python3-django: (v3.2.25) fix ipv6 validation

This patch is only for python3-django_3.2.25. The URL validator didn't detect invalid IPv6 addresses, treating them as correct ones, making a testcase fail. (Also, according to the comment, it could also crash in some cases, though I haven't encountered that) This backported patch mitigates this behavior. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
author: Gyorgy Sarvari <skandigraun@gmail.com> 2026-01-15 13:24:34 +0100
committer: Gyorgy Sarvari <skandigraun@gmail.com> 2026-01-17 13:45:38 +0100
commit: 08466c714f4419eba5247a2215a9ae0c7ebb3d99 (patch)
tree: aa1568e7cf1d351d5d2736627acb01ad36b90fca /meta-python
parent: 62927185fe7591c9a2596647f36f19cc6a4607ef (diff)
download: meta-openembedded-08466c714f4419eba5247a2215a9ae0c7ebb3d99.tar.gz
2 files changed, 57 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-django-3.2.25/0001-Fixed-33367-Fixed-URLValidator-crash-in-some-edge-ca.patch b/meta-python/recipes-devtools/python/python3-django-3.2.25/0001-Fixed-33367-Fixed-URLValidator-crash-in-some-edge-ca.patch
new file mode 100644
index 0000000000..24ed73e9b5
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-django-3.2.25/0001-Fixed-33367-Fixed-URLValidator-crash-in-some-edge-ca.patch
@@ -0,0 +1,56 @@
+From 065b10e2757af671f3e64f0c8714e6f2e4eca727 Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Wed, 15 Dec 2021 11:55:19 -0300
+Subject: [PATCH] Fixed #33367 -- Fixed URLValidator crash in some edge cases.
+From: mendespedro <windowsxpedro@gmail.com>
+Upstream-Status: Backport [https://github.com/django/django/commit/e8b4feddc34ffe5759ec21da8fa027e86e653f1c]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ django/core/validators.py | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+diff --git a/django/core/validators.py b/django/core/validators.py
+index 94cc3bf..03cd9b8 100644
+--- a/django/core/validators.py
+++ b/django/core/validators.py
+@@ -111,15 +111,16 @@ class URLValidator(RegexValidator):
+             raise ValidationError(self.message, code=self.code, params={'value': value})
+ 
+         # Then check full URL
+        try:
+            splitted_url = urlsplit(value)
+        except ValueError:
+            raise ValidationError(self.message, code=self.code, params={'value': value})
+         try:
+             super().__call__(value)
+         except ValidationError as e:
+             # Trivial case failed. Try for possible IDN domain
+             if value:
+-                try:
+-                    scheme, netloc, path, query, fragment = urlsplit(value)
+-                except ValueError:  # for example, "Invalid IPv6 URL"
+-                    raise ValidationError(self.message, code=self.code, params={'value': value})
+                scheme, netloc, path, query, fragment = splitted_url
+                 try:
+                     netloc = punycode(netloc)  # IDN -> ACE
+                 except UnicodeError:  # invalid domain part
+@@ -130,7 +131,7 @@ class URLValidator(RegexValidator):
+                 raise
+         else:
+             # Now verify IPv6 in the netloc part
+-            host_match = re.search(r'^\[(.+)\](?::\d{2,5})?$', urlsplit(value).netloc)
+            host_match = re.search(r'^\[(.+)\](?::\d{2,5})?$', splitted_url.netloc)
+             if host_match:
+                 potential_ip = host_match[1]
+                 try:
+@@ -142,7 +143,7 @@ class URLValidator(RegexValidator):
+         # section 3.1. It's defined to be 255 bytes or less, but this includes
+         # one byte for the length of the name and one byte for the trailing dot
+         # that's used to indicate absolute names in DNS.
+-        if len(urlsplit(value).hostname) > 253:
+        if splitted_url.hostname is None or len(splitted_url.hostname) > 253:
+             raise ValidationError(self.message, code=self.code, params={'value': value})
+ 
+ 
diff --git a/meta-python/recipes-devtools/python/python3-django_3.2.25.bb b/meta-python/recipes-devtools/python/python3-django_3.2.25.bb
index 68b60a784e..15ee178115 100644
--- a/meta-python/recipes-devtools/python/python3-django_3.2.25.bb
+++ b/meta-python/recipes-devtools/python/python3-django_3.2.25.bb
@@ -15,6 +15,7 @@ SRC_URI += "\
       file://CVE-2024-41991.patch \
       file://CVE-2024-53907.patch \
       file://CVE-2025-32873.patch \
+       file://0001-Fixed-33367-Fixed-URLValidator-crash-in-some-edge-ca.patch \
 "
 # Set DEFAULT_PREFERENCE so that the LTS version of django is built by
author	Gyorgy Sarvari <skandigraun@gmail.com>	2026-01-15 13:24:34 +0100
committer	Gyorgy Sarvari <skandigraun@gmail.com>	2026-01-17 13:45:38 +0100
commit	08466c714f4419eba5247a2215a9ae0c7ebb3d99 (patch)
tree	aa1568e7cf1d351d5d2736627acb01ad36b90fca /meta-python
parent	62927185fe7591c9a2596647f36f19cc6a4607ef (diff)
download	meta-openembedded-08466c714f4419eba5247a2215a9ae0c7ebb3d99.tar.gz

diff --git a/meta-python/recipes-devtools/python/python3-django-3.2.25/0001-Fixed-33367-Fixed-URLValidator-crash-in-some-edge-ca.patch b/meta-python/recipes-devtools/python/python3-django-3.2.25/0001-Fixed-33367-Fixed-URLValidator-crash-in-some-edge-ca.patch new file mode 100644 index 0000000000..24ed73e9b5 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django-3.2.25/0001-Fixed-33367-Fixed-URLValidator-crash-in-some-edge-ca.patch
@@ -0,0 +1,56 @@
		1	From 065b10e2757af671f3e64f0c8714e6f2e4eca727 Mon Sep 17 00:00:00 2001
		2	From: Gyorgy Sarvari <skandigraun@gmail.com>
		3	Date: Wed, 15 Dec 2021 11:55:19 -0300
		4	Subject: [PATCH] Fixed #33367 -- Fixed URLValidator crash in some edge cases.
		5
		6	From: mendespedro <windowsxpedro@gmail.com>
		7
		8	Upstream-Status: Backport [https://github.com/django/django/commit/e8b4feddc34ffe5759ec21da8fa027e86e653f1c]
		9	Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
		10	---
		11	django/core/validators.py \| 14 ++++++++------
		12	1 file changed, 8 insertions(+), 6 deletions(-)
		13
		14	diff --git a/django/core/validators.py b/django/core/validators.py
		15	index 94cc3bf..03cd9b8 100644
		16	--- a/django/core/validators.py
		17	+++ b/django/core/validators.py
		18	@@ -111,15 +111,16 @@ class URLValidator(RegexValidator):
		19	raise ValidationError(self.message, code=self.code, params={'value': value})
		20
		21	# Then check full URL
		22	+ try:
		23	+ splitted_url = urlsplit(value)
		24	+ except ValueError:
		25	+ raise ValidationError(self.message, code=self.code, params={'value': value})
		26	try:
		27	super().__call__(value)
		28	except ValidationError as e:
		29	# Trivial case failed. Try for possible IDN domain
		30	if value:
		31	- try:
		32	- scheme, netloc, path, query, fragment = urlsplit(value)
		33	- except ValueError: # for example, "Invalid IPv6 URL"
		34	- raise ValidationError(self.message, code=self.code, params={'value': value})
		35	+ scheme, netloc, path, query, fragment = splitted_url
		36	try:
		37	netloc = punycode(netloc) # IDN -> ACE
		38	except UnicodeError: # invalid domain part
		39	@@ -130,7 +131,7 @@ class URLValidator(RegexValidator):
		40	raise
		41	else:
		42	# Now verify IPv6 in the netloc part
		43	- host_match = re.search(r'^\[(.+)\](?::\d{2,5})?$', urlsplit(value).netloc)
		44	+ host_match = re.search(r'^\[(.+)\](?::\d{2,5})?$', splitted_url.netloc)
		45	if host_match:
		46	potential_ip = host_match[1]
		47	try:
		48	@@ -142,7 +143,7 @@ class URLValidator(RegexValidator):
		49	# section 3.1. It's defined to be 255 bytes or less, but this includes
		50	# one byte for the length of the name and one byte for the trailing dot
		51	# that's used to indicate absolute names in DNS.
		52	- if len(urlsplit(value).hostname) > 253:
		53	+ if splitted_url.hostname is None or len(splitted_url.hostname) > 253:
		54	raise ValidationError(self.message, code=self.code, params={'value': value})
		55
		56


diff --git a/meta-python/recipes-devtools/python/python3-django_3.2.25.bb b/meta-python/recipes-devtools/python/python3-django_3.2.25.bb index 68b60a784e..15ee178115 100644 --- a/meta-python/recipes-devtools/python/python3-django_3.2.25.bb +++ b/meta-python/recipes-devtools/python/python3-django_3.2.25.bb
@@ -15,6 +15,7 @@ SRC_URI += "\
15	file://CVE-2024-41991.patch \	15	file://CVE-2024-41991.patch \
16	file://CVE-2024-53907.patch \	16	file://CVE-2024-53907.patch \
17	file://CVE-2025-32873.patch \	17	file://CVE-2025-32873.patch \
		18	file://0001-Fixed-33367-Fixed-URLValidator-crash-in-some-edge-ca.patch \
18	"	19	"
19		20
20	# Set DEFAULT_PREFERENCE so that the LTS version of django is built by	21	# Set DEFAULT_PREFERENCE so that the LTS version of django is built by