Skip to content

Commit

Permalink
[4.2.x] Fixed CVE-2023-41164 -- Fixed potential DoS in django.utils.e…
Browse files Browse the repository at this point in the history
…ncoding.uri_to_iri().

Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.

Co-authored-by: nessita <124304+nessita@users.noreply.github.com>
  • Loading branch information
felixxm and nessita committed Sep 4, 2023
1 parent acfb427 commit 9c51b4d
Show file tree
Hide file tree
Showing 5 changed files with 43 additions and 5 deletions.
6 changes: 4 additions & 2 deletions django/utils/encoding.py
Original file line number Diff line number Diff line change
Expand Up @@ -219,16 +219,18 @@ def repercent_broken_unicode(path):
repercent-encode any octet produced that is not part of a strictly legal
UTF-8 octet sequence.
"""
changed_parts = []
while True:
try:
path.decode()
except UnicodeDecodeError as e:
# CVE-2019-14235: A recursion shouldn't be used since the exception
# handling uses massive amounts of memory
repercent = quote(path[e.start : e.end], safe=b"/#%[]=:;$&()+,!?*@'~")
path = path[: e.start] + repercent.encode() + path[e.end :]
changed_parts.append(path[: e.start] + repercent.encode())
path = path[e.end :]
else:
return path
return b"".join(changed_parts) + path


def filepath_to_uri(path):
Expand Down
7 changes: 6 additions & 1 deletion docs/releases/3.2.21.txt
Original file line number Diff line number Diff line change
Expand Up @@ -6,4 +6,9 @@ Django 3.2.21 release notes

Django 3.2.21 fixes a security issue with severity "moderate" in 3.2.20.

...
CVE-2023-41164: Potential denial of service vulnerability in ``django.utils.encoding.uri_to_iri()``
===================================================================================================

``django.utils.encoding.uri_to_iri()`` was subject to potential denial of
service attack via certain inputs with a very large number of Unicode
characters.
7 changes: 6 additions & 1 deletion docs/releases/4.1.11.txt
Original file line number Diff line number Diff line change
Expand Up @@ -6,4 +6,9 @@ Django 4.1.11 release notes

Django 4.1.11 fixes a security issue with severity "moderate" in 4.1.10.

...
CVE-2023-41164: Potential denial of service vulnerability in ``django.utils.encoding.uri_to_iri()``
===================================================================================================

``django.utils.encoding.uri_to_iri()`` was subject to potential denial of
service attack via certain inputs with a very large number of Unicode
characters.
7 changes: 7 additions & 0 deletions docs/releases/4.2.5.txt
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,13 @@ Django 4.2.5 release notes
Django 4.2.5 fixes a security issue with severity "moderate" and several bugs
in 4.2.4.

CVE-2023-41164: Potential denial of service vulnerability in ``django.utils.encoding.uri_to_iri()``
===================================================================================================

``django.utils.encoding.uri_to_iri()`` was subject to potential denial of
service attack via certain inputs with a very large number of Unicode
characters.

Bugfixes
========

Expand Down
21 changes: 20 additions & 1 deletion tests/utils_tests/test_encoding.py
Original file line number Diff line number Diff line change
@@ -1,9 +1,10 @@
import datetime
import inspect
import sys
import unittest
from pathlib import Path
from unittest import mock
from urllib.parse import quote_plus
from urllib.parse import quote, quote_plus

from django.test import SimpleTestCase
from django.utils.encoding import (
Expand Down Expand Up @@ -120,6 +121,24 @@ def test_repercent_broken_unicode_recursion_error(self):
except RecursionError:
self.fail("Unexpected RecursionError raised.")

def test_repercent_broken_unicode_small_fragments(self):
data = b"test\xfctest\xfctest\xfc"
decoded_paths = []

def mock_quote(*args, **kwargs):
# The second frame is the call to repercent_broken_unicode().
decoded_paths.append(inspect.currentframe().f_back.f_locals["path"])
return quote(*args, **kwargs)

with mock.patch("django.utils.encoding.quote", mock_quote):
self.assertEqual(repercent_broken_unicode(data), b"test%FCtest%FCtest%FC")

# decode() is called on smaller fragment of the path each time.
self.assertEqual(
decoded_paths,
[b"test\xfctest\xfctest\xfc", b"test\xfctest\xfc", b"test\xfc"],
)


class TestRFC3987IEncodingUtils(unittest.TestCase):
def test_filepath_to_uri(self):
Expand Down

0 comments on commit 9c51b4d

Please sign in to comment.