1 files changed, 120 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2024-45231.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2024-45231.patch
new file mode 100644
index 0000000000..2a0925ea9f
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-django/CVE-2024-45231.patch
@@ -0,0 +1,120 @@
+From bf4888d317ba4506d091eeac6e8b4f1fcc731199 Mon Sep 17 00:00:00 2001
+From: Natalia <124304+nessita@users.noreply.github.com>
+Date: Mon, 19 Aug 2024 14:47:38 -0300
+Subject: [PATCH] [4.2.x] Fixed CVE-2024-45231 -- Avoided server error on
+ password reset when email sending fails.
+On successful submission of a password reset request, an email is sent
+to the accounts known to the system. If sending this email fails (due to
+email backend misconfiguration, service provider outage, network issues,
+etc.), an attacker might exploit this by detecting which password reset
+requests succeed and which ones generate a 500 error response.
+Thanks to Thibaut Spriet for the report, and to Mariusz Felisiak, Adam
+Johnson, and Sarah Boyce for the reviews.
+CVE: CVE-2024-45231
+Upstream-Status: Backport [https://github.com/django/django/commit/bf4888d317ba4506d091eeac6e8b4f1fcc731199]
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ django/contrib/auth/forms.py   |  9 ++++++++-
+ docs/topics/auth/default.txt   |  4 +++-
+ tests/auth_tests/test_forms.py | 21 +++++++++++++++++++++
+ tests/mail/custombackend.py    |  5 +++++
+ 4 files changed, 37 insertions(+), 2 deletions(-)
+diff --git a/django/contrib/auth/forms.py b/django/contrib/auth/forms.py
+index 26d3ca7..dc640a5 100644
+--- a/django/contrib/auth/forms.py
+++ b/django/contrib/auth/forms.py
+@@ -1,3 +1,4 @@
+import logging
+ import unicodedata
+ from django import forms
+@@ -18,6 +19,7 @@ from django.utils.text import capfirst
+ from django.utils.translation import gettext, gettext_lazy as _
+ UserModel = get_user_model()
+logger = logging.getLogger("django.contrib.auth")
+ def _unicode_ci_compare(s1, s2):
+@@ -264,7 +266,12 @@ class PasswordResetForm(forms.Form):
+             html_email = loader.render_to_string(html_email_template_name, context)
+             email_message.attach_alternative(html_email, 'text/html')
+-        email_message.send()
+        try:
+            email_message.send()
+        except Exception:
+            logger.exception(
+                "Failed to send password reset email to %s", context["user"].pk
+            )
+     def get_users(self, email):
+         """Given an email, return matching user(s) who should receive a reset.
+diff --git a/docs/topics/auth/default.txt b/docs/topics/auth/default.txt
+index 1af4951..6fdf700 100644
+--- a/docs/topics/auth/default.txt
+++ b/docs/topics/auth/default.txt
+@@ -1530,7 +1530,9 @@ provides several built-in forms located in :mod:`django.contrib.auth.forms`:
+     .. method:: send_mail(subject_template_name, email_template_name, context, from_email, to_email, html_email_template_name=None)
+         Uses the arguments to send an ``EmailMultiAlternatives``.
+-        Can be overridden to customize how the email is sent to the user.
+        Can be overridden to customize how the email is sent to the user. If
+        you choose to override this method, be mindful of handling potential
+        exceptions raised due to email sending failures.
+         :param subject_template_name: the template for the subject.
+         :param email_template_name: the template for the email body.
+diff --git a/tests/auth_tests/test_forms.py b/tests/auth_tests/test_forms.py
+index e73d4b8..a45fd70 100644
+--- a/tests/auth_tests/test_forms.py
+++ b/tests/auth_tests/test_forms.py
+@@ -935,6 +935,27 @@ class PasswordResetFormTest(TestDataMixin, TestCase):
+             message.get_payload(1).get_payload()
+         ))
+    @override_settings(EMAIL_BACKEND="mail.custombackend.FailingEmailBackend")
+    def test_save_send_email_exceptions_are_catched_and_logged(self):
+        (user, username, email) = self.create_dummy_user()
+        form = PasswordResetForm({"email": email})
+        self.assertTrue(form.is_valid())
+
+        with self.assertLogs("django.contrib.auth", level=0) as cm:
+            form.save()
+
+        self.assertEqual(len(mail.outbox), 0)
+        self.assertEqual(len(cm.output), 1)
+        errors = cm.output[0].split("\n")
+        pk = user.pk
+        self.assertEqual(
+            errors[0],
+            f"ERROR:django.contrib.auth:Failed to send password reset email to {pk}",
+        )
+        self.assertEqual(
+            errors[-1], "ValueError: FailingEmailBackend is doomed to fail."
+        )
+
+     @override_settings(AUTH_USER_MODEL='auth_tests.CustomEmailField')
+     def test_custom_email_field(self):
+         email = 'test@mail.com'
+diff --git a/tests/mail/custombackend.py b/tests/mail/custombackend.py
+index fd57777..3e161d1 100644
+--- a/tests/mail/custombackend.py
+++ b/tests/mail/custombackend.py
+@@ -13,3 +13,8 @@ class EmailBackend(BaseEmailBackend):
+         # Messages are stored in an instance variable for testing.
+         self.test_outbox.extend(email_messages)
+         return len(email_messages)
+
+
+class FailingEmailBackend(BaseEmailBackend):
+    def send_messages(self, email_messages):
+        raise ValueError("FailingEmailBackend is doomed to fail.")
+--
+2.40.0

diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2024-45231.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2024-45231.patch new file mode 100644 index 0000000000..2a0925ea9f --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django/CVE-2024-45231.patch
@@ -0,0 +1,120 @@
	1	From bf4888d317ba4506d091eeac6e8b4f1fcc731199 Mon Sep 17 00:00:00 2001
	2	From: Natalia <124304+nessita@users.noreply.github.com>
	3	Date: Mon, 19 Aug 2024 14:47:38 -0300
	4	Subject: [PATCH] [4.2.x] Fixed CVE-2024-45231 -- Avoided server error on
	5	password reset when email sending fails.
	6
	7	On successful submission of a password reset request, an email is sent
	8	to the accounts known to the system. If sending this email fails (due to
	9	email backend misconfiguration, service provider outage, network issues,
	10	etc.), an attacker might exploit this by detecting which password reset
	11	requests succeed and which ones generate a 500 error response.
	12
	13	Thanks to Thibaut Spriet for the report, and to Mariusz Felisiak, Adam
	14	Johnson, and Sarah Boyce for the reviews.
	15
	16	CVE: CVE-2024-45231
	17
	18	Upstream-Status: Backport [https://github.com/django/django/commit/bf4888d317ba4506d091eeac6e8b4f1fcc731199]
	19
	20	Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
	21	---
	22	django/contrib/auth/forms.py \| 9 ++++++++-
	23	docs/topics/auth/default.txt \| 4 +++-
	24	tests/auth_tests/test_forms.py \| 21 +++++++++++++++++++++
	25	tests/mail/custombackend.py \| 5 +++++
	26	4 files changed, 37 insertions(+), 2 deletions(-)
	27
	28	diff --git a/django/contrib/auth/forms.py b/django/contrib/auth/forms.py
	29	index 26d3ca7..dc640a5 100644
	30	--- a/django/contrib/auth/forms.py
	31	+++ b/django/contrib/auth/forms.py
	32	@@ -1,3 +1,4 @@
	33	+import logging
	34	import unicodedata
	35
	36	from django import forms
	37	@@ -18,6 +19,7 @@ from django.utils.text import capfirst
	38	from django.utils.translation import gettext, gettext_lazy as _
	39
	40	UserModel = get_user_model()
	41	+logger = logging.getLogger("django.contrib.auth")
	42
	43
	44	def _unicode_ci_compare(s1, s2):
	45	@@ -264,7 +266,12 @@ class PasswordResetForm(forms.Form):
	46	html_email = loader.render_to_string(html_email_template_name, context)
	47	email_message.attach_alternative(html_email, 'text/html')
	48
	49	- email_message.send()
	50	+ try:
	51	+ email_message.send()
	52	+ except Exception:
	53	+ logger.exception(
	54	+ "Failed to send password reset email to %s", context["user"].pk
	55	+ )
	56
	57	def get_users(self, email):
	58	"""Given an email, return matching user(s) who should receive a reset.
	59	diff --git a/docs/topics/auth/default.txt b/docs/topics/auth/default.txt
	60	index 1af4951..6fdf700 100644
	61	--- a/docs/topics/auth/default.txt
	62	+++ b/docs/topics/auth/default.txt
	63	@@ -1530,7 +1530,9 @@ provides several built-in forms located in :mod:`django.contrib.auth.forms`:
	64	.. method:: send_mail(subject_template_name, email_template_name, context, from_email, to_email, html_email_template_name=None)
	65
	66	Uses the arguments to send an ``EmailMultiAlternatives``.
	67	- Can be overridden to customize how the email is sent to the user.
	68	+ Can be overridden to customize how the email is sent to the user. If
	69	+ you choose to override this method, be mindful of handling potential
	70	+ exceptions raised due to email sending failures.
	71
	72	:param subject_template_name: the template for the subject.
	73	:param email_template_name: the template for the email body.
	74	diff --git a/tests/auth_tests/test_forms.py b/tests/auth_tests/test_forms.py
	75	index e73d4b8..a45fd70 100644
	76	--- a/tests/auth_tests/test_forms.py
	77	+++ b/tests/auth_tests/test_forms.py
	78	@@ -935,6 +935,27 @@ class PasswordResetFormTest(TestDataMixin, TestCase):
	79	message.get_payload(1).get_payload()
	80	))
	81
	82	+ @override_settings(EMAIL_BACKEND="mail.custombackend.FailingEmailBackend")
	83	+ def test_save_send_email_exceptions_are_catched_and_logged(self):
	84	+ (user, username, email) = self.create_dummy_user()
	85	+ form = PasswordResetForm({"email": email})
	86	+ self.assertTrue(form.is_valid())
	87	+
	88	+ with self.assertLogs("django.contrib.auth", level=0) as cm:
	89	+ form.save()
	90	+
	91	+ self.assertEqual(len(mail.outbox), 0)
	92	+ self.assertEqual(len(cm.output), 1)
	93	+ errors = cm.output[0].split("\n")
	94	+ pk = user.pk
	95	+ self.assertEqual(
	96	+ errors[0],
	97	+ f"ERROR:django.contrib.auth:Failed to send password reset email to {pk}",
	98	+ )
	99	+ self.assertEqual(
	100	+ errors[-1], "ValueError: FailingEmailBackend is doomed to fail."
	101	+ )
	102	+
	103	@override_settings(AUTH_USER_MODEL='auth_tests.CustomEmailField')
	104	def test_custom_email_field(self):
	105	email = 'test@mail.com'
	106	diff --git a/tests/mail/custombackend.py b/tests/mail/custombackend.py
	107	index fd57777..3e161d1 100644
	108	--- a/tests/mail/custombackend.py
	109	+++ b/tests/mail/custombackend.py
	110	@@ -13,3 +13,8 @@ class EmailBackend(BaseEmailBackend):
	111	# Messages are stored in an instance variable for testing.
	112	self.test_outbox.extend(email_messages)
	113	return len(email_messages)
	114	+
	115	+
	116	+class FailingEmailBackend(BaseEmailBackend):
	117	+ def send_messages(self, email_messages):
	118	+ raise ValueError("FailingEmailBackend is doomed to fail.")
	119	--
	120	2.40.0