1 files changed, 90 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2023-46695.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2023-46695.patch
new file mode 100644
index 0000000000..b7dda41f8f
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-django/CVE-2023-46695.patch
@@ -0,0 +1,90 @@
+From 32bc7fa517be1d50239827520cc13f3112d3d748 Mon Sep 17 00:00:00 2001
+From: Mariusz Felisiak <felisiak.mariusz@gmail.com>
+Date: Wed, 29 Nov 2023 12:49:41 +0000
+Subject: [PATCH 2/2] Fixed CVE-2023-46695 -- Fixed potential DoS in
+ UsernameField on Windows.
+Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
+CVE: CVE-2023-46695
+Upstream-Status: Backport [https://github.com/django/django/commit/f9a7fb8466a7ba4857eaf930099b5258f3eafb2b]
+Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
+---
+ django/contrib/auth/forms.py   | 10 +++++++++-
+ docs/releases/2.2.28.txt       | 14 ++++++++++++++
+ tests/auth_tests/test_forms.py |  8 +++++++-
+ 3 files changed, 30 insertions(+), 2 deletions(-)
+diff --git a/django/contrib/auth/forms.py b/django/contrib/auth/forms.py
+index e6f73fe..26d3ca7 100644
+--- a/django/contrib/auth/forms.py
+++ b/django/contrib/auth/forms.py
+@@ -68,7 +68,15 @@ class ReadOnlyPasswordHashField(forms.Field):
+ class UsernameField(forms.CharField):
+     def to_python(self, value):
+-        return unicodedata.normalize('NFKC', super().to_python(value))
+        value = super().to_python(value)
+        if self.max_length is not None and len(value) > self.max_length:
+            # Normalization can increase the string length (e.g.
+            # "ﬀ" -> "ff", "½" -> "1⁄2") but cannot reduce it, so there is no
+            # point in normalizing invalid data. Moreover, Unicode
+            # normalization is very slow on Windows and can be a DoS attack
+            # vector.
+            return value
+        return unicodedata.normalize("NFKC", value)
+ class UserCreationForm(forms.ModelForm):
+diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt
+index 6a38e9c..c653cb6 100644
+--- a/docs/releases/2.2.28.txt
+++ b/docs/releases/2.2.28.txt
+@@ -76,3 +76,17 @@ filters, which were thus also vulnerable.
+ The input processed by ``Truncator``, when operating in HTML mode, has been
+ limited to the first five million characters in order to avoid potential
+ performance and memory issues.
+
+Backporting the CVE-2023-46695 fix on Django 2.2.28.
+
+CVE-2023-46695: Potential denial of service vulnerability in ``UsernameField`` on Windows
+=========================================================================================
+
+The :func:`NFKC normalization <python:unicodedata.normalize>` is slow on
+Windows. As a consequence, ``django.contrib.auth.forms.UsernameField`` was
+subject to a potential denial of service attack via certain inputs with a very
+large number of Unicode characters.
+
+In order to avoid the vulnerability, invalid values longer than
+``UsernameField.max_length`` are no longer normalized, since they cannot pass
+validation anyway.
+diff --git a/tests/auth_tests/test_forms.py b/tests/auth_tests/test_forms.py
+index bed23af..e73d4b8 100644
+--- a/tests/auth_tests/test_forms.py
+++ b/tests/auth_tests/test_forms.py
+@@ -6,7 +6,7 @@ from django import forms
+ from django.contrib.auth.forms import (
+     AdminPasswordChangeForm, AuthenticationForm, PasswordChangeForm,
+     PasswordResetForm, ReadOnlyPasswordHashField, ReadOnlyPasswordHashWidget,
+-    SetPasswordForm, UserChangeForm, UserCreationForm,
+    SetPasswordForm, UserChangeForm, UserCreationForm, UsernameField,
+ )
+ from django.contrib.auth.models import User
+ from django.contrib.auth.signals import user_login_failed
+@@ -132,6 +132,12 @@ class UserCreationFormTest(TestDataMixin, TestCase):
+         self.assertNotEqual(user.username, ohm_username)
+         self.assertEqual(user.username, 'testΩ')  # U+03A9 GREEK CAPITAL LETTER OMEGA
+    def test_invalid_username_no_normalize(self):
+        field = UsernameField(max_length=254)
+        # Usernames are not normalized if they are too long.
+        self.assertEqual(field.to_python("½" * 255), "½" * 255)
+        self.assertEqual(field.to_python("ﬀ" * 254), "ff" * 254)
+
+     def test_duplicate_normalized_unicode(self):
+         """
+         To prevent almost identical usernames, visually identical but differing
+--
+2.40.0

diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2023-46695.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2023-46695.patch new file mode 100644 index 0000000000..b7dda41f8f --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django/CVE-2023-46695.patch
@@ -0,0 +1,90 @@
	1	From 32bc7fa517be1d50239827520cc13f3112d3d748 Mon Sep 17 00:00:00 2001
	2	From: Mariusz Felisiak <felisiak.mariusz@gmail.com>
	3	Date: Wed, 29 Nov 2023 12:49:41 +0000
	4	Subject: [PATCH 2/2] Fixed CVE-2023-46695 -- Fixed potential DoS in
	5	UsernameField on Windows.
	6
	7	Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
	8
	9	CVE: CVE-2023-46695
	10
	11	Upstream-Status: Backport [https://github.com/django/django/commit/f9a7fb8466a7ba4857eaf930099b5258f3eafb2b]
	12
	13	Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
	14	---
	15	django/contrib/auth/forms.py \| 10 +++++++++-
	16	docs/releases/2.2.28.txt \| 14 ++++++++++++++
	17	tests/auth_tests/test_forms.py \| 8 +++++++-
	18	3 files changed, 30 insertions(+), 2 deletions(-)
	19
	20	diff --git a/django/contrib/auth/forms.py b/django/contrib/auth/forms.py
	21	index e6f73fe..26d3ca7 100644
	22	--- a/django/contrib/auth/forms.py
	23	+++ b/django/contrib/auth/forms.py
	24	@@ -68,7 +68,15 @@ class ReadOnlyPasswordHashField(forms.Field):
	25
	26	class UsernameField(forms.CharField):
	27	def to_python(self, value):
	28	- return unicodedata.normalize('NFKC', super().to_python(value))
	29	+ value = super().to_python(value)
	30	+ if self.max_length is not None and len(value) > self.max_length:
	31	+ # Normalization can increase the string length (e.g.
	32	+ # "ﬀ" -> "ff", "½" -> "1⁄2") but cannot reduce it, so there is no
	33	+ # point in normalizing invalid data. Moreover, Unicode
	34	+ # normalization is very slow on Windows and can be a DoS attack
	35	+ # vector.
	36	+ return value
	37	+ return unicodedata.normalize("NFKC", value)
	38
	39
	40	class UserCreationForm(forms.ModelForm):
	41	diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt
	42	index 6a38e9c..c653cb6 100644
	43	--- a/docs/releases/2.2.28.txt
	44	+++ b/docs/releases/2.2.28.txt
	45	@@ -76,3 +76,17 @@ filters, which were thus also vulnerable.
	46	The input processed by ``Truncator``, when operating in HTML mode, has been
	47	limited to the first five million characters in order to avoid potential
	48	performance and memory issues.
	49	+
	50	+Backporting the CVE-2023-46695 fix on Django 2.2.28.
	51	+
	52	+CVE-2023-46695: Potential denial of service vulnerability in ``UsernameField`` on Windows
	53	+=========================================================================================
	54	+
	55	+The :func:`NFKC normalization <python:unicodedata.normalize>` is slow on
	56	+Windows. As a consequence, ``django.contrib.auth.forms.UsernameField`` was
	57	+subject to a potential denial of service attack via certain inputs with a very
	58	+large number of Unicode characters.
	59	+
	60	+In order to avoid the vulnerability, invalid values longer than
	61	+``UsernameField.max_length`` are no longer normalized, since they cannot pass
	62	+validation anyway.
	63	diff --git a/tests/auth_tests/test_forms.py b/tests/auth_tests/test_forms.py
	64	index bed23af..e73d4b8 100644
	65	--- a/tests/auth_tests/test_forms.py
	66	+++ b/tests/auth_tests/test_forms.py
	67	@@ -6,7 +6,7 @@ from django import forms
	68	from django.contrib.auth.forms import (
	69	AdminPasswordChangeForm, AuthenticationForm, PasswordChangeForm,
	70	PasswordResetForm, ReadOnlyPasswordHashField, ReadOnlyPasswordHashWidget,
	71	- SetPasswordForm, UserChangeForm, UserCreationForm,
	72	+ SetPasswordForm, UserChangeForm, UserCreationForm, UsernameField,
	73	)
	74	from django.contrib.auth.models import User
	75	from django.contrib.auth.signals import user_login_failed
	76	@@ -132,6 +132,12 @@ class UserCreationFormTest(TestDataMixin, TestCase):
	77	self.assertNotEqual(user.username, ohm_username)
	78	self.assertEqual(user.username, 'testΩ') # U+03A9 GREEK CAPITAL LETTER OMEGA
	79
	80	+ def test_invalid_username_no_normalize(self):
	81	+ field = UsernameField(max_length=254)
	82	+ # Usernames are not normalized if they are too long.
	83	+ self.assertEqual(field.to_python("½" * 255), "½" * 255)
	84	+ self.assertEqual(field.to_python("ﬀ" * 254), "ff" * 254)
	85	+
	86	def test_duplicate_normalized_unicode(self):
	87	"""
	88	To prevent almost identical usernames, visually identical but differing
	89	--
	90	2.40.0