Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
Cloud:OpenStack:Newton
python-Django
CVE-2019-14235-fix-memory-exhaustion.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2019-14235-fix-memory-exhaustion.patch of Package python-Django
commit c87c451f17e434aaeedbb186834455dc1d6af11e Author: Florian Apolloner <florian@apolloner.eu> Date: Fri, 19 Jul 2019 17:04:53 +0200 [1.8.x] Fixed CVE-2019-14235 -- Fixed potential memory exhaustion in django.utils.encoding.uri_to_iri(). Thanks to Guido Vranken for initial report. diff --git a/django/utils/encoding.py b/django/utils/encoding.py index 99c9da843a..7eb71a238c 100644 --- a/django/utils/encoding.py +++ b/django/utils/encoding.py @@ -250,13 +250,16 @@ def repercent_broken_unicode(path): we need to re-percent-encode any octet produced that is not part of a strictly legal UTF-8 octet sequence. """ - try: - path.decode('utf-8') - except UnicodeDecodeError as e: - repercent = quote(path[e.start:e.end], safe=b"/#%[]=:;$&()+,!?*@'~") - path = repercent_broken_unicode( - path[:e.start] + force_bytes(repercent) + path[e.end:]) - return path + while True: + try: + path.decode('utf-8') + except UnicodeDecodeError as e: + # CVE-2019-14235: A recursion shouldn't be used since the exception + # handling uses massive amounts of memory + repercent = quote(path[e.start:e.end], safe=b"/#%[]=:;$&()+,!?*@'~") + path = path[:e.start] + force_bytes(repercent) + path[e.end:] + else: + return path def filepath_to_uri(path): diff --git a/docs/releases/1.8.19.txt b/docs/releases/1.8.19.txt index cfd55be205..0adcf29aab 100644 --- a/docs/releases/1.8.19.txt +++ b/docs/releases/1.8.19.txt @@ -68,3 +68,13 @@ CVE-2019-14234: SQL injection possibility in key and index lookups for ``JSONFie <hstorefield.key>` for :class:`~django.contrib.postgres.fields.HStoreField` were subject to SQL injection, using a suitably crafted dictionary, with dictionary expansion, as the ``**kwargs`` passed to ``QuerySet.filter()``. + +CVE-2019-14235: Potential memory exhaustion in ``django.utils.encoding.uri_to_iri()`` +===================================================================================== + +If passed certain inputs, :func:`django.utils.encoding.uri_to_iri` could lead +to significant memory usage due to excessive recursion when re-percent-encoding +invalid UTF-8 octet sequences. + +``uri_to_iri()`` now avoids recursion when re-percent-encoding invalid UTF-8 +octet sequences. diff --git a/tests/utils_tests/test_encoding.py b/tests/utils_tests/test_encoding.py index e581003d9a..896d04d929 100644 --- a/tests/utils_tests/test_encoding.py +++ b/tests/utils_tests/test_encoding.py @@ -2,12 +2,13 @@ from __future__ import unicode_literals import datetime +import sys import unittest from django.utils import six from django.utils.encoding import ( escape_uri_path, filepath_to_uri, force_bytes, force_text, iri_to_uri, - uri_to_iri, + repercent_broken_unicode, uri_to_iri, ) from django.utils.http import urlquote_plus @@ -50,6 +51,15 @@ class TestEncodingUtils(unittest.TestCase): self.assertEqual(escape_uri_path('/foo#bar'), '/foo%23bar') self.assertEqual(escape_uri_path('/foo?bar'), '/foo%3Fbar') + def test_repercent_broken_unicode_recursion_error(self): + # Prepare a string long enough to force a recursion error if the tested + # function uses recursion. + data = b'\xfc' * sys.getrecursionlimit() + try: + self.assertEqual(repercent_broken_unicode(data), b'%FC' * sys.getrecursionlimit()) + except RecursionError: + self.fail('Unexpected RecursionError raised.') + class TestRFC3987IEncodingUtils(unittest.TestCase):
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor