File fix-cve-2023-23969.patch of Package python-Django.34904
From a50424dfa50899f3278d615b1c2a0c951df24701 Mon Sep 17 00:00:00 2001
From: Nick Pope <nick@nickpope.me.uk>
Date: Wed, 25 Jan 2023 12:21:48 +0100
Subject: [PATCH] [3.2.x] Fixed CVE-2023-23969 -- Prevented DoS with
pathological values for Accept-Language.
The parsed values of Accept-Language headers are cached in order to
avoid repetitive parsing. This leads to a potential denial-of-service
vector via excessive memory usage if the raw value of Accept-Language
headers is very large.
Accept-Language headers are now limited to a maximum length in order
to avoid this issue.
---
django/utils/translation/trans_real.py | 35 ++++++++++-
tests/i18n/tests.py | 87 ++++++++++++++------------
2 files changed, 81 insertions(+), 41 deletions(-)
Index: Django-2.0.7/django/utils/translation/trans_real.py
===================================================================
--- Django-2.0.7.orig/django/utils/translation/trans_real.py
+++ Django-2.0.7/django/utils/translation/trans_real.py
@@ -28,6 +28,11 @@ _default = None
# magic gettext number to separate context from message
CONTEXT_SEPARATOR = "\x04"
+# Maximum number of characters that will be parsed from the Accept-Language
+# header to prevent possible denial of service or memory exhaustion attacks.
+# About 10x longer than the longest value shown on MDN’s Accept-Language page.
+ACCEPT_LANGUAGE_HEADER_MAX_LENGTH = 500
+
# Format of Accept-Language header values. From RFC 2616, section 14.4 and 3.9
# and RFC 3066, section 2.1
accept_language_re = re.compile(r'''
@@ -509,7 +514,8 @@ def get_language_from_request(request, c
return settings.LANGUAGE_CODE
-def parse_accept_lang_header(lang_string):
+@functools.lru_cache(maxsize=1000)
+def _parse_accept_lang_header(lang_string):
"""
Parse the lang_string, which is the body of an HTTP Accept-Language
header, and return a list of (lang, q-value), ordered by 'q' values.
@@ -530,4 +536,29 @@ def parse_accept_lang_header(lang_string
priority = 1.0
result.append((lang, priority))
result.sort(key=lambda k: k[1], reverse=True)
- return result
+ return tuple(result)
+
+
+def parse_accept_lang_header(lang_string):
+ """
+ Parse the value of the Accept-Language header up to a maximum length.
+
+ The value of the header is truncated to a maximum length to avoid potential
+ denial of service and memory exhaustion attacks. Excessive memory could be
+ used if the raw value is very large as it would be cached due to the use of
+ functools.lru_cache() to avoid repetitive parsing of common header values.
+ """
+ # If the header value doesn't exceed the maximum allowed length, parse it.
+ if len(lang_string) <= ACCEPT_LANGUAGE_HEADER_MAX_LENGTH:
+ return _parse_accept_lang_header(lang_string)
+
+ # If there is at least one comma in the value, parse up to the last comma
+ # before the max length, skipping any truncated parts at the end of the
+ # header value.
+ index = lang_string.rfind(",", 0, ACCEPT_LANGUAGE_HEADER_MAX_LENGTH)
+ if index > 0:
+ return _parse_accept_lang_header(lang_string[:index])
+
+ # Don't attempt to parse if there is only one language-range value which is
+ # longer than the maximum allowed length and so truncated.
+ return ()
Index: Django-2.0.7/tests/i18n/tests.py
===================================================================
--- Django-2.0.7.orig/tests/i18n/tests.py
+++ Django-2.0.7/tests/i18n/tests.py
@@ -1136,45 +1136,54 @@ class MiscTests(SimpleTestCase):
values according to the spec (and that we extract all the pieces in
the right order).
"""
- p = trans_real.parse_accept_lang_header
- # Good headers.
- self.assertEqual([('de', 1.0)], p('de'))
- self.assertEqual([('en-au', 1.0)], p('en-AU'))
- self.assertEqual([('es-419', 1.0)], p('es-419'))
- self.assertEqual([('*', 1.0)], p('*;q=1.00'))
- self.assertEqual([('en-au', 0.123)], p('en-AU;q=0.123'))
- self.assertEqual([('en-au', 0.5)], p('en-au;q=0.5'))
- self.assertEqual([('en-au', 1.0)], p('en-au;q=1.0'))
- self.assertEqual([('da', 1.0), ('en', 0.5), ('en-gb', 0.25)], p('da, en-gb;q=0.25, en;q=0.5'))
- self.assertEqual([('en-au-xx', 1.0)], p('en-au-xx'))
- self.assertEqual(
- [('de', 1.0), ('en-au', 0.75), ('en-us', 0.5), ('en', 0.25), ('es', 0.125), ('fa', 0.125)],
- p('de,en-au;q=0.75,en-us;q=0.5,en;q=0.25,es;q=0.125,fa;q=0.125')
- )
- self.assertEqual([('*', 1.0)], p('*'))
- self.assertEqual([('de', 0.0)], p('de;q=0.'))
- self.assertEqual([('en', 1.0), ('*', 0.5)], p('en; q=1.0, * ; q=0.5'))
- self.assertEqual([('en', 1.0)], p('en; q=1,'))
- self.assertEqual([], p(''))
-
- # Bad headers; should always return [].
- self.assertEqual([], p('en-gb;q=1.0000'))
- self.assertEqual([], p('en;q=0.1234'))
- self.assertEqual([], p('en;q=.2'))
- self.assertEqual([], p('abcdefghi-au'))
- self.assertEqual([], p('**'))
- self.assertEqual([], p('en,,gb'))
- self.assertEqual([], p('en-au;q=0.1.0'))
- self.assertEqual(
- [],
- p('XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXZ,en')
- )
- self.assertEqual([], p('da, en-gb;q=0.8, en;q=0.7,#'))
- self.assertEqual([], p('de;q=2.0'))
- self.assertEqual([], p('de;q=0.a'))
- self.assertEqual([], p('12-345'))
- self.assertEqual([], p(''))
- self.assertEqual([], p('en;q=1e0'))
+ tests = [
+ # Good headers
+ ('de', [('de', 1.0)]),
+ ('en-AU', [('en-au', 1.0)]),
+ ('es-419', [('es-419', 1.0)]),
+ ('*;q=1.00', [('*', 1.0)]),
+ ('en-AU;q=0.123', [('en-au', 0.123)]),
+ ('en-au;q=0.5', [('en-au', 0.5)]),
+ ('en-au;q=1.0', [('en-au', 1.0)]),
+ ('da, en-gb;q=0.25, en;q=0.5', [('da', 1.0), ('en', 0.5), ('en-gb', 0.25)]),
+ ('en-au-xx', [('en-au-xx', 1.0)]),
+ ('de,en-au;q=0.75,en-us;q=0.5,en;q=0.25,es;q=0.125,fa;q=0.125',
+ [('de', 1.0), ('en-au', 0.75), ('en-us', 0.5), ('en', 0.25), ('es', 0.125), ('fa', 0.125)]),
+ ('*', [('*', 1.0)]),
+ ('de;q=0.', [('de', 0.0)]),
+ ('en; q=1,', [('en', 1.0)]),
+ ('en; q=1.0, * ; q=0.5', [('en', 1.0), ('*', 0.5)]),
+ (
+ 'en' + '-x' * 20,
+ [('en-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x', 1.0)],
+ ),
+ (
+ ', '.join(['en; q=1.0'] * 20),
+ [('en', 1.0)] * 20,
+ ),
+ # Bad headers
+ ('en-gb;q=1.0000', []),
+ ('en;q=0.1234', []),
+ ('en;q=.2', []),
+ ('abcdefghi-au', []),
+ ('**', []),
+ ('en,,gb', []),
+ ('en-au;q=0.1.0', []),
+ (('X' * 97) + 'Z,en', []),
+ ('da, en-gb;q=0.8, en;q=0.7,#', []),
+ ('de;q=2.0', []),
+ ('de;q=0.a', []),
+ ('12-345', []),
+ ('', []),
+ ('en;q=1e0', []),
+ # Invalid as language-range value too long.
+ ('xxxxxxxx' + '-xxxxxxxx' * 500, []),
+ # Header value too long, only parse up to limit.
+ (', '.join(['en; q=1.0'] * 500), [('en', 1.0)] * 45),
+ ]
+ for value, expected in tests:
+ with self.subTest(value=value):
+ self.assertEqual(trans_real.parse_accept_lang_header(value), tuple(expected))
def test_parse_literal_http_header(self):
"""
