This change is for python3-django_2.2.28. The patch was accidentally backported incorrectly. The patch in general introduces a field-length restrictrion on the email input fields, however the patch was backported in a way that the restriction was applied on file input fields instead of email fields.
This change amends the patch in a way to restrict the email field. Signed-off-by: Gyorgy Sarvari <[email protected]> --- v1: https://lists.openembedded.org/g/openembedded-devel/message/123448 v2: instead of changing the existing CVE-2023-36053.patch file, just introduce a new patch for the ease of readability. The actual code change remains unchanged between the patches. .../0001-Fix-patch-for-CVE-2023-36053.patch | 43 +++++++++++++++++++ .../python/python3-django_2.2.28.bb | 1 + 2 files changed, 44 insertions(+) create mode 100644 meta-python/recipes-devtools/python/python3-django/0001-Fix-patch-for-CVE-2023-36053.patch diff --git a/meta-python/recipes-devtools/python/python3-django/0001-Fix-patch-for-CVE-2023-36053.patch b/meta-python/recipes-devtools/python/python3-django/0001-Fix-patch-for-CVE-2023-36053.patch new file mode 100644 index 0000000000..48805df9cd --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django/0001-Fix-patch-for-CVE-2023-36053.patch @@ -0,0 +1,43 @@ +From 85fd44420b007be726b502e3be58f56b0e44cc08 Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari <[email protected]> +Date: Thu, 15 Jan 2026 13:36:01 +0100 +Subject: [PATCH] Fix patch for CVE-2023-36053 + +The patch was accidentally backported incorrectly. The patch in general +introduces a field-length restrictrion on the email input fields, however +the patch was backported in a way that the restriction was applied on +file input fields instead of email fields. + +This change amends the patch in a way to restrict the email field. + +CVE: CVE-2023-36053 +Upstream-Status: Inappropriate [Backport specific] +Signed-off-by: Gyorgy Sarvari <[email protected]> +--- + django/forms/fields.py | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/django/forms/fields.py b/django/forms/fields.py +index b3156b9..bbb135f 100644 +--- a/django/forms/fields.py ++++ b/django/forms/fields.py +@@ -523,6 +523,9 @@ class EmailField(CharField): + default_validators = [validators.validate_email] + + def __init__(self, **kwargs): ++ # The default maximum length of an email is 320 characters per RFC 3696 ++ # section 3. ++ kwargs.setdefault("max_length", 320) + super().__init__(strip=True, **kwargs) + + +@@ -542,9 +545,6 @@ class FileField(Field): + def __init__(self, *, max_length=None, allow_empty_file=False, **kwargs): + self.max_length = max_length + self.allow_empty_file = allow_empty_file +- # The default maximum length of an email is 320 characters per RFC 3696 +- # section 3. +- kwargs.setdefault("max_length", 320) + super().__init__(**kwargs) + + def to_python(self, data): diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb index dedb2498cb..7735898ca5 100644 --- a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb +++ b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb @@ -44,6 +44,7 @@ SRC_URI += "file://CVE-2023-31047.patch \ file://0001-Fixed-test_utils.tests.HTMLEqualTests.test_parsing_e.patch \ file://0001-Made-RemoteTestResultTest.test_pickle_errors_detecti.patch \ file://0001-fix-quote-type-in-expected-error-message.patch \ + file://0001-Fix-patch-for-CVE-2023-36053.patch \ " SRC_URI[sha256sum] = "0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413"
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#123506): https://lists.openembedded.org/g/openembedded-devel/message/123506 Mute This Topic: https://lists.openembedded.org/mt/117278151/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
