File fix-cve-2022-41323.patch of Package python-Django.18497
From 5b6b257fa7ec37ff27965358800c67e2dd11c924 Mon Sep 17 00:00:00 2001
From: Adam Johnson <me@adamj.eu>
Date: Fri, 2 Sep 2022 09:44:05 +0100
Subject: [PATCH] [3.2.x] Fixed CVE-2022-41323 -- Prevented locales being
interpreted as regular expressions.
Thanks to Benjamin Balder Bach for the report.
---
django/urls/resolvers.py | 2 +-
docs/releases/3.2.16.txt | 6 +++++-
tests/i18n/patterns/tests.py | 6 ++++++
3 files changed, 12 insertions(+), 2 deletions(-)
Index: Django-2.2.28/django/urls/resolvers.py
===================================================================
--- Django-2.2.28.orig/django/urls/resolvers.py
+++ Django-2.2.28/django/urls/resolvers.py
@@ -289,7 +289,7 @@ class LocalePrefixPattern:
@property
def regex(self):
# This is only used by reverse() and cached in _reverse_dict.
- return re.compile(self.language_prefix)
+ return re.compile(re.escape(self.language_prefix))
@property
def language_prefix(self):
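Review bot: The comment above the return in `regex` still only describes caching and does not say why the prefix is now escaped, so a later cleanup could drop `re.escape` without realising it is the CVE-2022-41323 fix. I would add a second comment line such as `# Escape the prefix: it is built from the active language code and must be matched literally, never parsed as regex syntax.` The body of `language_prefix` starts at the edge of the hunk and is not visible. That it derives from the active language is inferred from the commit subject and from the new test's `translation.override("e(")`. Only this one call site is shown, so it is worth confirming that no other code in the module compiles the same prefix into a pattern.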
Index: Django-2.2.28/tests/i18n/patterns/tests.py
===================================================================
--- Django-2.2.28.orig/tests/i18n/patterns/tests.py
+++ Django-2.2.28/tests/i18n/patterns/tests.py
@@ -163,6 +163,12 @@ class URLTranslationTests(URLTestCaseBas
self.assertEqual(translate_url('/nl/gebruikers/', 'en'), '/en/users/')
self.assertEqual(translation.get_language(), 'nl')
+ def test_locale_not_interepreted_as_regex(self):
+ with translation.override("e("):
+ # Would previously error:
+ # re.error: missing ), unterminated subpattern at position 1
+ reverse("users")
+
class URLNamespaceTests(URLTestCaseBase):
"""
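Review bot: `test_locale_not_interepreted_as_regex` only checks that `reverse("users")` does not raise, so it would still pass if the prefix were dropped or mangled rather than emitted literally. Asserting the result would pin the intended behaviour, for example `self.assertEqual(reverse("users"), "/e(/users/")`. The exact expected string depends on the URLconf, which is outside the hunk, so confirm it before adopting. The method name also misspells "interpreted"; `test_locale_not_interpreted_as_regex` is easier to find by search.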