
+
+ 
+ @keep_lazy(str, SafeString)
+ def escape(text):
+@@ -298,6 +300,10 @@ def urlize(text, trim_url_limit=None, nofollow=False, autoescape=False):
+         except ValueError:
+             # value contains more than one @.
+             return False
+        # Max length for domain name labels is 63 characters per RFC 1034.
+        # Helps to avoid ReDoS vectors in the domain part.
+        if len(p2) > 63:
+            return False
+         # Dot must be in p2 (e.g. example.com)
+         if '.' not in p2 or p2.startswith('.'):
+             return False
+@@ -316,9 +322,9 @@ def urlize(text, trim_url_limit=None, nofollow=False, autoescape=False):
+             # Make URL we want to point to.
+             url = None
+             nofollow_attr = ' rel="nofollow"' if nofollow else ''
+-            if simple_url_re.match(middle):
+            if len(middle) <= MAX_URL_LENGTH and simple_url_re.match(middle):
+                 url = smart_urlquote(html.unescape(middle))
+-            elif simple_url_2_re.match(middle):
+            elif len(middle) <= MAX_URL_LENGTH and simple_url_2_re.match(middle):
+                 url = smart_urlquote('http://%s' % html.unescape(middle))
+             elif ':' not in middle and is_email_simple(middle):
+                 local, domain = middle.rsplit('@', 1)
+diff --git a/docs/releases/3.2.25.txt b/docs/releases/3.2.25.txt
+index 60236d5..67dc8a2 100644
+--- a/docs/releases/3.2.25.txt
+++ b/docs/releases/3.2.25.txt
+@@ -59,6 +59,13 @@ directory-traversal via certain inputs when calling :meth:`save()
+ 
+ Built-in ``Storage`` sub-classes were not affected by this vulnerability.
+ 
+CVE-2024-41991: Potential denial-of-service vulnerability in ``django.utils.html.urlize()`` and ``AdminURLFieldWidget``
+===========================================================================================================
+
+:tfilter:`urlize`, :tfilter:`urlizetrunc`, and ``AdminURLFieldWidget`` were
+subject to a potential denial-of-service attack via certain inputs with a very
+large number of Unicode characters.
+
+ Bugfixes
+ ========
+ 
+diff --git a/tests/admin_widgets/tests.py b/tests/admin_widgets/tests.py
+index f701f1a..c532199 100644
+--- a/tests/admin_widgets/tests.py
+++ b/tests/admin_widgets/tests.py
+@@ -353,7 +353,12 @@ class AdminSplitDateTimeWidgetTest(SimpleTestCase):
+ class AdminURLWidgetTest(SimpleTestCase):
+     def test_get_context_validates_url(self):
+         w = widgets.AdminURLFieldWidget()
+-        for invalid in ['', '/not/a/full/url/', 'javascript:alert("Danger XSS!")']:
+        for invalid in [
+            "",
+            "/not/a/full/url/",
+            'javascript:alert("Danger XSS!")',
+            "http://" + "한.글." * 1_000_000 + "com",
+        ]:
+             with self.subTest(url=invalid):
+                 self.assertFalse(w.get_context('name', invalid, {})['url_valid'])
+         self.assertTrue(w.get_context('name', 'http://example.com', {})['url_valid'])
+diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
+index 30f5ba6..93458ac 100644
+--- a/tests/utils_tests/test_html.py
+++ b/tests/utils_tests/test_html.py
+@@ -255,6 +255,15 @@ class TestUtilsHtml(SimpleTestCase):
+                 'Search for <a href="http://google.com/?q=">google.com/?q=</a>!'
+             ),
+             ('foo@example.com', '<a href="mailto:foo@example.com">foo@example.com</a>'),
+            (
+                "test@" + "한.글." * 15 + "aaa",
+                '<a href="mailto:test@'
+                + "xn--6q8b.xn--bj0b." * 15
+                + 'aaa">'
+                + "test@"
+                + "한.글." * 15
+                + "aaa</a>",
+            ),
+         )
+         for value, output in tests:
+             with self.subTest(value=value):
+@@ -263,6 +272,10 @@ class TestUtilsHtml(SimpleTestCase):
+     def test_urlize_unchanged_inputs(self):
+         tests = (
+             ('a' + '@a' * 50000) + 'a',  # simple_email_re catastrophic test
+            # Unicode domain catastrophic tests.
+            "a@" + "한.글." * 1_000_000 + "a",
+            "http://" + "한.글." * 1_000_000 + "com",
+            "www." + "한.글." * 1_000_000 + "com",
+             ('a' + '.' * 1000000) + 'a',  # trailing_punctuation catastrophic test
+             'foo@',
+             '@foo.com',
+-- 
+2.40.0
diff --git a/meta-python/recipes-devtools/python/python3-django_3.2.25.bb b/meta-python/recipes-devtools/python/python3-django_3.2.25.bb
index 2d94b2109c..c5d97ae482 100644
--- a/meta-python/recipes-devtools/python/python3-django_3.2.25.bb
+++ b/meta-python/recipes-devtools/python/python3-django_3.2.25.bb
@@ -12,6 +12,7 @@ SRC_URI += "\
       file://CVE-2025-57833.patch \
       file://CVE-2024-39329.patch \
       file://CVE-2024-39330.patch \
+       file://CVE-2024-41991.patch \
 "
 # Set DEFAULT_PREFERENCE so that the LTS version of django is built by
author	Saravanan <saravanan.kadambathursubramaniyam@windriver.com>	2025-12-04 19:11:13 +0530
committer	Gyorgy Sarvari <skandigraun@gmail.com>	2025-12-05 15:29:55 +0100
commit	64e4cf993355aa69f155634c57c73de695eaa50a (patch)
tree	b9cbcdf1b8edc4e924edd8280b2349f43681af55 /meta-python/recipes-devtools
parent	edb07bc11e66526380469d6340e6c1cc802c6d5b (diff)
download	meta-openembedded-64e4cf993355aa69f155634c57c73de695eaa50a.tar.gz

diff --git a/meta-python/recipes-devtools/python/python3-django-3.2.25/CVE-2024-41991.patch b/meta-python/recipes-devtools/python/python3-django-3.2.25/CVE-2024-41991.patch new file mode 100644 index 0000000000..1531de5b2f --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django-3.2.25/CVE-2024-41991.patch
@@ -0,0 +1,143 @@
		1	From efea1ef7e2190e3f77ca0651b5458297bc0f6a9f Mon Sep 17 00:00:00 2001
		2	From: Marc Deslauriers <marc.deslauriers@ubuntu.com>
		3	Date: Wed, 30 Apr 2025 10:34:27 -0400
		4	Subject: [PATCH] Fixed CVE-2024-41991 -- Prevented potential ReDoS in
		5	django.utils.html.urlize() and AdminURLFieldWidget.
		6
		7	Thanks Seokchan Yoon for the report.
		8
		9	Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
		10
		11	CVE: CVE-2024-41991
		12
		13	Upstream-Status: Backport
		14	https://github.com/django/django/commit/efea1ef7e2190e3f77ca0651b5458297bc0f6a9f/
		15
		16	Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com>
		17	---
		18	django/contrib/admin/widgets.py \| 2 +-
		19	django/utils/html.py \| 10 ++++++++--
		20	docs/releases/3.2.25.txt \| 7 +++++++
		21	tests/admin_widgets/tests.py \| 7 ++++++-
		22	tests/utils_tests/test_html.py \| 13 +++++++++++++
		23	5 files changed, 35 insertions(+), 4 deletions(-)
		24
		25	diff --git a/django/contrib/admin/widgets.py b/django/contrib/admin/widgets.py
		26	index aeb7477..b7dd0d8 100644
		27	--- a/django/contrib/admin/widgets.py
		28	+++ b/django/contrib/admin/widgets.py
		29	@@ -339,7 +339,7 @@ class AdminURLFieldWidget(forms.URLInput):
		30	context = super().get_context(name, value, attrs)
		31	context['current_label'] = _('Currently:')
		32	context['change_label'] = _('Change:')
		33	- context['widget']['href'] = smart_urlquote(context['widget']['value']) if value else ''
		34	+ context['widget']['href'] = smart_urlquote(context['widget']['value']) if url_valid else ''
		35	context['url_valid'] = url_valid
		36	return context
		37
		38	diff --git a/django/utils/html.py b/django/utils/html.py
		39	index 3bc02b8..44c6b7b 100644
		40	--- a/django/utils/html.py
		41	+++ b/django/utils/html.py
		42	@@ -29,6 +29,8 @@ simple_url_2_re = _lazy_re_compile(
		43	re.IGNORECASE
		44	)
		45
		46	+MAX_URL_LENGTH = 2048
		47	+
		48
		49	@keep_lazy(str, SafeString)
		50	def escape(text):
		51	@@ -298,6 +300,10 @@ def urlize(text, trim_url_limit=None, nofollow=False, autoescape=False):
		52	except ValueError:
		53	# value contains more than one @.
		54	return False
		55	+ # Max length for domain name labels is 63 characters per RFC 1034.
		56	+ # Helps to avoid ReDoS vectors in the domain part.
		57	+ if len(p2) > 63:
		58	+ return False
		59	# Dot must be in p2 (e.g. example.com)
		60	if '.' not in p2 or p2.startswith('.'):
		61	return False
		62	@@ -316,9 +322,9 @@ def urlize(text, trim_url_limit=None, nofollow=False, autoescape=False):
		63	# Make URL we want to point to.
		64	url = None
		65	nofollow_attr = ' rel="nofollow"' if nofollow else ''
		66	- if simple_url_re.match(middle):
		67	+ if len(middle) <= MAX_URL_LENGTH and simple_url_re.match(middle):
		68	url = smart_urlquote(html.unescape(middle))
		69	- elif simple_url_2_re.match(middle):
		70	+ elif len(middle) <= MAX_URL_LENGTH and simple_url_2_re.match(middle):
		71	url = smart_urlquote('http://%s' % html.unescape(middle))
		72	elif ':' not in middle and is_email_simple(middle):
		73	local, domain = middle.rsplit('@', 1)
		74	diff --git a/docs/releases/3.2.25.txt b/docs/releases/3.2.25.txt
		75	index 60236d5..67dc8a2 100644
		76	--- a/docs/releases/3.2.25.txt
		77	+++ b/docs/releases/3.2.25.txt
		78	@@ -59,6 +59,13 @@ directory-traversal via certain inputs when calling :meth:`save()
		79
		80	Built-in ``Storage`` sub-classes were not affected by this vulnerability.
		81
		82	+CVE-2024-41991: Potential denial-of-service vulnerability in ``django.utils.html.urlize()`` and ``AdminURLFieldWidget``
		83	+===========================================================================================================
		84	+
		85	+:tfilter:`urlize`, :tfilter:`urlizetrunc`, and ``AdminURLFieldWidget`` were
		86	+subject to a potential denial-of-service attack via certain inputs with a very
		87	+large number of Unicode characters.
		88	+
		89	Bugfixes
		90	========
		91
		92	diff --git a/tests/admin_widgets/tests.py b/tests/admin_widgets/tests.py
		93	index f701f1a..c532199 100644
		94	--- a/tests/admin_widgets/tests.py
		95	+++ b/tests/admin_widgets/tests.py
		96	@@ -353,7 +353,12 @@ class AdminSplitDateTimeWidgetTest(SimpleTestCase):
		97	class AdminURLWidgetTest(SimpleTestCase):
		98	def test_get_context_validates_url(self):
		99	w = widgets.AdminURLFieldWidget()
		100	- for invalid in ['', '/not/a/full/url/', 'javascript:alert("Danger XSS!")']:
		101	+ for invalid in [
		102	+ "",
		103	+ "/not/a/full/url/",
		104	+ 'javascript:alert("Danger XSS!")',
		105	+ "http://" + "한.글." * 1_000_000 + "com",
		106	+ ]:
		107	with self.subTest(url=invalid):
		108	self.assertFalse(w.get_context('name', invalid, {})['url_valid'])
		109	self.assertTrue(w.get_context('name', 'http://example.com', {})['url_valid'])
		110	diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
		111	index 30f5ba6..93458ac 100644
		112	--- a/tests/utils_tests/test_html.py
		113	+++ b/tests/utils_tests/test_html.py
		114	@@ -255,6 +255,15 @@ class TestUtilsHtml(SimpleTestCase):
		115	'Search for <a href="http://google.com/?q=">google.com/?q=</a>!'
		116	),
		117	('foo@example.com', '<a href="mailto:foo@example.com">foo@example.com</a>'),
		118	+ (
		119	+ "test@" + "한.글." * 15 + "aaa",
		120	+ '<a href="mailto:test@'
		121	+ + "xn--6q8b.xn--bj0b." * 15
		122	+ + 'aaa">'
		123	+ + "test@"
		124	+ + "한.글." * 15
		125	+ + "aaa</a>",
		126	+ ),
		127	)
		128	for value, output in tests:
		129	with self.subTest(value=value):
		130	@@ -263,6 +272,10 @@ class TestUtilsHtml(SimpleTestCase):
		131	def test_urlize_unchanged_inputs(self):
		132	tests = (
		133	('a' + '@a' * 50000) + 'a', # simple_email_re catastrophic test
		134	+ # Unicode domain catastrophic tests.
		135	+ "a@" + "한.글." * 1_000_000 + "a",
		136	+ "http://" + "한.글." * 1_000_000 + "com",
		137	+ "www." + "한.글." * 1_000_000 + "com",
		138	('a' + '.' * 1000000) + 'a', # trailing_punctuation catastrophic test
		139	'foo@',
		140	'@foo.com',
		141	--
		142	2.40.0
		143


diff --git a/meta-python/recipes-devtools/python/python3-django_3.2.25.bb b/meta-python/recipes-devtools/python/python3-django_3.2.25.bb index 2d94b2109c..c5d97ae482 100644 --- a/meta-python/recipes-devtools/python/python3-django_3.2.25.bb +++ b/meta-python/recipes-devtools/python/python3-django_3.2.25.bb
@@ -12,6 +12,7 @@ SRC_URI += "\
12	file://CVE-2025-57833.patch \	12	file://CVE-2025-57833.patch \
13	file://CVE-2024-39329.patch \	13	file://CVE-2024-39329.patch \
14	file://CVE-2024-39330.patch \	14	file://CVE-2024-39330.patch \
		15	file://CVE-2024-41991.patch \
15	"	16	"
16		17
17	# Set DEFAULT_PREFERENCE so that the LTS version of django is built by	18	# Set DEFAULT_PREFERENCE so that the LTS version of django is built by