Fix CVE-2025-32873
This commit is contained in:
starlet-dx
parent
e3a505e06f
commit
2a889bf441
85
CVE-2025-32873.patch
Normal file
85
CVE-2025-32873.patch
Normal file
@ -0,0 +1,85 @@
|
|||||||
|
From 9cd8028f3e38dca8e51c1388f474eecbe7d6ca3c Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
|
||||||
|
Date: Tue, 8 Apr 2025 16:30:17 +0200
|
||||||
|
Subject: [PATCH] [4.2.x] Fixed CVE-2025-32873 -- Mitigated potential DoS in
|
||||||
|
strip_tags().
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Thanks to Elias Myllymäki for the report, and Shai Berger and Jake
|
||||||
|
Howard for the reviews.
|
||||||
|
|
||||||
|
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
|
||||||
|
|
||||||
|
Backport of 9f3419b519799d69f2aba70b9d25abe2e70d03e0 from main.
|
||||||
|
|
||||||
|
Origin: https://github.com/django/django/commit/9cd8028f3e38dca8e51c1388f474eecbe7d6ca3c
|
||||||
|
---
|
||||||
|
django/utils/html.py | 6 ++++++
|
||||||
|
tests/utils_tests/test_html.py | 15 ++++++++++++++-
|
||||||
|
2 files changed, 20 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/django/utils/html.py b/django/utils/html.py
|
||||||
|
index a8d23ce..c06f7ee 100644
|
||||||
|
--- a/django/utils/html.py
|
||||||
|
+++ b/django/utils/html.py
|
||||||
|
@@ -37,6 +37,9 @@ _html_escapes = {
|
||||||
|
MAX_URL_LENGTH = 2048
|
||||||
|
MAX_STRIP_TAGS_DEPTH = 50
|
||||||
|
|
||||||
|
+# HTML tag that opens but has no closing ">" after 1k+ chars.
|
||||||
|
+long_open_tag_without_closing_re = _lazy_re_compile(r"<[a-zA-Z][^>]{1000,}")
|
||||||
|
+
|
||||||
|
|
||||||
|
@keep_lazy(str, SafeText)
|
||||||
|
def escape(text):
|
||||||
|
@@ -188,6 +191,9 @@ def _strip_once(value):
|
||||||
|
def strip_tags(value):
|
||||||
|
"""Return the given HTML with all tags stripped."""
|
||||||
|
value = str(value)
|
||||||
|
+ for long_open_tag in long_open_tag_without_closing_re.finditer(value):
|
||||||
|
+ if long_open_tag.group().count("<") >= MAX_STRIP_TAGS_DEPTH:
|
||||||
|
+ raise SuspiciousOperation
|
||||||
|
# Note: in typical case this loop executes _strip_once twice (the second
|
||||||
|
# execution does not remove any more tags).
|
||||||
|
strip_tags_depth = 0
|
||||||
|
diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py
|
||||||
|
index 625511e..2247283 100644
|
||||||
|
--- a/tests/utils_tests/test_html.py
|
||||||
|
+++ b/tests/utils_tests/test_html.py
|
||||||
|
@@ -92,17 +92,30 @@ class TestUtilsHtml(SimpleTestCase):
|
||||||
|
('><!' + ('&' * 16000) + 'D', '><!' + ('&' * 16000) + 'D'),
|
||||||
|
('X<<<<br>br>br>br>X', 'XX'),
|
||||||
|
("<" * 50 + "a>" * 50, ""),
|
||||||
|
+ (">" + "<a" * 500 + "a", ">" + "<a" * 500 + "a"),
|
||||||
|
+ ("<a" * 49 + "a" * 951, "<a" * 49 + "a" * 951),
|
||||||
|
+ ("<" + "a" * 1_002, "<" + "a" * 1_002),
|
||||||
|
)
|
||||||
|
for value, output in items:
|
||||||
|
with self.subTest(value=value, output=output):
|
||||||
|
self.check_output(strip_tags, value, output)
|
||||||
|
self.check_output(strip_tags, lazystr(value), output)
|
||||||
|
|
||||||
|
- def test_strip_tags_suspicious_operation(self):
|
||||||
|
+ def test_strip_tags_suspicious_operation_max_depth(self):
|
||||||
|
value = "<" * 51 + "a>" * 51, "<a>"
|
||||||
|
with self.assertRaises(SuspiciousOperation):
|
||||||
|
strip_tags(value)
|
||||||
|
|
||||||
|
+ def test_strip_tags_suspicious_operation_large_open_tags(self):
|
||||||
|
+ items = [
|
||||||
|
+ ">" + "<a" * 501,
|
||||||
|
+ "<a" * 50 + "a" * 950,
|
||||||
|
+ ]
|
||||||
|
+ for value in items:
|
||||||
|
+ with self.subTest(value=value):
|
||||||
|
+ with self.assertRaises(SuspiciousOperation):
|
||||||
|
+ strip_tags(value)
|
||||||
|
+
|
||||||
|
def test_strip_tags_files(self):
|
||||||
|
# Test with more lengthy content (also catching performance regressions)
|
||||||
|
for filename in ('strip_tags1.html', 'strip_tags2.txt'):
|
||||||
|
--
|
||||||
|
2.49.0
|
||||||
|
|
||||||
@ -1,7 +1,7 @@
|
|||||||
%global _empty_manifest_terminate_build 0
|
%global _empty_manifest_terminate_build 0
|
||||||
Name: python-django
|
Name: python-django
|
||||||
Version: 2.2.27
|
Version: 2.2.27
|
||||||
Release: 15
|
Release: 16
|
||||||
Summary: A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
|
Summary: A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
|
||||||
License: Apache-2.0 and Python-2.0 and OFL-1.1 and MIT
|
License: Apache-2.0 and Python-2.0 and OFL-1.1 and MIT
|
||||||
URL: https://www.djangoproject.com/
|
URL: https://www.djangoproject.com/
|
||||||
@ -39,6 +39,7 @@ Patch20: CVE-2024-45231.patch
|
|||||||
Patch21: CVE-2024-53907.patch
|
Patch21: CVE-2024-53907.patch
|
||||||
Patch22: CVE-2024-56374.patch
|
Patch22: CVE-2024-56374.patch
|
||||||
Patch23: CVE-2025-26699.patch
|
Patch23: CVE-2025-26699.patch
|
||||||
|
Patch24: CVE-2025-32873.patch
|
||||||
|
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
%description
|
%description
|
||||||
@ -105,6 +106,9 @@ mv %{buildroot}/doclist.lst .
|
|||||||
%{_docdir}/*
|
%{_docdir}/*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri May 09 2025 yaoxin <1024769339@qq.com> - 2.2.27-16
|
||||||
|
- Fix CVE-2025-32873
|
||||||
|
|
||||||
* Wed Mar 12 2025 changtao <changtao@kylinos.cn> - 2.2.27-15
|
* Wed Mar 12 2025 changtao <changtao@kylinos.cn> - 2.2.27-15
|
||||||
- Type:CVE
|
- Type:CVE
|
||||||
- CVE:CVE-2025-26699
|
- CVE:CVE-2025-26699
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user