mirror of
https://github.com/django/django.git
synced 2025-10-31 09:41:08 +00:00
Fixed CVE-2023-23969 -- Prevented DoS with pathological values for Accept-Language.
The parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large. Accept-Language headers are now limited to a maximum length in order to avoid this issue.
This commit is contained in:
Nick Pope
committed by
Mariusz Felisiak
Mariusz Felisiak
parent
110b3b8356
commit
8c660fb592
@@ -30,6 +30,11 @@ _default = None
|
||||
# magic gettext number to separate context from message
|
||||
CONTEXT_SEPARATOR = "\x04"
|
||||
|
||||
# Maximum number of characters that will be parsed from the Accept-Language
|
||||
# header to prevent possible denial of service or memory exhaustion attacks.
|
||||
# About 10x longer than the longest value shown on MDN’s Accept-Language page.
|
||||
ACCEPT_LANGUAGE_HEADER_MAX_LENGTH = 500
|
||||
|
||||
# Format of Accept-Language header values. From RFC 9110 Sections 12.4.2 and
|
||||
# 12.5.4, and RFC 5646 Section 2.1.
|
||||
accept_language_re = _lazy_re_compile(
|
||||
@@ -582,7 +587,7 @@ def get_language_from_request(request, check_path=False):
|
||||
|
||||
|
||||
@functools.lru_cache(maxsize=1000)
|
||||
def parse_accept_lang_header(lang_string):
|
||||
def _parse_accept_lang_header(lang_string):
|
||||
"""
|
||||
Parse the lang_string, which is the body of an HTTP Accept-Language
|
||||
header, and return a tuple of (lang, q-value), ordered by 'q' values.
|
||||
@@ -604,3 +609,27 @@ def parse_accept_lang_header(lang_string):
|
||||
result.append((lang, priority))
|
||||
result.sort(key=lambda k: k[1], reverse=True)
|
||||
return tuple(result)
|
||||
|
||||
|
||||
def parse_accept_lang_header(lang_string):
|
||||
"""
|
||||
Parse the value of the Accept-Language header up to a maximum length.
|
||||
|
||||
The value of the header is truncated to a maximum length to avoid potential
|
||||
denial of service and memory exhaustion attacks. Excessive memory could be
|
||||
used if the raw value is very large as it would be cached due to the use of
|
||||
functools.lru_cache() to avoid repetitive parsing of common header values.
|
||||
"""
|
||||
# If the header value doesn't exceed the maximum allowed length, parse it.
|
||||
if len(lang_string) <= ACCEPT_LANGUAGE_HEADER_MAX_LENGTH:
|
||||
return _parse_accept_lang_header(lang_string)
|
||||
|
||||
# If there is at least one comma in the value, parse up to the last comma
|
||||
# before the max length, skipping any truncated parts at the end of the
|
||||
# header value.
|
||||
if (index := lang_string.rfind(",", 0, ACCEPT_LANGUAGE_HEADER_MAX_LENGTH)) > 0:
|
||||
return _parse_accept_lang_header(lang_string[:index])
|
||||
|
||||
# Don't attempt to parse if there is only one language-range value which is
|
||||
# longer than the maximum allowed length and so truncated.
|
||||
return ()
|
||||
|
||||
Reference in New Issue
Block a user