python3-django: Fix CVE-2024-53907

An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-53907 Upstream-patch: https://github.com/django/django/commit/790eb058b0716c536a2f2e8d1c6d5079d776c22b Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Soumya Sambu <soumya.sambu@windriver.com> 2025-01-10 13:18:02 +0000
committer: Armin Kuster <akuster808@gmail.com> 2025-01-22 19:23:09 -0500
commit: 954acdcf1b7306654dc4aba36a2c423d64ee5a80 (patch)
tree: b578ac15e489dd609e31592f15ce5359503c0037 /meta-python
parent: be168328f84eef8007cc8e3f9c2e08c59b036b9d (diff)
download: meta-openembedded-954acdcf1b7306654dc4aba36a2c423d64ee5a80.tar.gz
2 files changed, 93 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2024-53907.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2024-53907.patch
new file mode 100644
index 0000000000..5a6af70611
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-django/CVE-2024-53907.patch
@@ -0,0 +1,92 @@
+From 790eb058b0716c536a2f2e8d1c6d5079d776c22b Mon Sep 17 00:00:00 2001
+From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
+Date: Wed, 13 Nov 2024 15:06:23 +0100
+Subject: [PATCH] [4.2.x] Fixed CVE-2024-53907 -- Mitigated potential DoS in
+ strip_tags().
+Thanks to jiangniao for the report, and Shai Berger and Natalia Bidart
+for the reviews.
+CVE: CVE-2024-53907
+Upstream-Status: Backport [https://github.com/django/django/commit/790eb058b0716c536a2f2e8d1c6d5079d776c22b]
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ django/utils/html.py           | 10 ++++++++--
+ tests/utils_tests/test_html.py |  7 +++++++
+ 2 files changed, 15 insertions(+), 2 deletions(-)
+diff --git a/django/utils/html.py b/django/utils/html.py
+index 3cf1bfc..0d5ffd2 100644
+--- a/django/utils/html.py
+++ b/django/utils/html.py
+@@ -8,12 +8,14 @@ from urllib.parse import (
+     parse_qsl, quote, unquote, urlencode, urlsplit, urlunsplit,
+ )
+ 
+from django.core.exceptions import SuspiciousOperation
+ from django.utils.functional import Promise, keep_lazy, keep_lazy_text
+ from django.utils.http import RFC3986_GENDELIMS, RFC3986_SUBDELIMS
+ from django.utils.safestring import SafeData, SafeText, mark_safe
+ from django.utils.text import normalize_newlines
+ 
+ MAX_URL_LENGTH = 2048
+MAX_STRIP_TAGS_DEPTH = 50
+ 
+ # Configuration for urlize() function.
+ TRAILING_PUNCTUATION_CHARS = '.,:;!'
+@@ -185,15 +187,19 @@ def _strip_once(value):
+ @keep_lazy_text
+ def strip_tags(value):
+     """Return the given HTML with all tags stripped."""
+-    # Note: in typical case this loop executes _strip_once once. Loop condition
+-    # is redundant, but helps to reduce number of executions of _strip_once.
+     value = str(value)
+    # Note: in typical case this loop executes _strip_once twice (the second
+    # execution does not remove any more tags).
+    strip_tags_depth = 0
+     while '<' in value and '>' in value:
+        if strip_tags_depth >= MAX_STRIP_TAGS_DEPTH:
+            raise SuspiciousOperation
+         new_value = _strip_once(value)
+         if value.count('<') == new_value.count('<'):
+             # _strip_once wasn't able to detect more tags.
+             break
+         value = new_value
+        strip_tags_depth += 1
+     return value
+ 
+ 
+diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
+index 8fe2f24..2f412e1 100644
+--- a/tests/utils_tests/test_html.py
+++ b/tests/utils_tests/test_html.py
+@@ -1,6 +1,7 @@
+ import os
+ from datetime import datetime
+ 
+from django.core.exceptions import SuspiciousOperation
+ from django.test import SimpleTestCase
+ from django.utils.functional import lazystr
+ from django.utils.html import (
+@@ -90,12 +91,18 @@ class TestUtilsHtml(SimpleTestCase):
+             ('<script>alert()</script>&h', 'alert()h'),
+             ('><!' + ('&' * 16000) + 'D', '><!' + ('&' * 16000) + 'D'),
+             ('X<<<<br>br>br>br>X', 'XX'),
+            ("<" * 50 + "a>" * 50, ""),
+         )
+         for value, output in items:
+             with self.subTest(value=value, output=output):
+                 self.check_output(strip_tags, value, output)
+                 self.check_output(strip_tags, lazystr(value), output)
+ 
+    def test_strip_tags_suspicious_operation(self):
+        value = "<" * 51 + "a>" * 51, "<a>"
+        with self.assertRaises(SuspiciousOperation):
+            strip_tags(value)
+
+     def test_strip_tags_files(self):
+         # Test with more lengthy content (also catching performance regressions)
+         for filename in ('strip_tags1.html', 'strip_tags2.txt'):
diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
index 4444d943cf..0478fd3883 100644
--- a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
+++ b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
@@ -23,6 +23,7 @@ SRC_URI += "file://CVE-2023-31047.patch \
            file://CVE-2024-41991.patch \
            file://CVE-2024-45230.patch \
            file://CVE-2024-45231.patch \
+            file://CVE-2024-53907.patch \
           "
 SRC_URI[sha256sum] = "0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413"
author	Soumya Sambu <soumya.sambu@windriver.com>	2025-01-10 13:18:02 +0000
committer	Armin Kuster <akuster808@gmail.com>	2025-01-22 19:23:09 -0500
commit	954acdcf1b7306654dc4aba36a2c423d64ee5a80 (patch)
tree	b578ac15e489dd609e31592f15ce5359503c0037 /meta-python
parent	be168328f84eef8007cc8e3f9c2e08c59b036b9d (diff)
download	meta-openembedded-954acdcf1b7306654dc4aba36a2c423d64ee5a80.tar.gz

diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2024-53907.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2024-53907.patch new file mode 100644 index 0000000000..5a6af70611 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django/CVE-2024-53907.patch
@@ -0,0 +1,92 @@
		1	From 790eb058b0716c536a2f2e8d1c6d5079d776c22b Mon Sep 17 00:00:00 2001
		2	From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
		3	Date: Wed, 13 Nov 2024 15:06:23 +0100
		4	Subject: [PATCH] [4.2.x] Fixed CVE-2024-53907 -- Mitigated potential DoS in
		5	strip_tags().
		6
		7	Thanks to jiangniao for the report, and Shai Berger and Natalia Bidart
		8	for the reviews.
		9
		10	CVE: CVE-2024-53907
		11
		12	Upstream-Status: Backport [https://github.com/django/django/commit/790eb058b0716c536a2f2e8d1c6d5079d776c22b]
		13
		14	Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
		15
		16	---
		17	django/utils/html.py \| 10 ++++++++--
		18	tests/utils_tests/test_html.py \| 7 +++++++
		19	2 files changed, 15 insertions(+), 2 deletions(-)
		20
		21	diff --git a/django/utils/html.py b/django/utils/html.py
		22	index 3cf1bfc..0d5ffd2 100644
		23	--- a/django/utils/html.py
		24	+++ b/django/utils/html.py
		25	@@ -8,12 +8,14 @@ from urllib.parse import (
		26	parse_qsl, quote, unquote, urlencode, urlsplit, urlunsplit,
		27	)
		28
		29	+from django.core.exceptions import SuspiciousOperation
		30	from django.utils.functional import Promise, keep_lazy, keep_lazy_text
		31	from django.utils.http import RFC3986_GENDELIMS, RFC3986_SUBDELIMS
		32	from django.utils.safestring import SafeData, SafeText, mark_safe
		33	from django.utils.text import normalize_newlines
		34
		35	MAX_URL_LENGTH = 2048
		36	+MAX_STRIP_TAGS_DEPTH = 50
		37
		38	# Configuration for urlize() function.
		39	TRAILING_PUNCTUATION_CHARS = '.,:;!'
		40	@@ -185,15 +187,19 @@ def _strip_once(value):
		41	@keep_lazy_text
		42	def strip_tags(value):
		43	"""Return the given HTML with all tags stripped."""
		44	- # Note: in typical case this loop executes _strip_once once. Loop condition
		45	- # is redundant, but helps to reduce number of executions of _strip_once.
		46	value = str(value)
		47	+ # Note: in typical case this loop executes _strip_once twice (the second
		48	+ # execution does not remove any more tags).
		49	+ strip_tags_depth = 0
		50	while '<' in value and '>' in value:
		51	+ if strip_tags_depth >= MAX_STRIP_TAGS_DEPTH:
		52	+ raise SuspiciousOperation
		53	new_value = _strip_once(value)
		54	if value.count('<') == new_value.count('<'):
		55	# _strip_once wasn't able to detect more tags.
		56	break
		57	value = new_value
		58	+ strip_tags_depth += 1
		59	return value
		60
		61
		62	diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
		63	index 8fe2f24..2f412e1 100644
		64	--- a/tests/utils_tests/test_html.py
		65	+++ b/tests/utils_tests/test_html.py
		66	@@ -1,6 +1,7 @@
		67	import os
		68	from datetime import datetime
		69
		70	+from django.core.exceptions import SuspiciousOperation
		71	from django.test import SimpleTestCase
		72	from django.utils.functional import lazystr
		73	from django.utils.html import (
		74	@@ -90,12 +91,18 @@ class TestUtilsHtml(SimpleTestCase):
		75	('<script>alert()</script>&h', 'alert()h'),
		76	('><!' + ('&' * 16000) + 'D', '><!' + ('&' * 16000) + 'D'),
		77	('X<<<<br>br>br>br>X', 'XX'),
		78	+ ("<" * 50 + "a>" * 50, ""),
		79	)
		80	for value, output in items:
		81	with self.subTest(value=value, output=output):
		82	self.check_output(strip_tags, value, output)
		83	self.check_output(strip_tags, lazystr(value), output)
		84
		85	+ def test_strip_tags_suspicious_operation(self):
		86	+ value = "<" * 51 + "a>" * 51, "<a>"
		87	+ with self.assertRaises(SuspiciousOperation):
		88	+ strip_tags(value)
		89	+
		90	def test_strip_tags_files(self):
		91	# Test with more lengthy content (also catching performance regressions)
		92	for filename in ('strip_tags1.html', 'strip_tags2.txt'):


diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb index 4444d943cf..0478fd3883 100644 --- a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb +++ b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
@@ -23,6 +23,7 @@ SRC_URI += "file://CVE-2023-31047.patch \
23	file://CVE-2024-41991.patch \	23	file://CVE-2024-41991.patch \
24	file://CVE-2024-45230.patch \	24	file://CVE-2024-45230.patch \
25	file://CVE-2024-45231.patch \	25	file://CVE-2024-45231.patch \
		26	file://CVE-2024-53907.patch \
26	"	27	"
27		28
28	SRC_URI[sha256sum] = "0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413"	29	SRC_URI[sha256sum] = "0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413"