This patch is only for python3-django_3.2.25.

The URL validator didn't detect invalid IPv6 addresses and treated them
as valid, which made a testcase fail. (According to the comment, it could
also crash in some cases, though I haven't encountered that.)

This backported patch mitigates this behavior.

Signed-off-by: Gyorgy Sarvari <[email protected]>
---
 ...d-URLValidator-crash-in-some-edge-ca.patch | 56 +++++++++++++++++++
 .../python/python3-django_3.2.25.bb           |  1 +
 2 files changed, 57 insertions(+)
 create mode 100644 
meta-python/recipes-devtools/python/python3-django-3.2.25/0001-Fixed-33367-Fixed-URLValidator-crash-in-some-edge-ca.patch

diff --git 
a/meta-python/recipes-devtools/python/python3-django-3.2.25/0001-Fixed-33367-Fixed-URLValidator-crash-in-some-edge-ca.patch
 
b/meta-python/recipes-devtools/python/python3-django-3.2.25/0001-Fixed-33367-Fixed-URLValidator-crash-in-some-edge-ca.patch
new file mode 100644
index 0000000000..24ed73e9b5
--- /dev/null
+++ 
b/meta-python/recipes-devtools/python/python3-django-3.2.25/0001-Fixed-33367-Fixed-URLValidator-crash-in-some-edge-ca.patch
@@ -0,0 +1,56 @@
+From 065b10e2757af671f3e64f0c8714e6f2e4eca727 Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <[email protected]>
+Date: Wed, 15 Dec 2021 11:55:19 -0300
+Subject: [PATCH] Fixed #33367 -- Fixed URLValidator crash in some edge cases.
+
+From: mendespedro <[email protected]>
+
+Upstream-Status: Backport 
[https://github.com/django/django/commit/e8b4feddc34ffe5759ec21da8fa027e86e653f1c]
+Signed-off-by: Gyorgy Sarvari <[email protected]>
+---
+ django/core/validators.py | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/django/core/validators.py b/django/core/validators.py
+index 94cc3bf..03cd9b8 100644
+--- a/django/core/validators.py
++++ b/django/core/validators.py
+@@ -111,15 +111,16 @@ class URLValidator(RegexValidator):
+             raise ValidationError(self.message, code=self.code, 
params={'value': value})
+ 
+         # Then check full URL
++        try:
++            splitted_url = urlsplit(value)
++        except ValueError:
++            raise ValidationError(self.message, code=self.code, 
params={'value': value})
+         try:
+             super().__call__(value)
+         except ValidationError as e:
+             # Trivial case failed. Try for possible IDN domain
+             if value:
+-                try:
+-                    scheme, netloc, path, query, fragment = urlsplit(value)
+-                except ValueError:  # for example, "Invalid IPv6 URL"
+-                    raise ValidationError(self.message, code=self.code, 
params={'value': value})
++                scheme, netloc, path, query, fragment = splitted_url
+                 try:
+                     netloc = punycode(netloc)  # IDN -> ACE
+                 except UnicodeError:  # invalid domain part
+@@ -130,7 +131,7 @@ class URLValidator(RegexValidator):
+                 raise
+         else:
+             # Now verify IPv6 in the netloc part
+-            host_match = re.search(r'^\[(.+)\](?::\d{2,5})?$', 
urlsplit(value).netloc)
++            host_match = re.search(r'^\[(.+)\](?::\d{2,5})?$', 
splitted_url.netloc)
+             if host_match:
+                 potential_ip = host_match[1]
+                 try:
+@@ -142,7 +143,7 @@ class URLValidator(RegexValidator):
+         # section 3.1. It's defined to be 255 bytes or less, but this includes
+         # one byte for the length of the name and one byte for the trailing 
dot
+         # that's used to indicate absolute names in DNS.
+-        if len(urlsplit(value).hostname) > 253:
++        if splitted_url.hostname is None or len(splitted_url.hostname) > 253:
+             raise ValidationError(self.message, code=self.code, 
params={'value': value})
+ 
+ 
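Review bot: The embedded backport changes only `django/core/validators.py` (per its own diffstat), so no regression test covers the two behaviour changes in `URLValidator.__call__`: the early `urlsplit(value)` whose `ValueError` now becomes a `ValidationError`, and the `splitted_url.hostname is None` guard in front of the previously unguarded `len(...)` call. Because the cover text says the crash path was not reproduced, the patch header should name the testcase that failed, and any test changes the upstream commit may have carried should be kept in the backport so the fix can be checked on this branch. The new handler also loses the explanation the removed inner block had; a one-line comment such as `except ValueError:  # for example, "Invalid IPv6 URL"` would keep it. The body of `__call__` starts outside these hunks.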
diff --git a/meta-python/recipes-devtools/python/python3-django_3.2.25.bb 
b/meta-python/recipes-devtools/python/python3-django_3.2.25.bb
index 68b60a784e..15ee178115 100644
--- a/meta-python/recipes-devtools/python/python3-django_3.2.25.bb
+++ b/meta-python/recipes-devtools/python/python3-django_3.2.25.bb
@@ -15,6 +15,7 @@ SRC_URI += "\
        file://CVE-2024-41991.patch \
        file://CVE-2024-53907.patch \
        file://CVE-2025-32873.patch \
+       file://0001-Fixed-33367-Fixed-URLValidator-crash-in-some-edge-ca.patch \
 "
 
 # Set DEFAULT_PREFERENCE so that the LTS version of django is built by