2 files changed, 109 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2023-23969.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2023-23969.patch
new file mode 100644
index 0000000000..42e25ad3be
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-django/CVE-2023-23969.patch
@@ -0,0 +1,108 @@
+From c7e0151fdf33e1b11d488b6f67b94fdf3a30614a Mon Sep 17 00:00:00 2001
+From: Nick Pope <nick@nickpope.me.uk>
+Date: Wed, 25 Jan 2023 12:21:48 +0100
+Subject: [PATCH] [3.2.x] Fixed CVE-2023-23969 -- Prevented DoS with
+ pathological values for Accept-Language.
+The parsed values of Accept-Language headers are cached in order to
+avoid repetitive parsing. This leads to a potential denial-of-service
+vector via excessive memory usage if the raw value of Accept-Language
+headers is very large.
+Accept-Language headers are now limited to a maximum length in order
+to avoid this issue.
+CVE: CVE-2023-23969
+Upstream-Status: Backport [https://github.com/django/django/commit/c7e0151fdf33e1b11d488b6f67b94fdf3a30614a]
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ django/utils/translation/trans_real.py | 30 +++++++++++++++++++++++++-
+ tests/i18n/tests.py                    | 12 +++++++++++
+ 2 files changed, 41 insertions(+), 1 deletion(-)
+diff --git a/django/utils/translation/trans_real.py b/django/utils/translation/trans_real.py
+index 486b2b2..7f658cf 100644
+--- a/django/utils/translation/trans_real.py
+++ b/django/utils/translation/trans_real.py
+@@ -29,6 +29,10 @@ _default = None
+ # magic gettext number to separate context from message
+ CONTEXT_SEPARATOR = "\x04"
+# Maximum number of characters that will be parsed from the Accept-Language
+# header to prevent possible denial of service or memory exhaustion attacks.
+ACCEPT_LANGUAGE_HEADER_MAX_LENGTH = 500
+
+ # Format of Accept-Language header values. From RFC 2616, section 14.4 and 3.9
+ # and RFC 3066, section 2.1
+ accept_language_re = re.compile(r'''
+@@ -560,7 +564,7 @@ def get_language_from_request(request, check_path=False):
+ @functools.lru_cache(maxsize=1000)
+-def parse_accept_lang_header(lang_string):
+def _parse_accept_lang_header(lang_string):
+     """
+     Parse the lang_string, which is the body of an HTTP Accept-Language
+     header, and return a tuple of (lang, q-value), ordered by 'q' values.
+@@ -582,3 +586,27 @@ def parse_accept_lang_header(lang_string):
+         result.append((lang, priority))
+     result.sort(key=lambda k: k[1], reverse=True)
+     return tuple(result)
+
+
+def parse_accept_lang_header(lang_string):
+    """
+    Parse the value of the Accept-Language header up to a maximum length.
+
+    The value of the header is truncated to a maximum length to avoid potential
+    denial of service and memory exhaustion attacks. Excessive memory could be
+    used if the raw value is very large as it would be cached due to the use of
+    `functools.lru_cache()` to avoid repetitive parsing of common header values.
+    """
+    # If the header value doesn't exceed the maximum allowed length, parse it.
+    if len(lang_string) <= ACCEPT_LANGUAGE_HEADER_MAX_LENGTH:
+        return _parse_accept_lang_header(lang_string)
+
+    # If there is at least one comma in the value, parse up to the last comma,
+    # skipping any truncated parts at the end of the header value.
+    index = lang_string.rfind(",", 0, ACCEPT_LANGUAGE_HEADER_MAX_LENGTH)
+    if index > 0:
+        return _parse_accept_lang_header(lang_string[:index])
+
+    # Don't attempt to parse if there is only one language-range value which is
+    # longer than the maximum allowed length and so truncated.
+    return ()
+diff --git a/tests/i18n/tests.py b/tests/i18n/tests.py
+index 7381cb9..6efc3a5 100644
+--- a/tests/i18n/tests.py
+++ b/tests/i18n/tests.py
+@@ -1282,6 +1282,14 @@ class MiscTests(SimpleTestCase):
+             ('de;q=0.', [('de', 0.0)]),
+             ('en; q=1,', [('en', 1.0)]),
+             ('en; q=1.0, * ; q=0.5', [('en', 1.0), ('*', 0.5)]),
+            (
+                'en' + '-x' * 20,
+                [('en-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x', 1.0)],
+            ),
+            (
+                ', '.join(['en; q=1.0'] * 20),
+                [('en', 1.0)] * 20,
+            ),
+             # Bad headers
+             ('en-gb;q=1.0000', []),
+             ('en;q=0.1234', []),
+@@ -1297,6 +1305,10 @@ class MiscTests(SimpleTestCase):
+             ('12-345', []),
+             ('', []),
+             ('en;q=1e0', []),
+            # Invalid as language-range value too long.
+            ('xxxxxxxx' + '-xxxxxxxx' * 500, []),
+            # Header value too long, only parse up to limit.
+            (', '.join(['en; q=1.0'] * 500), [('en', 1.0)] * 45),
+         ]
+         for value, expected in tests:
+             with self.subTest(value=value):
+--
+2.40.0
diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
index f082de9d72..d8fc147f19 100644
--- a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
+++ b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
@@ -13,6 +13,7 @@ SRC_URI += "file://CVE-2023-31047.patch \
            file://CVE-2024-24680.patch \
            file://CVE-2024-42005.patch \
            file://CVE-2024-38875.patch \
+            file://CVE-2023-23969.patch \
           "
 SRC_URI[sha256sum] = "0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413"

diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2023-23969.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2023-23969.patch new file mode 100644 index 0000000000..42e25ad3be --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django/CVE-2023-23969.patch
@@ -0,0 +1,108 @@
		1	From c7e0151fdf33e1b11d488b6f67b94fdf3a30614a Mon Sep 17 00:00:00 2001
		2	From: Nick Pope <nick@nickpope.me.uk>
		3	Date: Wed, 25 Jan 2023 12:21:48 +0100
		4	Subject: [PATCH] [3.2.x] Fixed CVE-2023-23969 -- Prevented DoS with
		5	pathological values for Accept-Language.
		6
		7	The parsed values of Accept-Language headers are cached in order to
		8	avoid repetitive parsing. This leads to a potential denial-of-service
		9	vector via excessive memory usage if the raw value of Accept-Language
		10	headers is very large.
		11
		12	Accept-Language headers are now limited to a maximum length in order
		13	to avoid this issue.
		14
		15	CVE: CVE-2023-23969
		16
		17	Upstream-Status: Backport [https://github.com/django/django/commit/c7e0151fdf33e1b11d488b6f67b94fdf3a30614a]
		18
		19	Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
		20	---
		21	django/utils/translation/trans_real.py \| 30 +++++++++++++++++++++++++-
		22	tests/i18n/tests.py \| 12 +++++++++++
		23	2 files changed, 41 insertions(+), 1 deletion(-)
		24
		25	diff --git a/django/utils/translation/trans_real.py b/django/utils/translation/trans_real.py
		26	index 486b2b2..7f658cf 100644
		27	--- a/django/utils/translation/trans_real.py
		28	+++ b/django/utils/translation/trans_real.py
		29	@@ -29,6 +29,10 @@ _default = None
		30	# magic gettext number to separate context from message
		31	CONTEXT_SEPARATOR = "\x04"
		32
		33	+# Maximum number of characters that will be parsed from the Accept-Language
		34	+# header to prevent possible denial of service or memory exhaustion attacks.
		35	+ACCEPT_LANGUAGE_HEADER_MAX_LENGTH = 500
		36	+
		37	# Format of Accept-Language header values. From RFC 2616, section 14.4 and 3.9
		38	# and RFC 3066, section 2.1
		39	accept_language_re = re.compile(r'''
		40	@@ -560,7 +564,7 @@ def get_language_from_request(request, check_path=False):
		41
		42
		43	@functools.lru_cache(maxsize=1000)
		44	-def parse_accept_lang_header(lang_string):
		45	+def _parse_accept_lang_header(lang_string):
		46	"""
		47	Parse the lang_string, which is the body of an HTTP Accept-Language
		48	header, and return a tuple of (lang, q-value), ordered by 'q' values.
		49	@@ -582,3 +586,27 @@ def parse_accept_lang_header(lang_string):
		50	result.append((lang, priority))
		51	result.sort(key=lambda k: k[1], reverse=True)
		52	return tuple(result)
		53	+
		54	+
		55	+def parse_accept_lang_header(lang_string):
		56	+ """
		57	+ Parse the value of the Accept-Language header up to a maximum length.
		58	+
		59	+ The value of the header is truncated to a maximum length to avoid potential
		60	+ denial of service and memory exhaustion attacks. Excessive memory could be
		61	+ used if the raw value is very large as it would be cached due to the use of
		62	+ `functools.lru_cache()` to avoid repetitive parsing of common header values.
		63	+ """
		64	+ # If the header value doesn't exceed the maximum allowed length, parse it.
		65	+ if len(lang_string) <= ACCEPT_LANGUAGE_HEADER_MAX_LENGTH:
		66	+ return _parse_accept_lang_header(lang_string)
		67	+
		68	+ # If there is at least one comma in the value, parse up to the last comma,
		69	+ # skipping any truncated parts at the end of the header value.
		70	+ index = lang_string.rfind(",", 0, ACCEPT_LANGUAGE_HEADER_MAX_LENGTH)
		71	+ if index > 0:
		72	+ return _parse_accept_lang_header(lang_string[:index])
		73	+
		74	+ # Don't attempt to parse if there is only one language-range value which is
		75	+ # longer than the maximum allowed length and so truncated.
		76	+ return ()
		77	diff --git a/tests/i18n/tests.py b/tests/i18n/tests.py
		78	index 7381cb9..6efc3a5 100644
		79	--- a/tests/i18n/tests.py
		80	+++ b/tests/i18n/tests.py
		81	@@ -1282,6 +1282,14 @@ class MiscTests(SimpleTestCase):
		82	('de;q=0.', [('de', 0.0)]),
		83	('en; q=1,', [('en', 1.0)]),
		84	('en; q=1.0, * ; q=0.5', [('en', 1.0), ('*', 0.5)]),
		85	+ (
		86	+ 'en' + '-x' * 20,
		87	+ [('en-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x', 1.0)],
		88	+ ),
		89	+ (
		90	+ ', '.join(['en; q=1.0'] * 20),
		91	+ [('en', 1.0)] * 20,
		92	+ ),
		93	# Bad headers
		94	('en-gb;q=1.0000', []),
		95	('en;q=0.1234', []),
		96	@@ -1297,6 +1305,10 @@ class MiscTests(SimpleTestCase):
		97	('12-345', []),
		98	('', []),
		99	('en;q=1e0', []),
		100	+ # Invalid as language-range value too long.
		101	+ ('xxxxxxxx' + '-xxxxxxxx' * 500, []),
		102	+ # Header value too long, only parse up to limit.
		103	+ (', '.join(['en; q=1.0'] * 500), [('en', 1.0)] * 45),
		104	]
		105	for value, expected in tests:
		106	with self.subTest(value=value):
		107	--
		108	2.40.0


diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb index f082de9d72..d8fc147f19 100644 --- a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb +++ b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
@@ -13,6 +13,7 @@ SRC_URI += "file://CVE-2023-31047.patch \
13	file://CVE-2024-24680.patch \	13	file://CVE-2024-24680.patch \
14	file://CVE-2024-42005.patch \	14	file://CVE-2024-42005.patch \
15	file://CVE-2024-38875.patch \	15	file://CVE-2024-38875.patch \
		16	file://CVE-2023-23969.patch \
16	"	17	"
17		18
18	SRC_URI[sha256sum] = "0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413"	19	SRC_URI[sha256sum] = "0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413"