mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-16 16:27:27 +00:00
python3-django: Fix CVE-2024-39614
An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2.14. get_supported_language_variant() was subject to a potential denial-of-service attack when used with very long strings containing specific characters. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-39614 Upstream-patch: https://github.com/django/django/commit/17358fb35fb7217423d4c4877ccb6d1a3a40b1c3 Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
committed by
Armin Kuster
parent
e13c721bed
commit
91d60c9b0a
@@ -0,0 +1,138 @@
|
|||||||
|
From 17358fb35fb7217423d4c4877ccb6d1a3a40b1c3 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
|
||||||
|
Date: Wed, 26 Jun 2024 12:11:54 +0200
|
||||||
|
Subject: [PATCH] [4.2.x] Fixed CVE-2024-39614 -- Mitigated potential DoS in
|
||||||
|
get_supported_language_variant().
|
||||||
|
|
||||||
|
Language codes are now parsed with a maximum length limit of 500 chars.
|
||||||
|
|
||||||
|
Thanks to MProgrammer for the report.
|
||||||
|
|
||||||
|
CVE: CVE-2024-39614
|
||||||
|
|
||||||
|
Upstream-Status: Backport [https://github.com/django/django/commit/17358fb35fb7217423d4c4877ccb6d1a3a40b1c3]
|
||||||
|
|
||||||
|
Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
|
||||||
|
---
|
||||||
|
django/utils/translation/trans_real.py | 24 ++++++++++++++++++++----
|
||||||
|
docs/ref/utils.txt | 10 ++++++++++
|
||||||
|
tests/i18n/tests.py | 11 +++++++++++
|
||||||
|
3 files changed, 41 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/django/utils/translation/trans_real.py b/django/utils/translation/trans_real.py
|
||||||
|
index 7f658cf..56b4ef1 100644
|
||||||
|
--- a/django/utils/translation/trans_real.py
|
||||||
|
+++ b/django/utils/translation/trans_real.py
|
||||||
|
@@ -30,8 +30,10 @@ _default = None
|
||||||
|
CONTEXT_SEPARATOR = "\x04"
|
||||||
|
|
||||||
|
# Maximum number of characters that will be parsed from the Accept-Language
|
||||||
|
-# header to prevent possible denial of service or memory exhaustion attacks.
|
||||||
|
-ACCEPT_LANGUAGE_HEADER_MAX_LENGTH = 500
|
||||||
|
+# header or cookie to prevent possible denial of service or memory exhaustion
|
||||||
|
+# attacks. About 10x longer than the longest value shown on MDN’s
|
||||||
|
+# Accept-Language page.
|
||||||
|
+LANGUAGE_CODE_MAX_LENGTH = 500
|
||||||
|
|
||||||
|
# Format of Accept-Language header values. From RFC 2616, section 14.4 and 3.9
|
||||||
|
# and RFC 3066, section 2.1
|
||||||
|
@@ -472,11 +474,25 @@ def get_supported_language_variant(lang_code, strict=False):
|
||||||
|
If `strict` is False (the default), look for a country-specific variant
|
||||||
|
when neither the language code nor its generic variant is found.
|
||||||
|
|
||||||
|
+ The language code is truncated to a maximum length to avoid potential
|
||||||
|
+ denial of service attacks.
|
||||||
|
+
|
||||||
|
lru_cache should have a maxsize to prevent from memory exhaustion attacks,
|
||||||
|
as the provided language codes are taken from the HTTP request. See also
|
||||||
|
<https://www.djangoproject.com/weblog/2007/oct/26/security-fix/>.
|
||||||
|
"""
|
||||||
|
if lang_code:
|
||||||
|
+ # Truncate the language code to a maximum length to avoid potential
|
||||||
|
+ # denial of service attacks.
|
||||||
|
+ if len(lang_code) > LANGUAGE_CODE_MAX_LENGTH:
|
||||||
|
+ if (
|
||||||
|
+ not strict
|
||||||
|
+ and (index := lang_code.rfind("-", 0, LANGUAGE_CODE_MAX_LENGTH)) > 0
|
||||||
|
+ ):
|
||||||
|
+ # There is a generic variant under the maximum length accepted length.
|
||||||
|
+ lang_code = lang_code[:index]
|
||||||
|
+ else:
|
||||||
|
+ raise ValueError("'lang_code' exceeds the maximum accepted length")
|
||||||
|
# If 'fr-ca' is not supported, try special fallback or language-only 'fr'.
|
||||||
|
possible_lang_codes = [lang_code]
|
||||||
|
try:
|
||||||
|
@@ -598,12 +614,12 @@ def parse_accept_lang_header(lang_string):
|
||||||
|
`functools.lru_cache()` to avoid repetitive parsing of common header values.
|
||||||
|
"""
|
||||||
|
# If the header value doesn't exceed the maximum allowed length, parse it.
|
||||||
|
- if len(lang_string) <= ACCEPT_LANGUAGE_HEADER_MAX_LENGTH:
|
||||||
|
+ if len(lang_string) <= LANGUAGE_CODE_MAX_LENGTH:
|
||||||
|
return _parse_accept_lang_header(lang_string)
|
||||||
|
|
||||||
|
# If there is at least one comma in the value, parse up to the last comma,
|
||||||
|
# skipping any truncated parts at the end of the header value.
|
||||||
|
- index = lang_string.rfind(",", 0, ACCEPT_LANGUAGE_HEADER_MAX_LENGTH)
|
||||||
|
+ index = lang_string.rfind(",", 0, LANGUAGE_CODE_MAX_LENGTH)
|
||||||
|
if index > 0:
|
||||||
|
return _parse_accept_lang_header(lang_string[:index])
|
||||||
|
|
||||||
|
diff --git a/docs/ref/utils.txt b/docs/ref/utils.txt
|
||||||
|
index 390f167..63a56e5 100644
|
||||||
|
--- a/docs/ref/utils.txt
|
||||||
|
+++ b/docs/ref/utils.txt
|
||||||
|
@@ -1142,6 +1142,11 @@ functions without the ``u``.
|
||||||
|
``lang_code`` is ``'es-ar'`` and ``'es'`` is in :setting:`LANGUAGES` but
|
||||||
|
``'es-ar'`` isn't.
|
||||||
|
|
||||||
|
+ ``lang_code`` has a maximum accepted length of 500 characters. A
|
||||||
|
+ :exc:`ValueError` is raised if ``lang_code`` exceeds this limit and
|
||||||
|
+ ``strict`` is ``True``, or if there is no generic variant and ``strict``
|
||||||
|
+ is ``False``.
|
||||||
|
+
|
||||||
|
If ``strict`` is ``False`` (the default), a country-specific variant may
|
||||||
|
be returned when neither the language code nor its generic variant is found.
|
||||||
|
For example, if only ``'es-co'`` is in :setting:`LANGUAGES`, that's
|
||||||
|
@@ -1150,6 +1155,11 @@ functions without the ``u``.
|
||||||
|
|
||||||
|
Raises :exc:`LookupError` if nothing is found.
|
||||||
|
|
||||||
|
+ .. versionchanged:: 4.2.14
|
||||||
|
+
|
||||||
|
+ In older versions, ``lang_code`` values over 500 characters were
|
||||||
|
+ processed without raising a :exc:`ValueError`.
|
||||||
|
+
|
||||||
|
.. function:: to_locale(language)
|
||||||
|
|
||||||
|
Turns a language name (en-us) into a locale name (en_US).
|
||||||
|
diff --git a/tests/i18n/tests.py b/tests/i18n/tests.py
|
||||||
|
index 6efc3a5..0e93395 100644
|
||||||
|
--- a/tests/i18n/tests.py
|
||||||
|
+++ b/tests/i18n/tests.py
|
||||||
|
@@ -39,6 +39,7 @@ from django.utils.translation import (
|
||||||
|
from django.utils.translation.reloader import (
|
||||||
|
translation_file_changed, watch_for_translation_changes,
|
||||||
|
)
|
||||||
|
+from django.utils.translation.trans_real import LANGUAGE_CODE_MAX_LENGTH
|
||||||
|
|
||||||
|
from .forms import CompanyForm, I18nForm, SelectDateForm
|
||||||
|
from .models import Company, TestModel
|
||||||
|
@@ -1462,6 +1463,16 @@ class MiscTests(SimpleTestCase):
|
||||||
|
g('xyz')
|
||||||
|
with self.assertRaises(LookupError):
|
||||||
|
g('xy-zz')
|
||||||
|
+ msg = "'lang_code' exceeds the maximum accepted length"
|
||||||
|
+ with self.assertRaises(LookupError):
|
||||||
|
+ g("x" * LANGUAGE_CODE_MAX_LENGTH)
|
||||||
|
+ with self.assertRaisesMessage(ValueError, msg):
|
||||||
|
+ g("x" * (LANGUAGE_CODE_MAX_LENGTH + 1))
|
||||||
|
+ # 167 * 3 = 501 which is LANGUAGE_CODE_MAX_LENGTH + 1.
|
||||||
|
+ self.assertEqual(g("en-" * 167), "en")
|
||||||
|
+ with self.assertRaisesMessage(ValueError, msg):
|
||||||
|
+ g("en-" * 167, strict=True)
|
||||||
|
+ self.assertEqual(g("en-" * 30000), "en") # catastrophic test
|
||||||
|
|
||||||
|
def test_get_supported_language_variant_null(self):
|
||||||
|
g = trans_null.get_supported_language_variant
|
||||||
|
--
|
||||||
|
2.40.0
|
||||||
@@ -14,6 +14,7 @@ SRC_URI += "file://CVE-2023-31047.patch \
|
|||||||
file://CVE-2024-42005.patch \
|
file://CVE-2024-42005.patch \
|
||||||
file://CVE-2024-38875.patch \
|
file://CVE-2024-38875.patch \
|
||||||
file://CVE-2023-23969.patch \
|
file://CVE-2023-23969.patch \
|
||||||
|
file://CVE-2024-39614.patch \
|
||||||
"
|
"
|
||||||
|
|
||||||
SRC_URI[sha256sum] = "0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413"
|
SRC_URI[sha256sum] = "0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413"
|
||||||
|
|||||||
Reference in New Issue
Block a user