mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-03-16 15:29:37 +01:00
07810b11ef
Upstream Repository: https://github.com/django/django.git Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2025-26699 Type: Security Fix CVE: CVE-2025-26699 Score: 7.5 Patch: https://github.com/django/django/commit/e88f7376fe68 Signed-off-by: Anil Dongare <adongare@cisco.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
101 lines
3.5 KiB
Diff
101 lines
3.5 KiB
Diff
From 5fd7c868791b635ef20d2991cc028516b9021dd4 Mon Sep 17 00:00:00 2001
|
|
From: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
|
|
Date: Tue, 25 Feb 2025 09:40:54 +0100
|
|
Subject: [PATCH] [5.0.x] Fixed CVE-2025-26699 -- Mitigated potential DoS in
|
|
wordwrap template filter.
|
|
|
|
Thanks sw0rd1ight for the report.
|
|
|
|
Backport of 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b from main.
|
|
|
|
CVE: CVE-2025-26699
|
|
Upstream-Status: Backport [https://github.com/django/django/commit/e88f7376fe68]
|
|
|
|
Backport Changes:
|
|
- The fix has been adapted from the upstream Django v4.2.20 patch for
|
|
CVE-2025-26699, applied to the python3-django_5.0.11.bb recipe.
|
|
|
|
- The upstream patch includes changes to a 4.2.20.txt release-note file.
|
|
This file does not exist in the Django 5.0.11 source tree, so it was
|
|
intentionally omitted from this backport.
|
|
|
|
- Only the relevant code changes from the upstream patch were applied.
|
|
No functional differences exist in the vulnerable logic between
|
|
Django 4.2.x and 5.0.x.
|
|
|
|
(cherry picked from commit e88f7376fe68dbf4ebaf11fad1513ce700b45860)
|
|
Signed-off-by: Anil Dongare <adongare@cisco.com>
|
|
---
|
|
django/utils/text.py | 28 +++++++------------
|
|
.../filter_tests/test_wordwrap.py | 11 ++++++++
|
|
2 files changed, 21 insertions(+), 18 deletions(-)
|
|
|
|
diff --git a/django/utils/text.py b/django/utils/text.py
|
|
index d992f80dd2..36ab6a9efc 100644
|
|
--- a/django/utils/text.py
|
|
+++ b/django/utils/text.py
|
|
@@ -1,6 +1,7 @@
|
|
import gzip
|
|
import re
|
|
import secrets
|
|
+import textwrap
|
|
import unicodedata
|
|
from gzip import GzipFile
|
|
from gzip import compress as gzip_compress
|
|
@@ -97,24 +98,15 @@ def wrap(text, width):
|
|
``width``.
|
|
"""
|
|
|
|
- def _generator():
|
|
- for line in text.splitlines(True): # True keeps trailing linebreaks
|
|
- max_width = min((line.endswith("\n") and width + 1 or width), width)
|
|
- while len(line) > max_width:
|
|
- space = line[: max_width + 1].rfind(" ") + 1
|
|
- if space == 0:
|
|
- space = line.find(" ") + 1
|
|
- if space == 0:
|
|
- yield line
|
|
- line = ""
|
|
- break
|
|
- yield "%s\n" % line[: space - 1]
|
|
- line = line[space:]
|
|
- max_width = min((line.endswith("\n") and width + 1 or width), width)
|
|
- if line:
|
|
- yield line
|
|
-
|
|
- return "".join(_generator())
|
|
+ wrapper = textwrap.TextWrapper(
|
|
+ width=width,
|
|
+ break_long_words=False,
|
|
+ break_on_hyphens=False,
|
|
+ )
|
|
+ result = []
|
|
+ for line in text.splitlines(True):
|
|
+ result.extend(wrapper.wrap(line))
|
|
+ return "\n".join(result)
|
|
|
|
|
|
def add_truncation_text(text, truncate=None):
|
|
diff --git a/tests/template_tests/filter_tests/test_wordwrap.py b/tests/template_tests/filter_tests/test_wordwrap.py
|
|
index 88fbd274da..4afa1dd234 100644
|
|
--- a/tests/template_tests/filter_tests/test_wordwrap.py
|
|
+++ b/tests/template_tests/filter_tests/test_wordwrap.py
|
|
@@ -78,3 +78,14 @@ class FunctionTests(SimpleTestCase):
|
|
"this is a long\nparagraph of\ntext that\nreally needs\nto be wrapped\n"
|
|
"I'm afraid",
|
|
)
|
|
+
|
|
+ def test_wrap_long_text(self):
|
|
+ long_text = (
|
|
+ "this is a long paragraph of text that really needs"
|
|
+ " to be wrapped I'm afraid " * 20_000
|
|
+ )
|
|
+ self.assertIn(
|
|
+ "this is a\nlong\nparagraph\nof text\nthat\nreally\nneeds to\nbe wrapped\n"
|
|
+ "I'm afraid",
|
|
+ wordwrap(long_text, 10),
|
|
+ )
|
|
--
|
|
2.43.5
|
|
|