python3-django: fix CVE-2023-36053

In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs. Since, there is no ptest available for python3-django so have not tested the patch changes at runtime. References: https://github.com/advisories/GHSA-jh3w-4vvf-mjgr https://github.com/django/django/commit/454f2fb93437f98917283336201b4048293f7582 Signed-off-by: Narpat Mali <narpat.mali@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Narpat Mali <narpat.mali@windriver.com> 2023-07-28 08:13:18 +0000
committer: Armin Kuster <akuster808@gmail.com> 2023-08-25 10:45:34 -0400
commit: ac60beb44f62181ce48134bac61d89b7c0f4476f (patch)
tree: 061a6b35081803e3fef0139bd63cbe575b8a2636 /meta-python/recipes-devtools
parent: 99a5eb7a173377c20fc5822896272b0f21edffe0 (diff)
download: meta-openembedded-ac60beb44f62181ce48134bac61d89b7c0f4476f.tar.gz
2 files changed, 266 insertions, 1 deletions
diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2023-36053.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2023-36053.patch
new file mode 100644
index 0000000000..2ad38d8e95
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-django/CVE-2023-36053.patch
@@ -0,0 +1,263 @@
+From a0b2eeeb7350d0c3a9b9be191783ff15daeffec5 Mon Sep 17 00:00:00 2001
+From: Mariusz Felisiak <felisiak.mariusz@gmail.com>
+Date: Thu, 27 Jul 2023 14:51:48 +0000
+Subject: [PATCH] Fixed CVE-2023-36053
+-- Prevented potential ReDoS in EmailValidator and URLValidator.
+Thanks Seokchan Yoon for reports.
+CVE: CVE-2023-36053
+Upstream-Status: Backport [https://github.com/django/django/commit/454f2fb93437f98917283336201b4048293f7582]
+Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
+---
+ django/core/validators.py                     |  9 +++++++--
+ django/forms/fields.py                        |  3 +++
+ docs/ref/forms/fields.txt                     |  4 ++++
+ docs/ref/validators.txt                       | 19 ++++++++++++++++++-
+ docs/releases/2.2.28.txt                      |  9 +++++++++
+ .../field_tests/test_emailfield.py            |  5 ++++-
+ tests/forms_tests/tests/test_forms.py         | 19 +++++++++++++------
+ tests/validators/tests.py                     | 11 +++++++++++
+ 8 files changed, 69 insertions(+), 10 deletions(-)
+diff --git a/django/core/validators.py b/django/core/validators.py
+index 2da0688..2dbd3bf 100644
+--- a/django/core/validators.py
+++ b/django/core/validators.py
+@@ -102,6 +102,7 @@ class URLValidator(RegexValidator):
+     message = _('Enter a valid URL.')
+     schemes = ['http', 'https', 'ftp', 'ftps']
+     unsafe_chars = frozenset('\t\r\n')
+    max_length = 2048
+     def __init__(self, schemes=None, **kwargs):
+         super().__init__(**kwargs)
+@@ -109,7 +110,9 @@ class URLValidator(RegexValidator):
+             self.schemes = schemes
+     def __call__(self, value):
+-        if isinstance(value, str) and self.unsafe_chars.intersection(value):
+        if not isinstance(value, str) or len(value) > self.max_length:
+            raise ValidationError(self.message, code=self.code)
+        if self.unsafe_chars.intersection(value):
+             raise ValidationError(self.message, code=self.code)
+         # Check if the scheme is valid.
+         scheme = value.split('://')[0].lower()
+@@ -190,7 +193,9 @@ class EmailValidator:
+             self.domain_whitelist = whitelist
+     def __call__(self, value):
+-        if not value or '@' not in value:
+        # The maximum length of an email is 320 characters per RFC 3696
+        # section 3.
+        if not value or '@' not in value or len(value) > 320:
+             raise ValidationError(self.message, code=self.code)
+         user_part, domain_part = value.rsplit('@', 1)
+diff --git a/django/forms/fields.py b/django/forms/fields.py
+index a977256..f939338 100644
+--- a/django/forms/fields.py
+++ b/django/forms/fields.py
+@@ -542,6 +542,9 @@ class FileField(Field):
+     def __init__(self, *, max_length=None, allow_empty_file=False, **kwargs):
+         self.max_length = max_length
+         self.allow_empty_file = allow_empty_file
+        # The default maximum length of an email is 320 characters per RFC 3696
+        # section 3.
+        kwargs.setdefault("max_length", 320)
+         super().__init__(**kwargs)
+     def to_python(self, data):
+diff --git a/docs/ref/forms/fields.txt b/docs/ref/forms/fields.txt
+index 6f76d0d..3a888ef 100644
+--- a/docs/ref/forms/fields.txt
+++ b/docs/ref/forms/fields.txt
+@@ -592,6 +592,10 @@ For each field, we describe the default widget used if you don't specify
+     Has two optional arguments for validation, ``max_length`` and ``min_length``.
+     If provided, these arguments ensure that the string is at most or at least the
+     given length.
+    ``empty_value`` which work just as they do for :class:`CharField`. The
+    ``max_length`` argument defaults to 320 (see :rfc:`3696#section-3`).
+
+    The default value for ``max_length`` was changed to 320 characters.
+ ``FileField``
+ -------------
+diff --git a/docs/ref/validators.txt b/docs/ref/validators.txt
+index 75d1394..4178a1f 100644
+--- a/docs/ref/validators.txt
+++ b/docs/ref/validators.txt
+@@ -125,6 +125,11 @@ to, or in lieu of custom ``field.clean()`` methods.
+     :param code: If not ``None``, overrides :attr:`code`.
+     :param whitelist: If not ``None``, overrides :attr:`whitelist`.
+    An :class:`EmailValidator` ensures that a value looks like an email, and
+    raises a :exc:`~django.core.exceptions.ValidationError` with
+    :attr:`message` and :attr:`code` if it doesn't. Values longer than 320
+    characters are always considered invalid.
+
+     .. attribute:: message
+         The error message used by
+@@ -145,13 +150,17 @@ to, or in lieu of custom ``field.clean()`` methods.
+         ``['localhost']``. Other domains that don't contain a dot won't pass
+         validation, so you'd need to whitelist them as necessary.
+        In older versions, values longer than 320 characters could be
+        considered valid.
+
+ ``URLValidator``
+ ----------------
+ .. class:: URLValidator(schemes=None, regex=None, message=None, code=None)
+     A :class:`RegexValidator` that ensures a value looks like a URL, and raises
+-    an error code of ``'invalid'`` if it doesn't.
+    an error code of ``'invalid'`` if it doesn't. Values longer than
+    :attr:`max_length` characters are always considered invalid.
+     Loopback addresses and reserved IP spaces are considered valid. Literal
+     IPv6 addresses (:rfc:`3986#section-3.2.2`) and unicode domains are both
+@@ -168,6 +177,14 @@ to, or in lieu of custom ``field.clean()`` methods.
+         .. _valid URI schemes: https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml
+     .. attribute:: max_length
+
+        The maximum length of values that could be considered valid. Defaults
+        to 2048 characters.
+
+        In older versions, values longer than 2048 characters could be
+        considered valid.
+
+ ``validate_email``
+ ------------------
+diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt
+index 854c6b0..ab4884b 100644
+--- a/docs/releases/2.2.28.txt
+++ b/docs/releases/2.2.28.txt
+@@ -38,3 +38,12 @@ keep the old behavior, set ``allow_multiple_selected`` to ``True``.
+ For more details on using the new attribute and handling of multiple files
+ through a single field, see :ref:`uploading_multiple_files`.
+
+Backporting the CVE-2023-36053 fix on Django 2.2.28.
+
+CVE-2023-36053: Potential regular expression denial of service vulnerability in ``EmailValidator``/``URLValidator``
+===================================================================================================================
+
+``EmailValidator`` and ``URLValidator`` were subject to potential regular
+expression denial of service attack via a very large number of domain name
+labels of emails and URLs.
+diff --git a/tests/forms_tests/field_tests/test_emailfield.py b/tests/forms_tests/field_tests/test_emailfield.py
+index 826524a..fe5b644 100644
+--- a/tests/forms_tests/field_tests/test_emailfield.py
+++ b/tests/forms_tests/field_tests/test_emailfield.py
+@@ -8,7 +8,10 @@ class EmailFieldTest(FormFieldAssertionsMixin, SimpleTestCase):
+     def test_emailfield_1(self):
+         f = EmailField()
+-        self.assertWidgetRendersTo(f, '<input type="email" name="f" id="id_f" required>')
+        self.assertEqual(f.max_length, 320)
+        self.assertWidgetRendersTo(
+            f, '<input type="email" name="f" id="id_f" maxlength="320" required>'
+        )
+         with self.assertRaisesMessage(ValidationError, "'This field is required.'"):
+             f.clean('')
+         with self.assertRaisesMessage(ValidationError, "'This field is required.'"):
+diff --git a/tests/forms_tests/tests/test_forms.py b/tests/forms_tests/tests/test_forms.py
+index d4e421d..8893f89 100644
+--- a/tests/forms_tests/tests/test_forms.py
+++ b/tests/forms_tests/tests/test_forms.py
+@@ -422,11 +422,18 @@ class FormsTestCase(SimpleTestCase):
+             get_spam = BooleanField()
+         f = SignupForm(auto_id=False)
+-        self.assertHTMLEqual(str(f['email']), '<input type="email" name="email" required>')
+        self.assertHTMLEqual(
+            str(f["email"]),
+            '<input type="email" name="email" maxlength="320" required>',
+        )
+         self.assertHTMLEqual(str(f['get_spam']), '<input type="checkbox" name="get_spam" required>')
+         f = SignupForm({'email': 'test@example.com', 'get_spam': True}, auto_id=False)
+-        self.assertHTMLEqual(str(f['email']), '<input type="email" name="email" value="test@example.com" required>')
+        self.assertHTMLEqual(
+            str(f["email"]),
+            '<input type="email" name="email" maxlength="320" value="test@example.com" '
+            "required>",
+        )
+         self.assertHTMLEqual(
+             str(f['get_spam']),
+             '<input checked type="checkbox" name="get_spam" required>',
+@@ -2780,7 +2787,7 @@ Good luck picking a username that doesn&#39;t already exist.</p>
+ <option value="true">Yes</option>
+ <option value="false">No</option>
+ </select></li>
+-<li><label for="id_email">Email:</label> <input type="email" name="email" id="id_email"></li>
+<li><label for="id_email">Email:</label> <input type="email" name="email" id="id_email" maxlength="320"></li>
+ <li class="required error"><ul class="errorlist"><li>This field is required.</li></ul>
+ <label class="required" for="id_age">Age:</label> <input type="number" name="age" id="id_age" required></li>"""
+         )
+@@ -2796,7 +2803,7 @@ Good luck picking a username that doesn&#39;t already exist.</p>
+ <option value="true">Yes</option>
+ <option value="false">No</option>
+ </select></p>
+-<p><label for="id_email">Email:</label> <input type="email" name="email" id="id_email"></p>
+<p><label for="id_email">Email:</label> <input type="email" name="email" id="id_email" maxlength="320"></p>
+ <ul class="errorlist"><li>This field is required.</li></ul>
+ <p class="required error"><label class="required" for="id_age">Age:</label>
+ <input type="number" name="age" id="id_age" required></p>"""
+@@ -2815,7 +2822,7 @@ Good luck picking a username that doesn&#39;t already exist.</p>
+ <option value="false">No</option>
+ </select></td></tr>
+ <tr><th><label for="id_email">Email:</label></th><td>
+-<input type="email" name="email" id="id_email"></td></tr>
+<input type="email" name="email" id="id_email" maxlength="320"></td></tr>
+ <tr class="required error"><th><label class="required" for="id_age">Age:</label></th>
+ <td><ul class="errorlist"><li>This field is required.</li></ul>
+ <input type="number" name="age" id="id_age" required></td></tr>"""
+@@ -3428,7 +3435,7 @@ Good luck picking a username that doesn&#39;t already exist.</p>
+         f = CommentForm(data, auto_id=False, error_class=DivErrorList)
+         self.assertHTMLEqual(f.as_p(), """<p>Name: <input type="text" name="name" maxlength="50"></p>
+ <div class="errorlist"><div class="error">Enter a valid email address.</div></div>
+-<p>Email: <input type="email" name="email" value="invalid" required></p>
+<p>Email: <input type="email" name="email" value="invalid" maxlength="320" required></p>
+ <div class="errorlist"><div class="error">This field is required.</div></div>
+ <p>Comment: <input type="text" name="comment" required></p>""")
+diff --git a/tests/validators/tests.py b/tests/validators/tests.py
+index 1f09fb5..8204f00 100644
+--- a/tests/validators/tests.py
+++ b/tests/validators/tests.py
+@@ -58,6 +58,7 @@ TEST_DATA = [
+     (validate_email, 'example@atm.%s' % ('a' * 64), ValidationError),
+     (validate_email, 'example@%s.atm.%s' % ('b' * 64, 'a' * 63), ValidationError),
+    (validate_email, "example@%scom" % (("a" * 63 + ".") * 100), ValidationError),
+     (validate_email, None, ValidationError),
+     (validate_email, '', ValidationError),
+     (validate_email, 'abc', ValidationError),
+@@ -242,6 +243,16 @@ TEST_DATA = [
+     (URLValidator(EXTENDED_SCHEMES), 'git+ssh://git@github.com/example/hg-git.git', None),
+     (URLValidator(EXTENDED_SCHEMES), 'git://-invalid.com', ValidationError),
+    (
+        URLValidator(),
+        "http://example." + ("a" * 63 + ".") * 1000 + "com",
+        ValidationError,
+    ),
+    (
+        URLValidator(),
+        "http://userid:password" + "d" * 2000 + "@example.aaaaaaaaaaaaa.com",
+        None,
+    ),
+     # Newlines and tabs are not accepted.
+     (URLValidator(), 'http://www.djangoproject.com/\n', ValidationError),
+     (URLValidator(), 'http://[::ffff:192.9.5.5]\n', ValidationError),
+--
+2.40.0
diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
index 77a1a2a740..ec65a985da 100644
--- a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
+++ b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
@@ -5,7 +5,9 @@ UPSTREAM_CHECK_REGEX = "/${PYPI_PACKAGE}/(?P<pver>(2\.2\.\d*)+)/"
 inherit setuptools3
-SRC_URI += "file://CVE-2023-31047.patch"
+SRC_URI += "file://CVE-2023-31047.patch \
+            file://CVE-2023-36053.patch \
+           "
 SRC_URI[sha256sum] = "0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413"
author	Narpat Mali <narpat.mali@windriver.com>	2023-07-28 08:13:18 +0000
committer	Armin Kuster <akuster808@gmail.com>	2023-08-25 10:45:34 -0400
commit	ac60beb44f62181ce48134bac61d89b7c0f4476f (patch)
tree	061a6b35081803e3fef0139bd63cbe575b8a2636 /meta-python/recipes-devtools
parent	99a5eb7a173377c20fc5822896272b0f21edffe0 (diff)
download	meta-openembedded-ac60beb44f62181ce48134bac61d89b7c0f4476f.tar.gz

diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2023-36053.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2023-36053.patch new file mode 100644 index 0000000000..2ad38d8e95 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django/CVE-2023-36053.patch
@@ -0,0 +1,263 @@
		1	From a0b2eeeb7350d0c3a9b9be191783ff15daeffec5 Mon Sep 17 00:00:00 2001
		2	From: Mariusz Felisiak <felisiak.mariusz@gmail.com>
		3	Date: Thu, 27 Jul 2023 14:51:48 +0000
		4	Subject: [PATCH] Fixed CVE-2023-36053
		5
		6	-- Prevented potential ReDoS in EmailValidator and URLValidator.
		7
		8	Thanks Seokchan Yoon for reports.
		9
		10	CVE: CVE-2023-36053
		11
		12	Upstream-Status: Backport [https://github.com/django/django/commit/454f2fb93437f98917283336201b4048293f7582]
		13
		14	Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
		15	---
		16	django/core/validators.py \| 9 +++++++--
		17	django/forms/fields.py \| 3 +++
		18	docs/ref/forms/fields.txt \| 4 ++++
		19	docs/ref/validators.txt \| 19 ++++++++++++++++++-
		20	docs/releases/2.2.28.txt \| 9 +++++++++
		21	.../field_tests/test_emailfield.py \| 5 ++++-
		22	tests/forms_tests/tests/test_forms.py \| 19 +++++++++++++------
		23	tests/validators/tests.py \| 11 +++++++++++
		24	8 files changed, 69 insertions(+), 10 deletions(-)
		25
		26	diff --git a/django/core/validators.py b/django/core/validators.py
		27	index 2da0688..2dbd3bf 100644
		28	--- a/django/core/validators.py
		29	+++ b/django/core/validators.py
		30	@@ -102,6 +102,7 @@ class URLValidator(RegexValidator):
		31	message = _('Enter a valid URL.')
		32	schemes = ['http', 'https', 'ftp', 'ftps']
		33	unsafe_chars = frozenset('\t\r\n')
		34	+ max_length = 2048
		35
		36	def __init__(self, schemes=None, **kwargs):
		37	super().__init__(**kwargs)
		38	@@ -109,7 +110,9 @@ class URLValidator(RegexValidator):
		39	self.schemes = schemes
		40
		41	def __call__(self, value):
		42	- if isinstance(value, str) and self.unsafe_chars.intersection(value):
		43	+ if not isinstance(value, str) or len(value) > self.max_length:
		44	+ raise ValidationError(self.message, code=self.code)
		45	+ if self.unsafe_chars.intersection(value):
		46	raise ValidationError(self.message, code=self.code)
		47	# Check if the scheme is valid.
		48	scheme = value.split('://')[0].lower()
		49	@@ -190,7 +193,9 @@ class EmailValidator:
		50	self.domain_whitelist = whitelist
		51
		52	def __call__(self, value):
		53	- if not value or '@' not in value:
		54	+ # The maximum length of an email is 320 characters per RFC 3696
		55	+ # section 3.
		56	+ if not value or '@' not in value or len(value) > 320:
		57	raise ValidationError(self.message, code=self.code)
		58
		59	user_part, domain_part = value.rsplit('@', 1)
		60	diff --git a/django/forms/fields.py b/django/forms/fields.py
		61	index a977256..f939338 100644
		62	--- a/django/forms/fields.py
		63	+++ b/django/forms/fields.py
		64	@@ -542,6 +542,9 @@ class FileField(Field):
		65	def __init__(self, , max_length=None, allow_empty_file=False, *kwargs):
		66	self.max_length = max_length
		67	self.allow_empty_file = allow_empty_file
		68	+ # The default maximum length of an email is 320 characters per RFC 3696
		69	+ # section 3.
		70	+ kwargs.setdefault("max_length", 320)
		71	super().__init__(**kwargs)
		72
		73	def to_python(self, data):
		74	diff --git a/docs/ref/forms/fields.txt b/docs/ref/forms/fields.txt
		75	index 6f76d0d..3a888ef 100644
		76	--- a/docs/ref/forms/fields.txt
		77	+++ b/docs/ref/forms/fields.txt
		78	@@ -592,6 +592,10 @@ For each field, we describe the default widget used if you don't specify
		79	Has two optional arguments for validation, ``max_length`` and ``min_length``.
		80	If provided, these arguments ensure that the string is at most or at least the
		81	given length.
		82	+ ``empty_value`` which work just as they do for :class:`CharField`. The
		83	+ ``max_length`` argument defaults to 320 (see :rfc:`3696#section-3`).
		84	+
		85	+ The default value for ``max_length`` was changed to 320 characters.
		86
		87	``FileField``
		88	-------------
		89	diff --git a/docs/ref/validators.txt b/docs/ref/validators.txt
		90	index 75d1394..4178a1f 100644
		91	--- a/docs/ref/validators.txt
		92	+++ b/docs/ref/validators.txt
		93	@@ -125,6 +125,11 @@ to, or in lieu of custom ``field.clean()`` methods.
		94	:param code: If not ``None``, overrides :attr:`code`.
		95	:param whitelist: If not ``None``, overrides :attr:`whitelist`.
		96
		97	+ An :class:`EmailValidator` ensures that a value looks like an email, and
		98	+ raises a :exc:`~django.core.exceptions.ValidationError` with
		99	+ :attr:`message` and :attr:`code` if it doesn't. Values longer than 320
		100	+ characters are always considered invalid.
		101	+
		102	.. attribute:: message
		103
		104	The error message used by
		105	@@ -145,13 +150,17 @@ to, or in lieu of custom ``field.clean()`` methods.
		106	``['localhost']``. Other domains that don't contain a dot won't pass
		107	validation, so you'd need to whitelist them as necessary.
		108
		109	+ In older versions, values longer than 320 characters could be
		110	+ considered valid.
		111	+
		112	``URLValidator``
		113	----------------
		114
		115	.. class:: URLValidator(schemes=None, regex=None, message=None, code=None)
		116
		117	A :class:`RegexValidator` that ensures a value looks like a URL, and raises
		118	- an error code of ``'invalid'`` if it doesn't.
		119	+ an error code of ``'invalid'`` if it doesn't. Values longer than
		120	+ :attr:`max_length` characters are always considered invalid.
		121
		122	Loopback addresses and reserved IP spaces are considered valid. Literal
		123	IPv6 addresses (:rfc:`3986#section-3.2.2`) and unicode domains are both
		124	@@ -168,6 +177,14 @@ to, or in lieu of custom ``field.clean()`` methods.
		125
		126	.. _valid URI schemes: https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml
		127
		128	+ .. attribute:: max_length
		129	+
		130	+ The maximum length of values that could be considered valid. Defaults
		131	+ to 2048 characters.
		132	+
		133	+ In older versions, values longer than 2048 characters could be
		134	+ considered valid.
		135	+
		136	``validate_email``
		137	------------------
		138
		139	diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt
		140	index 854c6b0..ab4884b 100644
		141	--- a/docs/releases/2.2.28.txt
		142	+++ b/docs/releases/2.2.28.txt
		143	@@ -38,3 +38,12 @@ keep the old behavior, set ``allow_multiple_selected`` to ``True``.
		144
		145	For more details on using the new attribute and handling of multiple files
		146	through a single field, see :ref:`uploading_multiple_files`.
		147	+
		148	+Backporting the CVE-2023-36053 fix on Django 2.2.28.
		149	+
		150	+CVE-2023-36053: Potential regular expression denial of service vulnerability in ``EmailValidator``/``URLValidator``
		151	+===================================================================================================================
		152	+
		153	+``EmailValidator`` and ``URLValidator`` were subject to potential regular
		154	+expression denial of service attack via a very large number of domain name
		155	+labels of emails and URLs.
		156	diff --git a/tests/forms_tests/field_tests/test_emailfield.py b/tests/forms_tests/field_tests/test_emailfield.py
		157	index 826524a..fe5b644 100644
		158	--- a/tests/forms_tests/field_tests/test_emailfield.py
		159	+++ b/tests/forms_tests/field_tests/test_emailfield.py
		160	@@ -8,7 +8,10 @@ class EmailFieldTest(FormFieldAssertionsMixin, SimpleTestCase):
		161
		162	def test_emailfield_1(self):
		163	f = EmailField()
		164	- self.assertWidgetRendersTo(f, '<input type="email" name="f" id="id_f" required>')
		165	+ self.assertEqual(f.max_length, 320)
		166	+ self.assertWidgetRendersTo(
		167	+ f, '<input type="email" name="f" id="id_f" maxlength="320" required>'
		168	+ )
		169	with self.assertRaisesMessage(ValidationError, "'This field is required.'"):
		170	f.clean('')
		171	with self.assertRaisesMessage(ValidationError, "'This field is required.'"):
		172	diff --git a/tests/forms_tests/tests/test_forms.py b/tests/forms_tests/tests/test_forms.py
		173	index d4e421d..8893f89 100644
		174	--- a/tests/forms_tests/tests/test_forms.py
		175	+++ b/tests/forms_tests/tests/test_forms.py
		176	@@ -422,11 +422,18 @@ class FormsTestCase(SimpleTestCase):
		177	get_spam = BooleanField()
		178
		179	f = SignupForm(auto_id=False)
		180	- self.assertHTMLEqual(str(f['email']), '<input type="email" name="email" required>')
		181	+ self.assertHTMLEqual(
		182	+ str(f["email"]),
		183	+ '<input type="email" name="email" maxlength="320" required>',
		184	+ )
		185	self.assertHTMLEqual(str(f['get_spam']), '<input type="checkbox" name="get_spam" required>')
		186
		187	f = SignupForm({'email': 'test@example.com', 'get_spam': True}, auto_id=False)
		188	- self.assertHTMLEqual(str(f['email']), '<input type="email" name="email" value="test@example.com" required>')
		189	+ self.assertHTMLEqual(
		190	+ str(f["email"]),
		191	+ '<input type="email" name="email" maxlength="320" value="test@example.com" '
		192	+ "required>",
		193	+ )
		194	self.assertHTMLEqual(
		195	str(f['get_spam']),
		196	'<input checked type="checkbox" name="get_spam" required>',
		197	@@ -2780,7 +2787,7 @@ Good luck picking a username that doesn't already exist.</p>
		198	<option value="true">Yes</option>
		199	<option value="false">No</option>
		200	</select></li>
		201	-<li><label for="id_email">Email:</label> <input type="email" name="email" id="id_email"></li>
		202	+<li><label for="id_email">Email:</label> <input type="email" name="email" id="id_email" maxlength="320"></li>
		203	<li class="required error"><ul class="errorlist"><li>This field is required.</li></ul>
		204	<label class="required" for="id_age">Age:</label> <input type="number" name="age" id="id_age" required></li>"""
		205	)
		206	@@ -2796,7 +2803,7 @@ Good luck picking a username that doesn't already exist.</p>
		207	<option value="true">Yes</option>
		208	<option value="false">No</option>
		209	</select></p>
		210	-<p><label for="id_email">Email:</label> <input type="email" name="email" id="id_email"></p>
		211	+<p><label for="id_email">Email:</label> <input type="email" name="email" id="id_email" maxlength="320"></p>
		212	<ul class="errorlist"><li>This field is required.</li></ul>
		213	<p class="required error"><label class="required" for="id_age">Age:</label>
		214	<input type="number" name="age" id="id_age" required></p>"""
		215	@@ -2815,7 +2822,7 @@ Good luck picking a username that doesn't already exist.</p>
		216	<option value="false">No</option>
		217	</select></td></tr>
		218	<tr><th><label for="id_email">Email:</label></th><td>
		219	-<input type="email" name="email" id="id_email"></td></tr>
		220	+<input type="email" name="email" id="id_email" maxlength="320"></td></tr>
		221	<tr class="required error"><th><label class="required" for="id_age">Age:</label></th>
		222	<td><ul class="errorlist"><li>This field is required.</li></ul>
		223	<input type="number" name="age" id="id_age" required></td></tr>"""
		224	@@ -3428,7 +3435,7 @@ Good luck picking a username that doesn't already exist.</p>
		225	f = CommentForm(data, auto_id=False, error_class=DivErrorList)
		226	self.assertHTMLEqual(f.as_p(), """<p>Name: <input type="text" name="name" maxlength="50"></p>
		227	<div class="errorlist"><div class="error">Enter a valid email address.</div></div>
		228	-<p>Email: <input type="email" name="email" value="invalid" required></p>
		229	+<p>Email: <input type="email" name="email" value="invalid" maxlength="320" required></p>
		230	<div class="errorlist"><div class="error">This field is required.</div></div>
		231	<p>Comment: <input type="text" name="comment" required></p>""")
		232
		233	diff --git a/tests/validators/tests.py b/tests/validators/tests.py
		234	index 1f09fb5..8204f00 100644
		235	--- a/tests/validators/tests.py
		236	+++ b/tests/validators/tests.py
		237	@@ -58,6 +58,7 @@ TEST_DATA = [
		238
		239	(validate_email, 'example@atm.%s' % ('a' * 64), ValidationError),
		240	(validate_email, 'example@%s.atm.%s' % ('b' * 64, 'a' * 63), ValidationError),
		241	+ (validate_email, "example@%scom" % (("a" * 63 + ".") * 100), ValidationError),
		242	(validate_email, None, ValidationError),
		243	(validate_email, '', ValidationError),
		244	(validate_email, 'abc', ValidationError),
		245	@@ -242,6 +243,16 @@ TEST_DATA = [
		246	(URLValidator(EXTENDED_SCHEMES), 'git+ssh://git@github.com/example/hg-git.git', None),
		247
		248	(URLValidator(EXTENDED_SCHEMES), 'git://-invalid.com', ValidationError),
		249	+ (
		250	+ URLValidator(),
		251	+ "http://example." + ("a" * 63 + ".") * 1000 + "com",
		252	+ ValidationError,
		253	+ ),
		254	+ (
		255	+ URLValidator(),
		256	+ "http://userid:password" + "d" * 2000 + "@example.aaaaaaaaaaaaa.com",
		257	+ None,
		258	+ ),
		259	# Newlines and tabs are not accepted.
		260	(URLValidator(), 'http://www.djangoproject.com/\n', ValidationError),
		261	(URLValidator(), 'http://[::ffff:192.9.5.5]\n', ValidationError),
		262	--
		263	2.40.0


diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb index 77a1a2a740..ec65a985da 100644 --- a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb +++ b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
@@ -5,7 +5,9 @@ UPSTREAM_CHECK_REGEX = "/${PYPI_PACKAGE}/(?P<pver>(2\.2\.\d*)+)/"
5		5
6	inherit setuptools3	6	inherit setuptools3
7		7
8	SRC_URI += "file://CVE-2023-31047.patch"	8	SRC_URI += "file://CVE-2023-31047.patch \
		9	file://CVE-2023-36053.patch \
		10	"
9		11
10	SRC_URI[sha256sum] = "0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413"	12	SRC_URI[sha256sum] = "0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413"
11		13