3 files changed, 291 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2023-43665.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2023-43665.patch
new file mode 100644
index 0000000000..dbfb9b68a8
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-django/CVE-2023-43665.patch
@@ -0,0 +1,199 @@
+From b269a0063e9b10a6c88c92b24d1b92c7421950de Mon Sep 17 00:00:00 2001
+From: Natalia <124304+nessita@users.noreply.github.com>
+Date: Wed, 29 Nov 2023 12:20:01 +0000
+Subject: [PATCH 1/2] Fixed CVE-2023-43665 -- Mitigated potential DoS in
+ django.utils.text.Truncator when truncating HTML text.
+Thanks Wenchao Li of Alibaba Group for the report.
+CVE: CVE-2023-43665
+Upstream-Status: Backport [https://github.com/django/django/commit/ccdade1a0262537868d7ca64374de3d957ca50c5]
+Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
+---
+ django/utils/text.py            | 18 ++++++++++++++++-
+ docs/ref/templates/builtins.txt | 20 +++++++++++++++++++
+ docs/releases/2.2.28.txt        | 20 +++++++++++++++++++
+ tests/utils_tests/test_text.py  | 35 ++++++++++++++++++++++++---------
+ 4 files changed, 83 insertions(+), 10 deletions(-)
+diff --git a/django/utils/text.py b/django/utils/text.py
+index 1fae7b2..06a377b 100644
+--- a/django/utils/text.py
+++ b/django/utils/text.py
+@@ -57,7 +57,14 @@ def wrap(text, width):
+ class Truncator(SimpleLazyObject):
+     """
+     An object used to truncate text, either by characters or words.
+
+    When truncating HTML text (either chars or words), input will be limited to
+    at most `MAX_LENGTH_HTML` characters.
+     """
+
+    # 5 million characters are approximately 4000 text pages or 3 web pages.
+    MAX_LENGTH_HTML = 5_000_000
+
+     def __init__(self, text):
+         super().__init__(lambda: str(text))
+@@ -154,6 +161,11 @@ class Truncator(SimpleLazyObject):
+         if words and length <= 0:
+             return ''
+        size_limited = False
+        if len(text) > self.MAX_LENGTH_HTML:
+            text = text[: self.MAX_LENGTH_HTML]
+            size_limited = True
+
+         html4_singlets = (
+             'br', 'col', 'link', 'base', 'img',
+             'param', 'area', 'hr', 'input'
+@@ -203,10 +215,14 @@ class Truncator(SimpleLazyObject):
+                 # Add it to the start of the open tags list
+                 open_tags.insert(0, tagname)
+        truncate_text = self.add_truncation_text("", truncate)
+
+         if current_len <= length:
+            if size_limited and truncate_text:
+                text += truncate_text
+             return text
+
+         out = text[:end_text_pos]
+-        truncate_text = self.add_truncation_text('', truncate)
+         if truncate_text:
+             out += truncate_text
+         # Close any tags still open
+diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt
+index c4b0fa3..4faab38 100644
+--- a/docs/ref/templates/builtins.txt
+++ b/docs/ref/templates/builtins.txt
+@@ -2318,6 +2318,16 @@ If ``value`` is ``"<p>Joel is a slug</p>"``, the output will be
+ Newlines in the HTML content will be preserved.
+.. admonition:: Size of input string
+
+    Processing large, potentially malformed HTML strings can be
+    resource-intensive and impact service performance. ``truncatechars_html``
+    limits input to the first five million characters.
+
+.. versionchanged:: 2.2.28
+
+    In older versions, strings over five million characters were processed.
+
+ .. templatefilter:: truncatewords
+ ``truncatewords``
+@@ -2356,6 +2366,16 @@ If ``value`` is ``"<p>Joel is a slug</p>"``, the output will be
+ Newlines in the HTML content will be preserved.
+.. admonition:: Size of input string
+
+    Processing large, potentially malformed HTML strings can be
+    resource-intensive and impact service performance. ``truncatewords_html``
+    limits input to the first five million characters.
+
+.. versionchanged:: 2.2.28
+
+    In older versions, strings over five million characters were processed.
+
+ .. templatefilter:: unordered_list
+ ``unordered_list``
+diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt
+index 40eb230..6a38e9c 100644
+--- a/docs/releases/2.2.28.txt
+++ b/docs/releases/2.2.28.txt
+@@ -56,3 +56,23 @@ CVE-2023-41164: Potential denial of service vulnerability in ``django.utils.enco
+ ``django.utils.encoding.uri_to_iri()`` was subject to potential denial of
+ service attack via certain inputs with a very large number of Unicode
+ characters.
+
+Backporting the CVE-2023-43665 fix on Django 2.2.28.
+
+CVE-2023-43665: Denial-of-service possibility in ``django.utils.text.Truncator``
+================================================================================
+
+Following the fix for :cve:`2019-14232`, the regular expressions used in the
+implementation of ``django.utils.text.Truncator``'s ``chars()`` and ``words()``
+methods (with ``html=True``) were revised and improved. However, these regular
+expressions still exhibited linear backtracking complexity, so when given a
+very long, potentially malformed HTML input, the evaluation would still be
+slow, leading to a potential denial of service vulnerability.
+
+The ``chars()`` and ``words()`` methods are used to implement the
+:tfilter:`truncatechars_html` and :tfilter:`truncatewords_html` template
+filters, which were thus also vulnerable.
+
+The input processed by ``Truncator``, when operating in HTML mode, has been
+limited to the first five million characters in order to avoid potential
+performance and memory issues.
+diff --git a/tests/utils_tests/test_text.py b/tests/utils_tests/test_text.py
+index 27e440b..cb3063d 100644
+--- a/tests/utils_tests/test_text.py
+++ b/tests/utils_tests/test_text.py
+@@ -1,5 +1,6 @@
+ import json
+ import sys
+from unittest.mock import patch
+ from django.core.exceptions import SuspiciousFileOperation
+ from django.test import SimpleTestCase
+@@ -87,11 +88,17 @@ class TestUtilsText(SimpleTestCase):
+         # lazy strings are handled correctly
+         self.assertEqual(text.Truncator(lazystr('The quick brown fox')).chars(10), 'The quick…')
+-    def test_truncate_chars_html(self):
+    @patch("django.utils.text.Truncator.MAX_LENGTH_HTML", 10_000)
+    def test_truncate_chars_html_size_limit(self):
+        max_len = text.Truncator.MAX_LENGTH_HTML
+        bigger_len = text.Truncator.MAX_LENGTH_HTML + 1
+        valid_html = "<p>Joel is a slug</p>"  # 14 chars
+         perf_test_values = [
+-            (('</a' + '\t' * 50000) + '//>', None),
+-            ('&' * 50000, '&' * 9 + '…'),
+-            ('_X<<<<<<<<<<<>', None),
+            ("</a" + "\t" * (max_len - 6) + "//>", None),
+            ("</p" + "\t" * bigger_len + "//>", "</p" + "\t" * 6 + "…"),
+            ("&" * bigger_len, "&" * 9 + "…"),
+            ("_X<<<<<<<<<<<>", None),
+            (valid_html * bigger_len, "<p>Joel is a…</p>"),  # 10 chars
+         ]
+         for value, expected in perf_test_values:
+             with self.subTest(value=value):
+@@ -149,15 +156,25 @@ class TestUtilsText(SimpleTestCase):
+         truncator = text.Truncator('<p>I &lt;3 python, what about you?</p>')
+         self.assertEqual('<p>I &lt;3 python,…</p>', truncator.words(3, html=True))
+    @patch("django.utils.text.Truncator.MAX_LENGTH_HTML", 10_000)
+    def test_truncate_words_html_size_limit(self):
+        max_len = text.Truncator.MAX_LENGTH_HTML
+        bigger_len = text.Truncator.MAX_LENGTH_HTML + 1
+        valid_html = "<p>Joel is a slug</p>"  # 4 words
+         perf_test_values = [
+-            ('</a' + '\t' * 50000) + '//>',
+-            '&' * 50000,
+-            '_X<<<<<<<<<<<>',
+            ("</a" + "\t" * (max_len - 6) + "//>", None),
+            ("</p" + "\t" * bigger_len + "//>", "</p" + "\t" * (max_len - 3) + "…"),
+            ("&" * max_len, None),  # no change
+            ("&" * bigger_len, "&" * max_len + "…"),
+            ("_X<<<<<<<<<<<>", None),
+            (valid_html * bigger_len, valid_html * 12 + "<p>Joel is…</p>"),  # 50 words
+         ]
+-        for value in perf_test_values:
+        for value, expected in perf_test_values:
+             with self.subTest(value=value):
+                 truncator = text.Truncator(value)
+-                self.assertEqual(value, truncator.words(50, html=True))
+                self.assertEqual(
+                    expected if expected else value, truncator.words(50, html=True)
+                )
+     def test_wrap(self):
+         digits = '1234 67 9'
+--
+2.40.0
diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2023-46695.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2023-46695.patch
new file mode 100644
index 0000000000..b7dda41f8f
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-django/CVE-2023-46695.patch
@@ -0,0 +1,90 @@
+From 32bc7fa517be1d50239827520cc13f3112d3d748 Mon Sep 17 00:00:00 2001
+From: Mariusz Felisiak <felisiak.mariusz@gmail.com>
+Date: Wed, 29 Nov 2023 12:49:41 +0000
+Subject: [PATCH 2/2] Fixed CVE-2023-46695 -- Fixed potential DoS in
+ UsernameField on Windows.
+Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
+CVE: CVE-2023-46695
+Upstream-Status: Backport [https://github.com/django/django/commit/f9a7fb8466a7ba4857eaf930099b5258f3eafb2b]
+Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
+---
+ django/contrib/auth/forms.py   | 10 +++++++++-
+ docs/releases/2.2.28.txt       | 14 ++++++++++++++
+ tests/auth_tests/test_forms.py |  8 +++++++-
+ 3 files changed, 30 insertions(+), 2 deletions(-)
+diff --git a/django/contrib/auth/forms.py b/django/contrib/auth/forms.py
+index e6f73fe..26d3ca7 100644
+--- a/django/contrib/auth/forms.py
+++ b/django/contrib/auth/forms.py
+@@ -68,7 +68,15 @@ class ReadOnlyPasswordHashField(forms.Field):
+ class UsernameField(forms.CharField):
+     def to_python(self, value):
+-        return unicodedata.normalize('NFKC', super().to_python(value))
+        value = super().to_python(value)
+        if self.max_length is not None and len(value) > self.max_length:
+            # Normalization can increase the string length (e.g.
+            # "ﬀ" -> "ff", "½" -> "1⁄2") but cannot reduce it, so there is no
+            # point in normalizing invalid data. Moreover, Unicode
+            # normalization is very slow on Windows and can be a DoS attack
+            # vector.
+            return value
+        return unicodedata.normalize("NFKC", value)
+ class UserCreationForm(forms.ModelForm):
+diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt
+index 6a38e9c..c653cb6 100644
+--- a/docs/releases/2.2.28.txt
+++ b/docs/releases/2.2.28.txt
+@@ -76,3 +76,17 @@ filters, which were thus also vulnerable.
+ The input processed by ``Truncator``, when operating in HTML mode, has been
+ limited to the first five million characters in order to avoid potential
+ performance and memory issues.
+
+Backporting the CVE-2023-46695 fix on Django 2.2.28.
+
+CVE-2023-46695: Potential denial of service vulnerability in ``UsernameField`` on Windows
+=========================================================================================
+
+The :func:`NFKC normalization <python:unicodedata.normalize>` is slow on
+Windows. As a consequence, ``django.contrib.auth.forms.UsernameField`` was
+subject to a potential denial of service attack via certain inputs with a very
+large number of Unicode characters.
+
+In order to avoid the vulnerability, invalid values longer than
+``UsernameField.max_length`` are no longer normalized, since they cannot pass
+validation anyway.
+diff --git a/tests/auth_tests/test_forms.py b/tests/auth_tests/test_forms.py
+index bed23af..e73d4b8 100644
+--- a/tests/auth_tests/test_forms.py
+++ b/tests/auth_tests/test_forms.py
+@@ -6,7 +6,7 @@ from django import forms
+ from django.contrib.auth.forms import (
+     AdminPasswordChangeForm, AuthenticationForm, PasswordChangeForm,
+     PasswordResetForm, ReadOnlyPasswordHashField, ReadOnlyPasswordHashWidget,
+-    SetPasswordForm, UserChangeForm, UserCreationForm,
+    SetPasswordForm, UserChangeForm, UserCreationForm, UsernameField,
+ )
+ from django.contrib.auth.models import User
+ from django.contrib.auth.signals import user_login_failed
+@@ -132,6 +132,12 @@ class UserCreationFormTest(TestDataMixin, TestCase):
+         self.assertNotEqual(user.username, ohm_username)
+         self.assertEqual(user.username, 'testΩ')  # U+03A9 GREEK CAPITAL LETTER OMEGA
+    def test_invalid_username_no_normalize(self):
+        field = UsernameField(max_length=254)
+        # Usernames are not normalized if they are too long.
+        self.assertEqual(field.to_python("½" * 255), "½" * 255)
+        self.assertEqual(field.to_python("ﬀ" * 254), "ff" * 254)
+
+     def test_duplicate_normalized_unicode(self):
+         """
+         To prevent almost identical usernames, visually identical but differing
+--
+2.40.0
diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
index c35323f455..8c955e6bd8 100644
--- a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
+++ b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
@@ -8,6 +8,8 @@ inherit setuptools3
 SRC_URI += "file://CVE-2023-31047.patch \
            file://CVE-2023-36053.patch \
            file://CVE-2023-41164.patch \
+            file://CVE-2023-43665.patch \
+            file://CVE-2023-46695.patch \
           "
 SRC_URI[sha256sum] = "0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413"

diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2023-43665.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2023-43665.patch new file mode 100644 index 0000000000..dbfb9b68a8 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django/CVE-2023-43665.patch
@@ -0,0 +1,199 @@
		1	From b269a0063e9b10a6c88c92b24d1b92c7421950de Mon Sep 17 00:00:00 2001
		2	From: Natalia <124304+nessita@users.noreply.github.com>
		3	Date: Wed, 29 Nov 2023 12:20:01 +0000
		4	Subject: [PATCH 1/2] Fixed CVE-2023-43665 -- Mitigated potential DoS in
		5	django.utils.text.Truncator when truncating HTML text.
		6
		7	Thanks Wenchao Li of Alibaba Group for the report.
		8
		9	CVE: CVE-2023-43665
		10
		11	Upstream-Status: Backport [https://github.com/django/django/commit/ccdade1a0262537868d7ca64374de3d957ca50c5]
		12
		13	Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
		14	---
		15	django/utils/text.py \| 18 ++++++++++++++++-
		16	docs/ref/templates/builtins.txt \| 20 +++++++++++++++++++
		17	docs/releases/2.2.28.txt \| 20 +++++++++++++++++++
		18	tests/utils_tests/test_text.py \| 35 ++++++++++++++++++++++++---------
		19	4 files changed, 83 insertions(+), 10 deletions(-)
		20
		21	diff --git a/django/utils/text.py b/django/utils/text.py
		22	index 1fae7b2..06a377b 100644
		23	--- a/django/utils/text.py
		24	+++ b/django/utils/text.py
		25	@@ -57,7 +57,14 @@ def wrap(text, width):
		26	class Truncator(SimpleLazyObject):
		27	"""
		28	An object used to truncate text, either by characters or words.
		29	+
		30	+ When truncating HTML text (either chars or words), input will be limited to
		31	+ at most `MAX_LENGTH_HTML` characters.
		32	"""
		33	+
		34	+ # 5 million characters are approximately 4000 text pages or 3 web pages.
		35	+ MAX_LENGTH_HTML = 5_000_000
		36	+
		37	def __init__(self, text):
		38	super().__init__(lambda: str(text))
		39
		40	@@ -154,6 +161,11 @@ class Truncator(SimpleLazyObject):
		41	if words and length <= 0:
		42	return ''
		43
		44	+ size_limited = False
		45	+ if len(text) > self.MAX_LENGTH_HTML:
		46	+ text = text[: self.MAX_LENGTH_HTML]
		47	+ size_limited = True
		48	+
		49	html4_singlets = (
		50	'br', 'col', 'link', 'base', 'img',
		51	'param', 'area', 'hr', 'input'
		52	@@ -203,10 +215,14 @@ class Truncator(SimpleLazyObject):
		53	# Add it to the start of the open tags list
		54	open_tags.insert(0, tagname)
		55
		56	+ truncate_text = self.add_truncation_text("", truncate)
		57	+
		58	if current_len <= length:
		59	+ if size_limited and truncate_text:
		60	+ text += truncate_text
		61	return text
		62	+
		63	out = text[:end_text_pos]
		64	- truncate_text = self.add_truncation_text('', truncate)
		65	if truncate_text:
		66	out += truncate_text
		67	# Close any tags still open
		68	diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt
		69	index c4b0fa3..4faab38 100644
		70	--- a/docs/ref/templates/builtins.txt
		71	+++ b/docs/ref/templates/builtins.txt
		72	@@ -2318,6 +2318,16 @@ If ``value`` is ``"<p>Joel is a slug</p>"``, the output will be
		73
		74	Newlines in the HTML content will be preserved.
		75
		76	+.. admonition:: Size of input string
		77	+
		78	+ Processing large, potentially malformed HTML strings can be
		79	+ resource-intensive and impact service performance. ``truncatechars_html``
		80	+ limits input to the first five million characters.
		81	+
		82	+.. versionchanged:: 2.2.28
		83	+
		84	+ In older versions, strings over five million characters were processed.
		85	+
		86	.. templatefilter:: truncatewords
		87
		88	``truncatewords``
		89	@@ -2356,6 +2366,16 @@ If ``value`` is ``"<p>Joel is a slug</p>"``, the output will be
		90
		91	Newlines in the HTML content will be preserved.
		92
		93	+.. admonition:: Size of input string
		94	+
		95	+ Processing large, potentially malformed HTML strings can be
		96	+ resource-intensive and impact service performance. ``truncatewords_html``
		97	+ limits input to the first five million characters.
		98	+
		99	+.. versionchanged:: 2.2.28
		100	+
		101	+ In older versions, strings over five million characters were processed.
		102	+
		103	.. templatefilter:: unordered_list
		104
		105	``unordered_list``
		106	diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt
		107	index 40eb230..6a38e9c 100644
		108	--- a/docs/releases/2.2.28.txt
		109	+++ b/docs/releases/2.2.28.txt
		110	@@ -56,3 +56,23 @@ CVE-2023-41164: Potential denial of service vulnerability in ``django.utils.enco
		111	``django.utils.encoding.uri_to_iri()`` was subject to potential denial of
		112	service attack via certain inputs with a very large number of Unicode
		113	characters.
		114	+
		115	+Backporting the CVE-2023-43665 fix on Django 2.2.28.
		116	+
		117	+CVE-2023-43665: Denial-of-service possibility in ``django.utils.text.Truncator``
		118	+================================================================================
		119	+
		120	+Following the fix for :cve:`2019-14232`, the regular expressions used in the
		121	+implementation of ``django.utils.text.Truncator``'s ``chars()`` and ``words()``
		122	+methods (with ``html=True``) were revised and improved. However, these regular
		123	+expressions still exhibited linear backtracking complexity, so when given a
		124	+very long, potentially malformed HTML input, the evaluation would still be
		125	+slow, leading to a potential denial of service vulnerability.
		126	+
		127	+The ``chars()`` and ``words()`` methods are used to implement the
		128	+:tfilter:`truncatechars_html` and :tfilter:`truncatewords_html` template
		129	+filters, which were thus also vulnerable.
		130	+
		131	+The input processed by ``Truncator``, when operating in HTML mode, has been
		132	+limited to the first five million characters in order to avoid potential
		133	+performance and memory issues.
		134	diff --git a/tests/utils_tests/test_text.py b/tests/utils_tests/test_text.py
		135	index 27e440b..cb3063d 100644
		136	--- a/tests/utils_tests/test_text.py
		137	+++ b/tests/utils_tests/test_text.py
		138	@@ -1,5 +1,6 @@
		139	import json
		140	import sys
		141	+from unittest.mock import patch
		142
		143	from django.core.exceptions import SuspiciousFileOperation
		144	from django.test import SimpleTestCase
		145	@@ -87,11 +88,17 @@ class TestUtilsText(SimpleTestCase):
		146	# lazy strings are handled correctly
		147	self.assertEqual(text.Truncator(lazystr('The quick brown fox')).chars(10), 'The quick…')
		148
		149	- def test_truncate_chars_html(self):
		150	+ @patch("django.utils.text.Truncator.MAX_LENGTH_HTML", 10_000)
		151	+ def test_truncate_chars_html_size_limit(self):
		152	+ max_len = text.Truncator.MAX_LENGTH_HTML
		153	+ bigger_len = text.Truncator.MAX_LENGTH_HTML + 1
		154	+ valid_html = "<p>Joel is a slug</p>" # 14 chars
		155	perf_test_values = [
		156	- (('</a' + '\t' * 50000) + '//>', None),
		157	- ('&' * 50000, '&' * 9 + '…'),
		158	- ('_X<<<<<<<<<<<>', None),
		159	+ ("</a" + "\t" * (max_len - 6) + "//>", None),
		160	+ ("</p" + "\t" * bigger_len + "//>", "</p" + "\t" * 6 + "…"),
		161	+ ("&" * bigger_len, "&" * 9 + "…"),
		162	+ ("_X<<<<<<<<<<<>", None),
		163	+ (valid_html * bigger_len, "<p>Joel is a…</p>"), # 10 chars
		164	]
		165	for value, expected in perf_test_values:
		166	with self.subTest(value=value):
		167	@@ -149,15 +156,25 @@ class TestUtilsText(SimpleTestCase):
		168	truncator = text.Truncator('<p>I <3 python, what about you?</p>')
		169	self.assertEqual('<p>I <3 python,…</p>', truncator.words(3, html=True))
		170
		171	+ @patch("django.utils.text.Truncator.MAX_LENGTH_HTML", 10_000)
		172	+ def test_truncate_words_html_size_limit(self):
		173	+ max_len = text.Truncator.MAX_LENGTH_HTML
		174	+ bigger_len = text.Truncator.MAX_LENGTH_HTML + 1
		175	+ valid_html = "<p>Joel is a slug</p>" # 4 words
		176	perf_test_values = [
		177	- ('</a' + '\t' * 50000) + '//>',
		178	- '&' * 50000,
		179	- '_X<<<<<<<<<<<>',
		180	+ ("</a" + "\t" * (max_len - 6) + "//>", None),
		181	+ ("</p" + "\t" * bigger_len + "//>", "</p" + "\t" * (max_len - 3) + "…"),
		182	+ ("&" * max_len, None), # no change
		183	+ ("&" * bigger_len, "&" * max_len + "…"),
		184	+ ("_X<<<<<<<<<<<>", None),
		185	+ (valid_html * bigger_len, valid_html * 12 + "<p>Joel is…</p>"), # 50 words
		186	]
		187	- for value in perf_test_values:
		188	+ for value, expected in perf_test_values:
		189	with self.subTest(value=value):
		190	truncator = text.Truncator(value)
		191	- self.assertEqual(value, truncator.words(50, html=True))
		192	+ self.assertEqual(
		193	+ expected if expected else value, truncator.words(50, html=True)
		194	+ )
		195
		196	def test_wrap(self):
		197	digits = '1234 67 9'
		198	--
		199	2.40.0


diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2023-46695.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2023-46695.patch new file mode 100644 index 0000000000..b7dda41f8f --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django/CVE-2023-46695.patch
@@ -0,0 +1,90 @@
		1	From 32bc7fa517be1d50239827520cc13f3112d3d748 Mon Sep 17 00:00:00 2001
		2	From: Mariusz Felisiak <felisiak.mariusz@gmail.com>
		3	Date: Wed, 29 Nov 2023 12:49:41 +0000
		4	Subject: [PATCH 2/2] Fixed CVE-2023-46695 -- Fixed potential DoS in
		5	UsernameField on Windows.
		6
		7	Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
		8
		9	CVE: CVE-2023-46695
		10
		11	Upstream-Status: Backport [https://github.com/django/django/commit/f9a7fb8466a7ba4857eaf930099b5258f3eafb2b]
		12
		13	Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
		14	---
		15	django/contrib/auth/forms.py \| 10 +++++++++-
		16	docs/releases/2.2.28.txt \| 14 ++++++++++++++
		17	tests/auth_tests/test_forms.py \| 8 +++++++-
		18	3 files changed, 30 insertions(+), 2 deletions(-)
		19
		20	diff --git a/django/contrib/auth/forms.py b/django/contrib/auth/forms.py
		21	index e6f73fe..26d3ca7 100644
		22	--- a/django/contrib/auth/forms.py
		23	+++ b/django/contrib/auth/forms.py
		24	@@ -68,7 +68,15 @@ class ReadOnlyPasswordHashField(forms.Field):
		25
		26	class UsernameField(forms.CharField):
		27	def to_python(self, value):
		28	- return unicodedata.normalize('NFKC', super().to_python(value))
		29	+ value = super().to_python(value)
		30	+ if self.max_length is not None and len(value) > self.max_length:
		31	+ # Normalization can increase the string length (e.g.
		32	+ # "ﬀ" -> "ff", "½" -> "1⁄2") but cannot reduce it, so there is no
		33	+ # point in normalizing invalid data. Moreover, Unicode
		34	+ # normalization is very slow on Windows and can be a DoS attack
		35	+ # vector.
		36	+ return value
		37	+ return unicodedata.normalize("NFKC", value)
		38
		39
		40	class UserCreationForm(forms.ModelForm):
		41	diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt
		42	index 6a38e9c..c653cb6 100644
		43	--- a/docs/releases/2.2.28.txt
		44	+++ b/docs/releases/2.2.28.txt
		45	@@ -76,3 +76,17 @@ filters, which were thus also vulnerable.
		46	The input processed by ``Truncator``, when operating in HTML mode, has been
		47	limited to the first five million characters in order to avoid potential
		48	performance and memory issues.
		49	+
		50	+Backporting the CVE-2023-46695 fix on Django 2.2.28.
		51	+
		52	+CVE-2023-46695: Potential denial of service vulnerability in ``UsernameField`` on Windows
		53	+=========================================================================================
		54	+
		55	+The :func:`NFKC normalization <python:unicodedata.normalize>` is slow on
		56	+Windows. As a consequence, ``django.contrib.auth.forms.UsernameField`` was
		57	+subject to a potential denial of service attack via certain inputs with a very
		58	+large number of Unicode characters.
		59	+
		60	+In order to avoid the vulnerability, invalid values longer than
		61	+``UsernameField.max_length`` are no longer normalized, since they cannot pass
		62	+validation anyway.
		63	diff --git a/tests/auth_tests/test_forms.py b/tests/auth_tests/test_forms.py
		64	index bed23af..e73d4b8 100644
		65	--- a/tests/auth_tests/test_forms.py
		66	+++ b/tests/auth_tests/test_forms.py
		67	@@ -6,7 +6,7 @@ from django import forms
		68	from django.contrib.auth.forms import (
		69	AdminPasswordChangeForm, AuthenticationForm, PasswordChangeForm,
		70	PasswordResetForm, ReadOnlyPasswordHashField, ReadOnlyPasswordHashWidget,
		71	- SetPasswordForm, UserChangeForm, UserCreationForm,
		72	+ SetPasswordForm, UserChangeForm, UserCreationForm, UsernameField,
		73	)
		74	from django.contrib.auth.models import User
		75	from django.contrib.auth.signals import user_login_failed
		76	@@ -132,6 +132,12 @@ class UserCreationFormTest(TestDataMixin, TestCase):
		77	self.assertNotEqual(user.username, ohm_username)
		78	self.assertEqual(user.username, 'testΩ') # U+03A9 GREEK CAPITAL LETTER OMEGA
		79
		80	+ def test_invalid_username_no_normalize(self):
		81	+ field = UsernameField(max_length=254)
		82	+ # Usernames are not normalized if they are too long.
		83	+ self.assertEqual(field.to_python("½" * 255), "½" * 255)
		84	+ self.assertEqual(field.to_python("ﬀ" * 254), "ff" * 254)
		85	+
		86	def test_duplicate_normalized_unicode(self):
		87	"""
		88	To prevent almost identical usernames, visually identical but differing
		89	--
		90	2.40.0


diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb index c35323f455..8c955e6bd8 100644 --- a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb +++ b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
@@ -8,6 +8,8 @@ inherit setuptools3
8	SRC_URI += "file://CVE-2023-31047.patch \	8	SRC_URI += "file://CVE-2023-31047.patch \
9	file://CVE-2023-36053.patch \	9	file://CVE-2023-36053.patch \
10	file://CVE-2023-41164.patch \	10	file://CVE-2023-41164.patch \
		11	file://CVE-2023-43665.patch \
		12	file://CVE-2023-46695.patch \
11	"	13	"
12		14
13	SRC_URI[sha256sum] = "0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413"	15	SRC_URI[sha256sum] = "0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413"