From 3f41d6d62929dfe53eda8109b3b836f26645bdce Mon Sep 17 00:00:00 2001 From: Mariusz Felisiak Date: Tue, 22 Aug 2023 08:53:03 +0200 Subject: [PATCH] Fixed CVE-2023-41164 -- Fixed potential DoS in django.utils.encoding.uri_to_iri(). Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report. Co-authored-by: nessita <124304+nessita@users.noreply.github.com> --- django/utils/encoding.py | 6 ++++-- docs/releases/3.2.21.txt | 7 ++++++- docs/releases/4.1.11.txt | 7 ++++++- docs/releases/4.2.5.txt | 7 +++++++ tests/utils_tests/test_encoding.py | 21 ++++++++++++++++++++- 5 files changed, 43 insertions(+), 5 deletions(-) diff --git a/django/utils/encoding.py b/django/utils/encoding.py index 5b618e74a3..5986993759 100644 --- a/django/utils/encoding.py +++ b/django/utils/encoding.py @@ -220,6 +220,7 @@ def repercent_broken_unicode(path): repercent-encode any octet produced that is not part of a strictly legal UTF-8 octet sequence. """ + changed_parts = [] while True: try: path.decode() @@ -227,9 +228,10 @@ def repercent_broken_unicode(path): # CVE-2019-14235: A recursion shouldn't be used since the exception # handling uses massive amounts of memory repercent = quote(path[e.start : e.end], safe=b"/#%[]=:;$&()+,!?*@'~") - path = path[: e.start] + repercent.encode() + path[e.end :] + changed_parts.append(path[: e.start] + repercent.encode()) + path = path[e.end :] else: - return path + return b"".join(changed_parts) + path def filepath_to_uri(path): diff --git a/docs/releases/3.2.21.txt b/docs/releases/3.2.21.txt index 79efc679d1..062ac66682 100644 --- a/docs/releases/3.2.21.txt +++ b/docs/releases/3.2.21.txt @@ -6,4 +6,9 @@ Django 3.2.21 release notes Django 3.2.21 fixes a security issue with severity "moderate" in 3.2.20. -... +CVE-2023-41164: Potential denial of service vulnerability in ``django.utils.encoding.uri_to_iri()`` +=================================================================================================== + +``django.utils.encoding.uri_to_iri()`` was subject to potential denial of +service attack via certain inputs with a very large number of Unicode +characters. diff --git a/docs/releases/4.1.11.txt b/docs/releases/4.1.11.txt index efb6c14071..34734603c8 100644 --- a/docs/releases/4.1.11.txt +++ b/docs/releases/4.1.11.txt @@ -6,4 +6,9 @@ Django 4.1.11 release notes Django 4.1.11 fixes a security issue with severity "moderate" in 4.1.10. -... +CVE-2023-41164: Potential denial of service vulnerability in ``django.utils.encoding.uri_to_iri()`` +=================================================================================================== + +``django.utils.encoding.uri_to_iri()`` was subject to potential denial of +service attack via certain inputs with a very large number of Unicode +characters. diff --git a/docs/releases/4.2.5.txt b/docs/releases/4.2.5.txt index d88ece91e6..21e04fbb97 100644 --- a/docs/releases/4.2.5.txt +++ b/docs/releases/4.2.5.txt @@ -7,6 +7,13 @@ Django 4.2.5 release notes Django 4.2.5 fixes a security issue with severity "moderate" and several bugs in 4.2.4. +CVE-2023-41164: Potential denial of service vulnerability in ``django.utils.encoding.uri_to_iri()`` +=================================================================================================== + +``django.utils.encoding.uri_to_iri()`` was subject to potential denial of +service attack via certain inputs with a very large number of Unicode +characters. + Bugfixes ======== diff --git a/tests/utils_tests/test_encoding.py b/tests/utils_tests/test_encoding.py index 6dea260b84..2b52b1607c 100644 --- a/tests/utils_tests/test_encoding.py +++ b/tests/utils_tests/test_encoding.py @@ -1,9 +1,10 @@ import datetime +import inspect import sys import unittest from pathlib import Path from unittest import mock -from urllib.parse import quote_plus +from urllib.parse import quote, quote_plus from django.test import SimpleTestCase from django.utils.encoding import ( @@ -120,6 +121,24 @@ class TestEncodingUtils(SimpleTestCase): except RecursionError: self.fail("Unexpected RecursionError raised.") + def test_repercent_broken_unicode_small_fragments(self): + data = b"test\xfctest\xfctest\xfc" + decoded_paths = [] + + def mock_quote(*args, **kwargs): + # The second frame is the call to repercent_broken_unicode(). + decoded_paths.append(inspect.currentframe().f_back.f_locals["path"]) + return quote(*args, **kwargs) + + with mock.patch("django.utils.encoding.quote", mock_quote): + self.assertEqual(repercent_broken_unicode(data), b"test%FCtest%FCtest%FC") + + # decode() is called on smaller fragment of the path each time. + self.assertEqual( + decoded_paths, + [b"test\xfctest\xfctest\xfc", b"test\xfctest\xfc", b"test\xfc"], + ) + class TestRFC3987IEncodingUtils(unittest.TestCase): def test_filepath_to_uri(self):