2 files changed, 125 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-django-3.2.25/CVE-2024-53907.patch b/meta-python/recipes-devtools/python/python3-django-3.2.25/CVE-2024-53907.patch
new file mode 100644
index 0000000000..577f042b0a
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-django-3.2.25/CVE-2024-53907.patch
@@ -0,0 +1,124 @@
+From 790eb058b0716c536a2f2e8d1c6d5079d776c22b Mon Sep 17 00:00:00 2001
+From: Marc Deslauriers <marc.deslauriers@ubuntu.com>
+Date: Wed, 30 Apr 2025 10:34:27 -0400
+Subject: [PATCH] Fixed CVE-2024-53907 -- Mitigated potential DoS in
+ strip_tags().
+Thanks to jiangniao for the report, and Shai Berger and Natalia Bidart
+for the reviews.
+CVE: CVE-2024-53907
+Upstream-Status: Backport
+https://github.com/django/django/commit/790eb058b0716c536a2f2e8d1c6d5079d776c22b
+Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com>
+---
+ django/utils/html.py           | 10 ++++++++--
+ docs/releases/3.2.25.txt       | 16 ++++++++++++++++
+ tests/utils_tests/test_html.py |  7 +++++++
+ 3 files changed, 31 insertions(+), 2 deletions(-)
+diff --git a/django/utils/html.py b/django/utils/html.py
+index 44c6b7b..5887bf1 100644
+--- a/django/utils/html.py
+++ b/django/utils/html.py
+@@ -8,6 +8,7 @@ from urllib.parse import (
+     parse_qsl, quote, unquote, urlencode, urlsplit, urlunsplit,
+ )
+ 
+from django.core.exceptions import SuspiciousOperation
+ from django.utils.encoding import punycode
+ from django.utils.functional import Promise, keep_lazy, keep_lazy_text
+ from django.utils.http import RFC3986_GENDELIMS, RFC3986_SUBDELIMS
+@@ -30,6 +31,7 @@ simple_url_2_re = _lazy_re_compile(
+ )
+ 
+ MAX_URL_LENGTH = 2048
+MAX_STRIP_TAGS_DEPTH = 50
+ 
+ 
+ @keep_lazy(str, SafeString)
+@@ -181,15 +183,19 @@ def _strip_once(value):
+ @keep_lazy_text
+ def strip_tags(value):
+     """Return the given HTML with all tags stripped."""
+-    # Note: in typical case this loop executes _strip_once once. Loop condition
+-    # is redundant, but helps to reduce number of executions of _strip_once.
+     value = str(value)
+    # Note: in typical case this loop executes _strip_once twice (the second
+    # execution does not remove any more tags).
+    strip_tags_depth = 0
+     while '<' in value and '>' in value:
+        if strip_tags_depth >= MAX_STRIP_TAGS_DEPTH:
+            raise SuspiciousOperation
+         new_value = _strip_once(value)
+         if value.count('<') == new_value.count('<'):
+             # _strip_once wasn't able to detect more tags.
+             break
+         value = new_value
+        strip_tags_depth += 1
+     return value
+ 
+ 
+diff --git a/docs/releases/3.2.25.txt b/docs/releases/3.2.25.txt
+index 67dc8a2..f21bb47 100644
+--- a/docs/releases/3.2.25.txt
+++ b/docs/releases/3.2.25.txt
+@@ -66,6 +66,22 @@ CVE-2024-41991: Potential denial-of-service vulnerability in ``django.utils.html
+ subject to a potential denial-of-service attack via certain inputs with a very
+ large number of Unicode characters.
+ 
+CVE-2024-53907: Denial-of-service possibility in ``strip_tags()``
+=================================================================
+
+:func:`~django.utils.html.strip_tags` would be extremely slow to evaluate
+certain inputs containing large sequences of nested incomplete HTML entities.
+The ``strip_tags()`` method is used to implement the corresponding
+:tfilter:`striptags` template filter, which was thus also vulnerable.
+
+``strip_tags()`` now has an upper limit of recursive calls to ``HTMLParser``
+before raising a :exc:`.SuspiciousOperation` exception.
+
+Remember that absolutely NO guarantee is provided about the results of
+``strip_tags()`` being HTML safe. So NEVER mark safe the result of a
+``strip_tags()`` call without escaping it first, for example with
+:func:`django.utils.html.escape`.
+
+ Bugfixes
+ ========
+ 
+diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
+index 93458ac..231f5d8 100644
+--- a/tests/utils_tests/test_html.py
+++ b/tests/utils_tests/test_html.py
+@@ -1,6 +1,7 @@
+ import os
+ from datetime import datetime
+ 
+from django.core.exceptions import SuspiciousOperation
+ from django.test import SimpleTestCase
+ from django.utils.functional import lazystr
+ from django.utils.html import (
+@@ -92,12 +93,18 @@ class TestUtilsHtml(SimpleTestCase):
+             ('<script>alert()</script>&h', 'alert()h'),
+             ('><!' + ('&' * 16000) + 'D', '><!' + ('&' * 16000) + 'D'),
+             ('X<<<<br>br>br>br>X', 'XX'),
+            ("<" * 50 + "a>" * 50, ""),
+         )
+         for value, output in items:
+             with self.subTest(value=value, output=output):
+                 self.check_output(strip_tags, value, output)
+                 self.check_output(strip_tags, lazystr(value), output)
+ 
+    def test_strip_tags_suspicious_operation(self):
+        value = "<" * 51 + "a>" * 51, "<a>"
+        with self.assertRaises(SuspiciousOperation):
+            strip_tags(value)
+
+     def test_strip_tags_files(self):
+         # Test with more lengthy content (also catching performance regressions)
+         for filename in ('strip_tags1.html', 'strip_tags2.txt'):
+-- 
+2.40.0
diff --git a/meta-python/recipes-devtools/python/python3-django_3.2.25.bb b/meta-python/recipes-devtools/python/python3-django_3.2.25.bb
index c5d97ae482..04dbe1cd19 100644
--- a/meta-python/recipes-devtools/python/python3-django_3.2.25.bb
+++ b/meta-python/recipes-devtools/python/python3-django_3.2.25.bb
@@ -13,6 +13,7 @@ SRC_URI += "\
       file://CVE-2024-39329.patch \
       file://CVE-2024-39330.patch \
       file://CVE-2024-41991.patch \
+       file://CVE-2024-53907.patch \
 "
 # Set DEFAULT_PREFERENCE so that the LTS version of django is built by

diff --git a/meta-python/recipes-devtools/python/python3-django-3.2.25/CVE-2024-53907.patch b/meta-python/recipes-devtools/python/python3-django-3.2.25/CVE-2024-53907.patch new file mode 100644 index 0000000000..577f042b0a --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django-3.2.25/CVE-2024-53907.patch
@@ -0,0 +1,124 @@
		1	From 790eb058b0716c536a2f2e8d1c6d5079d776c22b Mon Sep 17 00:00:00 2001
		2	From: Marc Deslauriers <marc.deslauriers@ubuntu.com>
		3	Date: Wed, 30 Apr 2025 10:34:27 -0400
		4	Subject: [PATCH] Fixed CVE-2024-53907 -- Mitigated potential DoS in
		5	strip_tags().
		6
		7	Thanks to jiangniao for the report, and Shai Berger and Natalia Bidart
		8	for the reviews.
		9
		10	CVE: CVE-2024-53907
		11
		12	Upstream-Status: Backport
		13	https://github.com/django/django/commit/790eb058b0716c536a2f2e8d1c6d5079d776c22b
		14
		15	Signed-off-by: Saravanan <saravanan.kadambathursubramaniyam@windriver.com>
		16	---
		17	django/utils/html.py \| 10 ++++++++--
		18	docs/releases/3.2.25.txt \| 16 ++++++++++++++++
		19	tests/utils_tests/test_html.py \| 7 +++++++
		20	3 files changed, 31 insertions(+), 2 deletions(-)
		21
		22	diff --git a/django/utils/html.py b/django/utils/html.py
		23	index 44c6b7b..5887bf1 100644
		24	--- a/django/utils/html.py
		25	+++ b/django/utils/html.py
		26	@@ -8,6 +8,7 @@ from urllib.parse import (
		27	parse_qsl, quote, unquote, urlencode, urlsplit, urlunsplit,
		28	)
		29
		30	+from django.core.exceptions import SuspiciousOperation
		31	from django.utils.encoding import punycode
		32	from django.utils.functional import Promise, keep_lazy, keep_lazy_text
		33	from django.utils.http import RFC3986_GENDELIMS, RFC3986_SUBDELIMS
		34	@@ -30,6 +31,7 @@ simple_url_2_re = _lazy_re_compile(
		35	)
		36
		37	MAX_URL_LENGTH = 2048
		38	+MAX_STRIP_TAGS_DEPTH = 50
		39
		40
		41	@keep_lazy(str, SafeString)
		42	@@ -181,15 +183,19 @@ def _strip_once(value):
		43	@keep_lazy_text
		44	def strip_tags(value):
		45	"""Return the given HTML with all tags stripped."""
		46	- # Note: in typical case this loop executes _strip_once once. Loop condition
		47	- # is redundant, but helps to reduce number of executions of _strip_once.
		48	value = str(value)
		49	+ # Note: in typical case this loop executes _strip_once twice (the second
		50	+ # execution does not remove any more tags).
		51	+ strip_tags_depth = 0
		52	while '<' in value and '>' in value:
		53	+ if strip_tags_depth >= MAX_STRIP_TAGS_DEPTH:
		54	+ raise SuspiciousOperation
		55	new_value = _strip_once(value)
		56	if value.count('<') == new_value.count('<'):
		57	# _strip_once wasn't able to detect more tags.
		58	break
		59	value = new_value
		60	+ strip_tags_depth += 1
		61	return value
		62
		63
		64	diff --git a/docs/releases/3.2.25.txt b/docs/releases/3.2.25.txt
		65	index 67dc8a2..f21bb47 100644
		66	--- a/docs/releases/3.2.25.txt
		67	+++ b/docs/releases/3.2.25.txt
		68	@@ -66,6 +66,22 @@ CVE-2024-41991: Potential denial-of-service vulnerability in ``django.utils.html
		69	subject to a potential denial-of-service attack via certain inputs with a very
		70	large number of Unicode characters.
		71
		72	+CVE-2024-53907: Denial-of-service possibility in ``strip_tags()``
		73	+=================================================================
		74	+
		75	+:func:`~django.utils.html.strip_tags` would be extremely slow to evaluate
		76	+certain inputs containing large sequences of nested incomplete HTML entities.
		77	+The ``strip_tags()`` method is used to implement the corresponding
		78	+:tfilter:`striptags` template filter, which was thus also vulnerable.
		79	+
		80	+``strip_tags()`` now has an upper limit of recursive calls to ``HTMLParser``
		81	+before raising a :exc:`.SuspiciousOperation` exception.
		82	+
		83	+Remember that absolutely NO guarantee is provided about the results of
		84	+``strip_tags()`` being HTML safe. So NEVER mark safe the result of a
		85	+``strip_tags()`` call without escaping it first, for example with
		86	+:func:`django.utils.html.escape`.
		87	+
		88	Bugfixes
		89	========
		90
		91	diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
		92	index 93458ac..231f5d8 100644
		93	--- a/tests/utils_tests/test_html.py
		94	+++ b/tests/utils_tests/test_html.py
		95	@@ -1,6 +1,7 @@
		96	import os
		97	from datetime import datetime
		98
		99	+from django.core.exceptions import SuspiciousOperation
		100	from django.test import SimpleTestCase
		101	from django.utils.functional import lazystr
		102	from django.utils.html import (
		103	@@ -92,12 +93,18 @@ class TestUtilsHtml(SimpleTestCase):
		104	('<script>alert()</script>&h', 'alert()h'),
		105	('><!' + ('&' * 16000) + 'D', '><!' + ('&' * 16000) + 'D'),
		106	('X<<<<br>br>br>br>X', 'XX'),
		107	+ ("<" * 50 + "a>" * 50, ""),
		108	)
		109	for value, output in items:
		110	with self.subTest(value=value, output=output):
		111	self.check_output(strip_tags, value, output)
		112	self.check_output(strip_tags, lazystr(value), output)
		113
		114	+ def test_strip_tags_suspicious_operation(self):
		115	+ value = "<" * 51 + "a>" * 51, "<a>"
		116	+ with self.assertRaises(SuspiciousOperation):
		117	+ strip_tags(value)
		118	+
		119	def test_strip_tags_files(self):
		120	# Test with more lengthy content (also catching performance regressions)
		121	for filename in ('strip_tags1.html', 'strip_tags2.txt'):
		122	--
		123	2.40.0
		124


diff --git a/meta-python/recipes-devtools/python/python3-django_3.2.25.bb b/meta-python/recipes-devtools/python/python3-django_3.2.25.bb index c5d97ae482..04dbe1cd19 100644 --- a/meta-python/recipes-devtools/python/python3-django_3.2.25.bb +++ b/meta-python/recipes-devtools/python/python3-django_3.2.25.bb
@@ -13,6 +13,7 @@ SRC_URI += "\
13	file://CVE-2024-39329.patch \	13	file://CVE-2024-39329.patch \
14	file://CVE-2024-39330.patch \	14	file://CVE-2024-39330.patch \
15	file://CVE-2024-41991.patch \	15	file://CVE-2024-41991.patch \
		16	file://CVE-2024-53907.patch \
16	"	17	"
17		18
18	# Set DEFAULT_PREFERENCE so that the LTS version of django is built by	19	# Set DEFAULT_PREFERENCE so that the LTS version of django is built by