diff options
Diffstat (limited to 'meta-python/recipes-devtools/python/python3-django')
7 files changed, 1141 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2023-31047.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2023-31047.patch new file mode 100644 index 0000000000..ab29a2ed97 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django/CVE-2023-31047.patch @@ -0,0 +1,352 @@ +From fd3215dec5d50aa1f09cb1f8eba193524e7379f3 Mon Sep 17 00:00:00 2001 +From: Mariusz Felisiak <felisiak.mariusz@gmail.com> +Date: Thu, 25 May 2023 14:49:15 +0000 +Subject: [PATCH] Fixed CVE-2023-31047, Fixed #31710 + +-- Prevented potential bypass of validation when uploading multiple files using one form field. + +Thanks Moataz Al-Sharida and nawaik for reports. + +Co-authored-by: Shai Berger <shai@platonix.com> +Co-authored-by: nessita <124304+nessita@users.noreply.github.com> + +CVE: CVE-2023-31047 + +Upstream-Status: Backport [https://github.com/django/django/commit/fb4c55d9ec4bb812a7fb91fa20510d91645e411b] + +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> +--- + django/forms/widgets.py | 26 ++++++- + docs/releases/2.2.28.txt | 18 +++++ + docs/topics/http/file-uploads.txt | 65 ++++++++++++++++-- + .../forms_tests/field_tests/test_filefield.py | 68 ++++++++++++++++++- + .../widget_tests/test_clearablefileinput.py | 5 ++ + .../widget_tests/test_fileinput.py | 44 ++++++++++++ + 6 files changed, 218 insertions(+), 8 deletions(-) + +diff --git a/django/forms/widgets.py b/django/forms/widgets.py +index e37036c..d0cc131 100644 +--- a/django/forms/widgets.py ++++ b/django/forms/widgets.py +@@ -372,17 +372,41 @@ class MultipleHiddenInput(HiddenInput): + + + class FileInput(Input): ++ allow_multiple_selected = False + input_type = 'file' + needs_multipart_form = True + template_name = 'django/forms/widgets/file.html' + ++ def __init__(self, attrs=None): ++ if ( ++ attrs is not None ++ and not self.allow_multiple_selected ++ and attrs.get("multiple", False) ++ ): ++ raise ValueError( ++ "%s doesn't support uploading multiple files." ++ % self.__class__.__qualname__ ++ ) ++ if self.allow_multiple_selected: ++ if attrs is None: ++ attrs = {"multiple": True} ++ else: ++ attrs.setdefault("multiple", True) ++ super().__init__(attrs) ++ + def format_value(self, value): + """File input never renders a value.""" + return + + def value_from_datadict(self, data, files, name): + "File widgets take data from FILES, not POST" +- return files.get(name) ++ getter = files.get ++ if self.allow_multiple_selected: ++ try: ++ getter = files.getlist ++ except AttributeError: ++ pass ++ return getter(name) + + def value_omitted_from_data(self, data, files, name): + return name not in files +diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt +index 43270fc..854c6b0 100644 +--- a/docs/releases/2.2.28.txt ++++ b/docs/releases/2.2.28.txt +@@ -20,3 +20,21 @@ CVE-2022-28347: Potential SQL injection via ``QuerySet.explain(**options)`` on P + :meth:`.QuerySet.explain` method was subject to SQL injection in option names, + using a suitably crafted dictionary, with dictionary expansion, as the + ``**options`` argument. ++ ++Backporting the CVE-2023-31047 fix on Django 2.2.28. ++ ++CVE-2023-31047: Potential bypass of validation when uploading multiple files using one form field ++================================================================================================= ++ ++Uploading multiple files using one form field has never been supported by ++:class:`.forms.FileField` or :class:`.forms.ImageField` as only the last ++uploaded file was validated. Unfortunately, :ref:`uploading_multiple_files` ++topic suggested otherwise. ++ ++In order to avoid the vulnerability, :class:`~django.forms.ClearableFileInput` ++and :class:`~django.forms.FileInput` form widgets now raise ``ValueError`` when ++the ``multiple`` HTML attribute is set on them. To prevent the exception and ++keep the old behavior, set ``allow_multiple_selected`` to ``True``. ++ ++For more details on using the new attribute and handling of multiple files ++through a single field, see :ref:`uploading_multiple_files`. +diff --git a/docs/topics/http/file-uploads.txt b/docs/topics/http/file-uploads.txt +index 21a6f06..c1ffb80 100644 +--- a/docs/topics/http/file-uploads.txt ++++ b/docs/topics/http/file-uploads.txt +@@ -127,19 +127,54 @@ field in the model:: + form = UploadFileForm() + return render(request, 'upload.html', {'form': form}) + ++.. _uploading_multiple_files: ++ + Uploading multiple files + ------------------------ + +-If you want to upload multiple files using one form field, set the ``multiple`` +-HTML attribute of field's widget: ++.. ++ Tests in tests.forms_tests.field_tests.test_filefield.MultipleFileFieldTest ++ should be updated after any changes in the following snippets. ++ ++If you want to upload multiple files using one form field, create a subclass ++of the field's widget and set the ``allow_multiple_selected`` attribute on it ++to ``True``. ++ ++In order for such files to be all validated by your form (and have the value of ++the field include them all), you will also have to subclass ``FileField``. See ++below for an example. ++ ++.. admonition:: Multiple file field ++ ++ Django is likely to have a proper multiple file field support at some point ++ in the future. + + .. code-block:: python + :caption: forms.py + + from django import forms + ++ ++ class MultipleFileInput(forms.ClearableFileInput): ++ allow_multiple_selected = True ++ ++ ++ class MultipleFileField(forms.FileField): ++ def __init__(self, *args, **kwargs): ++ kwargs.setdefault("widget", MultipleFileInput()) ++ super().__init__(*args, **kwargs) ++ ++ def clean(self, data, initial=None): ++ single_file_clean = super().clean ++ if isinstance(data, (list, tuple)): ++ result = [single_file_clean(d, initial) for d in data] ++ else: ++ result = single_file_clean(data, initial) ++ return result ++ ++ + class FileFieldForm(forms.Form): +- file_field = forms.FileField(widget=forms.ClearableFileInput(attrs={'multiple': True})) ++ file_field = MultipleFileField() + + Then override the ``post`` method of your + :class:`~django.views.generic.edit.FormView` subclass to handle multiple file +@@ -159,14 +194,32 @@ uploads: + def post(self, request, *args, **kwargs): + form_class = self.get_form_class() + form = self.get_form(form_class) +- files = request.FILES.getlist('file_field') + if form.is_valid(): +- for f in files: +- ... # Do something with each file. + return self.form_valid(form) + else: + return self.form_invalid(form) + ++ def form_valid(self, form): ++ files = form.cleaned_data["file_field"] ++ for f in files: ++ ... # Do something with each file. ++ return super().form_valid() ++ ++.. warning:: ++ ++ This will allow you to handle multiple files at the form level only. Be ++ aware that you cannot use it to put multiple files on a single model ++ instance (in a single field), for example, even if the custom widget is used ++ with a form field related to a model ``FileField``. ++ ++.. backportedfix:: 2.2.28 ++ ++ In previous versions, there was no support for the ``allow_multiple_selected`` ++ class attribute, and users were advised to create the widget with the HTML ++ attribute ``multiple`` set through the ``attrs`` argument. However, this ++ caused validation of the form field to be applied only to the last file ++ submitted, which could have adverse security implications. ++ + Upload Handlers + =============== + +diff --git a/tests/forms_tests/field_tests/test_filefield.py b/tests/forms_tests/field_tests/test_filefield.py +index 3357444..ba559ee 100644 +--- a/tests/forms_tests/field_tests/test_filefield.py ++++ b/tests/forms_tests/field_tests/test_filefield.py +@@ -1,7 +1,8 @@ + import pickle + + from django.core.files.uploadedfile import SimpleUploadedFile +-from django.forms import FileField, ValidationError ++from django.core.validators import validate_image_file_extension ++from django.forms import FileField, FileInput, ValidationError + from django.test import SimpleTestCase + + +@@ -82,3 +83,68 @@ class FileFieldTest(SimpleTestCase): + + def test_file_picklable(self): + self.assertIsInstance(pickle.loads(pickle.dumps(FileField())), FileField) ++ ++ ++class MultipleFileInput(FileInput): ++ allow_multiple_selected = True ++ ++ ++class MultipleFileField(FileField): ++ def __init__(self, *args, **kwargs): ++ kwargs.setdefault("widget", MultipleFileInput()) ++ super().__init__(*args, **kwargs) ++ ++ def clean(self, data, initial=None): ++ single_file_clean = super().clean ++ if isinstance(data, (list, tuple)): ++ result = [single_file_clean(d, initial) for d in data] ++ else: ++ result = single_file_clean(data, initial) ++ return result ++ ++ ++class MultipleFileFieldTest(SimpleTestCase): ++ def test_file_multiple(self): ++ f = MultipleFileField() ++ files = [ ++ SimpleUploadedFile("name1", b"Content 1"), ++ SimpleUploadedFile("name2", b"Content 2"), ++ ] ++ self.assertEqual(f.clean(files), files) ++ ++ def test_file_multiple_empty(self): ++ f = MultipleFileField() ++ files = [ ++ SimpleUploadedFile("empty", b""), ++ SimpleUploadedFile("nonempty", b"Some Content"), ++ ] ++ msg = "'The submitted file is empty.'" ++ with self.assertRaisesMessage(ValidationError, msg): ++ f.clean(files) ++ with self.assertRaisesMessage(ValidationError, msg): ++ f.clean(files[::-1]) ++ ++ def test_file_multiple_validation(self): ++ f = MultipleFileField(validators=[validate_image_file_extension]) ++ ++ good_files = [ ++ SimpleUploadedFile("image1.jpg", b"fake JPEG"), ++ SimpleUploadedFile("image2.png", b"faux image"), ++ SimpleUploadedFile("image3.bmp", b"fraudulent bitmap"), ++ ] ++ self.assertEqual(f.clean(good_files), good_files) ++ ++ evil_files = [ ++ SimpleUploadedFile("image1.sh", b"#!/bin/bash -c 'echo pwned!'\n"), ++ SimpleUploadedFile("image2.png", b"faux image"), ++ SimpleUploadedFile("image3.jpg", b"fake JPEG"), ++ ] ++ ++ evil_rotations = ( ++ evil_files[i:] + evil_files[:i] # Rotate by i. ++ for i in range(len(evil_files)) ++ ) ++ msg = "File extension “sh” is not allowed. Allowed extensions are: " ++ for rotated_evil_files in evil_rotations: ++ with self.assertRaisesMessage(ValidationError, msg): ++ f.clean(rotated_evil_files) +diff --git a/tests/forms_tests/widget_tests/test_clearablefileinput.py b/tests/forms_tests/widget_tests/test_clearablefileinput.py +index 2ba376d..8d9e38a 100644 +--- a/tests/forms_tests/widget_tests/test_clearablefileinput.py ++++ b/tests/forms_tests/widget_tests/test_clearablefileinput.py +@@ -161,3 +161,8 @@ class ClearableFileInputTest(WidgetTest): + self.assertIs(widget.value_omitted_from_data({}, {}, 'field'), True) + self.assertIs(widget.value_omitted_from_data({}, {'field': 'x'}, 'field'), False) + self.assertIs(widget.value_omitted_from_data({'field-clear': 'y'}, {}, 'field'), False) ++ ++ def test_multiple_error(self): ++ msg = "ClearableFileInput doesn't support uploading multiple files." ++ with self.assertRaisesMessage(ValueError, msg): ++ ClearableFileInput(attrs={"multiple": True}) +diff --git a/tests/forms_tests/widget_tests/test_fileinput.py b/tests/forms_tests/widget_tests/test_fileinput.py +index bbd7c7f..24daf5d 100644 +--- a/tests/forms_tests/widget_tests/test_fileinput.py ++++ b/tests/forms_tests/widget_tests/test_fileinput.py +@@ -1,4 +1,6 @@ ++from django.core.files.uploadedfile import SimpleUploadedFile + from django.forms import FileInput ++from django.utils.datastructures import MultiValueDict + + from .base import WidgetTest + +@@ -18,3 +20,45 @@ class FileInputTest(WidgetTest): + def test_value_omitted_from_data(self): + self.assertIs(self.widget.value_omitted_from_data({}, {}, 'field'), True) + self.assertIs(self.widget.value_omitted_from_data({}, {'field': 'value'}, 'field'), False) ++ ++ def test_multiple_error(self): ++ msg = "FileInput doesn't support uploading multiple files." ++ with self.assertRaisesMessage(ValueError, msg): ++ FileInput(attrs={"multiple": True}) ++ ++ def test_value_from_datadict_multiple(self): ++ class MultipleFileInput(FileInput): ++ allow_multiple_selected = True ++ ++ file_1 = SimpleUploadedFile("something1.txt", b"content 1") ++ file_2 = SimpleUploadedFile("something2.txt", b"content 2") ++ # Uploading multiple files is allowed. ++ widget = MultipleFileInput(attrs={"multiple": True}) ++ value = widget.value_from_datadict( ++ data={"name": "Test name"}, ++ files=MultiValueDict({"myfile": [file_1, file_2]}), ++ name="myfile", ++ ) ++ self.assertEqual(value, [file_1, file_2]) ++ # Uploading multiple files is not allowed. ++ widget = FileInput() ++ value = widget.value_from_datadict( ++ data={"name": "Test name"}, ++ files=MultiValueDict({"myfile": [file_1, file_2]}), ++ name="myfile", ++ ) ++ self.assertEqual(value, file_2) ++ ++ def test_multiple_default(self): ++ class MultipleFileInput(FileInput): ++ allow_multiple_selected = True ++ ++ tests = [ ++ (None, True), ++ ({"class": "myclass"}, True), ++ ({"multiple": False}, False), ++ ] ++ for attrs, expected in tests: ++ with self.subTest(attrs=attrs): ++ widget = MultipleFileInput(attrs=attrs) ++ self.assertIs(widget.attrs["multiple"], expected) +-- +2.40.0 diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2023-36053.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2023-36053.patch new file mode 100644 index 0000000000..2ad38d8e95 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django/CVE-2023-36053.patch @@ -0,0 +1,263 @@ +From a0b2eeeb7350d0c3a9b9be191783ff15daeffec5 Mon Sep 17 00:00:00 2001 +From: Mariusz Felisiak <felisiak.mariusz@gmail.com> +Date: Thu, 27 Jul 2023 14:51:48 +0000 +Subject: [PATCH] Fixed CVE-2023-36053 + +-- Prevented potential ReDoS in EmailValidator and URLValidator. + +Thanks Seokchan Yoon for reports. + +CVE: CVE-2023-36053 + +Upstream-Status: Backport [https://github.com/django/django/commit/454f2fb93437f98917283336201b4048293f7582] + +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> +--- + django/core/validators.py | 9 +++++++-- + django/forms/fields.py | 3 +++ + docs/ref/forms/fields.txt | 4 ++++ + docs/ref/validators.txt | 19 ++++++++++++++++++- + docs/releases/2.2.28.txt | 9 +++++++++ + .../field_tests/test_emailfield.py | 5 ++++- + tests/forms_tests/tests/test_forms.py | 19 +++++++++++++------ + tests/validators/tests.py | 11 +++++++++++ + 8 files changed, 69 insertions(+), 10 deletions(-) + +diff --git a/django/core/validators.py b/django/core/validators.py +index 2da0688..2dbd3bf 100644 +--- a/django/core/validators.py ++++ b/django/core/validators.py +@@ -102,6 +102,7 @@ class URLValidator(RegexValidator): + message = _('Enter a valid URL.') + schemes = ['http', 'https', 'ftp', 'ftps'] + unsafe_chars = frozenset('\t\r\n') ++ max_length = 2048 + + def __init__(self, schemes=None, **kwargs): + super().__init__(**kwargs) +@@ -109,7 +110,9 @@ class URLValidator(RegexValidator): + self.schemes = schemes + + def __call__(self, value): +- if isinstance(value, str) and self.unsafe_chars.intersection(value): ++ if not isinstance(value, str) or len(value) > self.max_length: ++ raise ValidationError(self.message, code=self.code) ++ if self.unsafe_chars.intersection(value): + raise ValidationError(self.message, code=self.code) + # Check if the scheme is valid. + scheme = value.split('://')[0].lower() +@@ -190,7 +193,9 @@ class EmailValidator: + self.domain_whitelist = whitelist + + def __call__(self, value): +- if not value or '@' not in value: ++ # The maximum length of an email is 320 characters per RFC 3696 ++ # section 3. ++ if not value or '@' not in value or len(value) > 320: + raise ValidationError(self.message, code=self.code) + + user_part, domain_part = value.rsplit('@', 1) +diff --git a/django/forms/fields.py b/django/forms/fields.py +index a977256..f939338 100644 +--- a/django/forms/fields.py ++++ b/django/forms/fields.py +@@ -542,6 +542,9 @@ class FileField(Field): + def __init__(self, *, max_length=None, allow_empty_file=False, **kwargs): + self.max_length = max_length + self.allow_empty_file = allow_empty_file ++ # The default maximum length of an email is 320 characters per RFC 3696 ++ # section 3. ++ kwargs.setdefault("max_length", 320) + super().__init__(**kwargs) + + def to_python(self, data): +diff --git a/docs/ref/forms/fields.txt b/docs/ref/forms/fields.txt +index 6f76d0d..3a888ef 100644 +--- a/docs/ref/forms/fields.txt ++++ b/docs/ref/forms/fields.txt +@@ -592,6 +592,10 @@ For each field, we describe the default widget used if you don't specify + Has two optional arguments for validation, ``max_length`` and ``min_length``. + If provided, these arguments ensure that the string is at most or at least the + given length. ++ ``empty_value`` which work just as they do for :class:`CharField`. The ++ ``max_length`` argument defaults to 320 (see :rfc:`3696#section-3`). ++ ++ The default value for ``max_length`` was changed to 320 characters. + + ``FileField`` + ------------- +diff --git a/docs/ref/validators.txt b/docs/ref/validators.txt +index 75d1394..4178a1f 100644 +--- a/docs/ref/validators.txt ++++ b/docs/ref/validators.txt +@@ -125,6 +125,11 @@ to, or in lieu of custom ``field.clean()`` methods. + :param code: If not ``None``, overrides :attr:`code`. + :param whitelist: If not ``None``, overrides :attr:`whitelist`. + ++ An :class:`EmailValidator` ensures that a value looks like an email, and ++ raises a :exc:`~django.core.exceptions.ValidationError` with ++ :attr:`message` and :attr:`code` if it doesn't. Values longer than 320 ++ characters are always considered invalid. ++ + .. attribute:: message + + The error message used by +@@ -145,13 +150,17 @@ to, or in lieu of custom ``field.clean()`` methods. + ``['localhost']``. Other domains that don't contain a dot won't pass + validation, so you'd need to whitelist them as necessary. + ++ In older versions, values longer than 320 characters could be ++ considered valid. ++ + ``URLValidator`` + ---------------- + + .. class:: URLValidator(schemes=None, regex=None, message=None, code=None) + + A :class:`RegexValidator` that ensures a value looks like a URL, and raises +- an error code of ``'invalid'`` if it doesn't. ++ an error code of ``'invalid'`` if it doesn't. Values longer than ++ :attr:`max_length` characters are always considered invalid. + + Loopback addresses and reserved IP spaces are considered valid. Literal + IPv6 addresses (:rfc:`3986#section-3.2.2`) and unicode domains are both +@@ -168,6 +177,14 @@ to, or in lieu of custom ``field.clean()`` methods. + + .. _valid URI schemes: https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml + ++ .. attribute:: max_length ++ ++ The maximum length of values that could be considered valid. Defaults ++ to 2048 characters. ++ ++ In older versions, values longer than 2048 characters could be ++ considered valid. ++ + ``validate_email`` + ------------------ + +diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt +index 854c6b0..ab4884b 100644 +--- a/docs/releases/2.2.28.txt ++++ b/docs/releases/2.2.28.txt +@@ -38,3 +38,12 @@ keep the old behavior, set ``allow_multiple_selected`` to ``True``. + + For more details on using the new attribute and handling of multiple files + through a single field, see :ref:`uploading_multiple_files`. ++ ++Backporting the CVE-2023-36053 fix on Django 2.2.28. ++ ++CVE-2023-36053: Potential regular expression denial of service vulnerability in ``EmailValidator``/``URLValidator`` ++=================================================================================================================== ++ ++``EmailValidator`` and ``URLValidator`` were subject to potential regular ++expression denial of service attack via a very large number of domain name ++labels of emails and URLs. +diff --git a/tests/forms_tests/field_tests/test_emailfield.py b/tests/forms_tests/field_tests/test_emailfield.py +index 826524a..fe5b644 100644 +--- a/tests/forms_tests/field_tests/test_emailfield.py ++++ b/tests/forms_tests/field_tests/test_emailfield.py +@@ -8,7 +8,10 @@ class EmailFieldTest(FormFieldAssertionsMixin, SimpleTestCase): + + def test_emailfield_1(self): + f = EmailField() +- self.assertWidgetRendersTo(f, '<input type="email" name="f" id="id_f" required>') ++ self.assertEqual(f.max_length, 320) ++ self.assertWidgetRendersTo( ++ f, '<input type="email" name="f" id="id_f" maxlength="320" required>' ++ ) + with self.assertRaisesMessage(ValidationError, "'This field is required.'"): + f.clean('') + with self.assertRaisesMessage(ValidationError, "'This field is required.'"): +diff --git a/tests/forms_tests/tests/test_forms.py b/tests/forms_tests/tests/test_forms.py +index d4e421d..8893f89 100644 +--- a/tests/forms_tests/tests/test_forms.py ++++ b/tests/forms_tests/tests/test_forms.py +@@ -422,11 +422,18 @@ class FormsTestCase(SimpleTestCase): + get_spam = BooleanField() + + f = SignupForm(auto_id=False) +- self.assertHTMLEqual(str(f['email']), '<input type="email" name="email" required>') ++ self.assertHTMLEqual( ++ str(f["email"]), ++ '<input type="email" name="email" maxlength="320" required>', ++ ) + self.assertHTMLEqual(str(f['get_spam']), '<input type="checkbox" name="get_spam" required>') + + f = SignupForm({'email': 'test@example.com', 'get_spam': True}, auto_id=False) +- self.assertHTMLEqual(str(f['email']), '<input type="email" name="email" value="test@example.com" required>') ++ self.assertHTMLEqual( ++ str(f["email"]), ++ '<input type="email" name="email" maxlength="320" value="test@example.com" ' ++ "required>", ++ ) + self.assertHTMLEqual( + str(f['get_spam']), + '<input checked type="checkbox" name="get_spam" required>', +@@ -2780,7 +2787,7 @@ Good luck picking a username that doesn't already exist.</p> + <option value="true">Yes</option> + <option value="false">No</option> + </select></li> +-<li><label for="id_email">Email:</label> <input type="email" name="email" id="id_email"></li> ++<li><label for="id_email">Email:</label> <input type="email" name="email" id="id_email" maxlength="320"></li> + <li class="required error"><ul class="errorlist"><li>This field is required.</li></ul> + <label class="required" for="id_age">Age:</label> <input type="number" name="age" id="id_age" required></li>""" + ) +@@ -2796,7 +2803,7 @@ Good luck picking a username that doesn't already exist.</p> + <option value="true">Yes</option> + <option value="false">No</option> + </select></p> +-<p><label for="id_email">Email:</label> <input type="email" name="email" id="id_email"></p> ++<p><label for="id_email">Email:</label> <input type="email" name="email" id="id_email" maxlength="320"></p> + <ul class="errorlist"><li>This field is required.</li></ul> + <p class="required error"><label class="required" for="id_age">Age:</label> + <input type="number" name="age" id="id_age" required></p>""" +@@ -2815,7 +2822,7 @@ Good luck picking a username that doesn't already exist.</p> + <option value="false">No</option> + </select></td></tr> + <tr><th><label for="id_email">Email:</label></th><td> +-<input type="email" name="email" id="id_email"></td></tr> ++<input type="email" name="email" id="id_email" maxlength="320"></td></tr> + <tr class="required error"><th><label class="required" for="id_age">Age:</label></th> + <td><ul class="errorlist"><li>This field is required.</li></ul> + <input type="number" name="age" id="id_age" required></td></tr>""" +@@ -3428,7 +3435,7 @@ Good luck picking a username that doesn't already exist.</p> + f = CommentForm(data, auto_id=False, error_class=DivErrorList) + self.assertHTMLEqual(f.as_p(), """<p>Name: <input type="text" name="name" maxlength="50"></p> + <div class="errorlist"><div class="error">Enter a valid email address.</div></div> +-<p>Email: <input type="email" name="email" value="invalid" required></p> ++<p>Email: <input type="email" name="email" value="invalid" maxlength="320" required></p> + <div class="errorlist"><div class="error">This field is required.</div></div> + <p>Comment: <input type="text" name="comment" required></p>""") + +diff --git a/tests/validators/tests.py b/tests/validators/tests.py +index 1f09fb5..8204f00 100644 +--- a/tests/validators/tests.py ++++ b/tests/validators/tests.py +@@ -58,6 +58,7 @@ TEST_DATA = [ + + (validate_email, 'example@atm.%s' % ('a' * 64), ValidationError), + (validate_email, 'example@%s.atm.%s' % ('b' * 64, 'a' * 63), ValidationError), ++ (validate_email, "example@%scom" % (("a" * 63 + ".") * 100), ValidationError), + (validate_email, None, ValidationError), + (validate_email, '', ValidationError), + (validate_email, 'abc', ValidationError), +@@ -242,6 +243,16 @@ TEST_DATA = [ + (URLValidator(EXTENDED_SCHEMES), 'git+ssh://git@github.com/example/hg-git.git', None), + + (URLValidator(EXTENDED_SCHEMES), 'git://-invalid.com', ValidationError), ++ ( ++ URLValidator(), ++ "http://example." + ("a" * 63 + ".") * 1000 + "com", ++ ValidationError, ++ ), ++ ( ++ URLValidator(), ++ "http://userid:password" + "d" * 2000 + "@example.aaaaaaaaaaaaa.com", ++ None, ++ ), + # Newlines and tabs are not accepted. + (URLValidator(), 'http://www.djangoproject.com/\n', ValidationError), + (URLValidator(), 'http://[::ffff:192.9.5.5]\n', ValidationError), +-- +2.40.0 diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2023-41164.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2023-41164.patch new file mode 100644 index 0000000000..9bc38b0cca --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django/CVE-2023-41164.patch @@ -0,0 +1,105 @@ +From 9c95e8fec62153f8dfcc45a70b8a68d74333a66f Mon Sep 17 00:00:00 2001 +From: Mariusz Felisiak <felisiak.mariusz@gmail.com> +Date: Tue, 26 Sep 2023 10:23:30 +0000 +Subject: [PATCH] Fixed CVE-2023-41164 -- Fixed potential DoS in + django.utils.encoding.uri_to_iri(). + +Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report. + +Co-authored-by: nessita <124304+nessita@users.noreply.github.com> + +CVE: CVE-2023-41164 + +Upstream-Status: Backport [https://github.com/django/django/commit/3f41d6d62929dfe53eda8109b3b836f26645bdce] + +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> +--- + django/utils/encoding.py | 6 ++++-- + docs/releases/2.2.28.txt | 9 +++++++++ + tests/utils_tests/test_encoding.py | 21 ++++++++++++++++++++- + 3 files changed, 33 insertions(+), 3 deletions(-) + +diff --git a/django/utils/encoding.py b/django/utils/encoding.py +index 98da647..3769702 100644 +--- a/django/utils/encoding.py ++++ b/django/utils/encoding.py +@@ -225,6 +225,7 @@ def repercent_broken_unicode(path): + repercent-encode any octet produced that is not part of a strictly legal + UTF-8 octet sequence. + """ ++ changed_parts = [] + while True: + try: + path.decode() +@@ -232,9 +233,10 @@ def repercent_broken_unicode(path): + # CVE-2019-14235: A recursion shouldn't be used since the exception + # handling uses massive amounts of memory + repercent = quote(path[e.start:e.end], safe=b"/#%[]=:;$&()+,!?*@'~") +- path = path[:e.start] + force_bytes(repercent) + path[e.end:] ++ changed_parts.append(path[: e.start] + repercent.encode()) ++ path = path[e.end :] + else: +- return path ++ return b"".join(changed_parts) + path + + + def filepath_to_uri(path): +diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt +index ab4884b..40eb230 100644 +--- a/docs/releases/2.2.28.txt ++++ b/docs/releases/2.2.28.txt +@@ -47,3 +47,12 @@ CVE-2023-36053: Potential regular expression denial of service vulnerability in + ``EmailValidator`` and ``URLValidator`` were subject to potential regular + expression denial of service attack via a very large number of domain name + labels of emails and URLs. ++ ++Backporting the CVE-2023-41164 fix on Django 2.2.28. ++ ++CVE-2023-41164: Potential denial of service vulnerability in ``django.utils.encoding.uri_to_iri()`` ++=================================================================================================== ++ ++``django.utils.encoding.uri_to_iri()`` was subject to potential denial of ++service attack via certain inputs with a very large number of Unicode ++characters. +diff --git a/tests/utils_tests/test_encoding.py b/tests/utils_tests/test_encoding.py +index ea7ba5f..93a3162 100644 +--- a/tests/utils_tests/test_encoding.py ++++ b/tests/utils_tests/test_encoding.py +@@ -1,8 +1,9 @@ + import datetime ++import inspect + import sys + import unittest + from unittest import mock +-from urllib.parse import quote_plus ++from urllib.parse import quote, quote_plus + + from django.test import SimpleTestCase + from django.utils.encoding import ( +@@ -100,6 +101,24 @@ class TestEncodingUtils(SimpleTestCase): + except RecursionError: + self.fail('Unexpected RecursionError raised.') + ++ def test_repercent_broken_unicode_small_fragments(self): ++ data = b"test\xfctest\xfctest\xfc" ++ decoded_paths = [] ++ ++ def mock_quote(*args, **kwargs): ++ # The second frame is the call to repercent_broken_unicode(). ++ decoded_paths.append(inspect.currentframe().f_back.f_locals["path"]) ++ return quote(*args, **kwargs) ++ ++ with mock.patch("django.utils.encoding.quote", mock_quote): ++ self.assertEqual(repercent_broken_unicode(data), b"test%FCtest%FCtest%FC") ++ ++ # decode() is called on smaller fragment of the path each time. ++ self.assertEqual( ++ decoded_paths, ++ [b"test\xfctest\xfctest\xfc", b"test\xfctest\xfc", b"test\xfc"], ++ ) ++ + + class TestRFC3987IEncodingUtils(unittest.TestCase): + +-- +2.40.0 diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2023-43665.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2023-43665.patch new file mode 100644 index 0000000000..dbfb9b68a8 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django/CVE-2023-43665.patch @@ -0,0 +1,199 @@ +From b269a0063e9b10a6c88c92b24d1b92c7421950de Mon Sep 17 00:00:00 2001 +From: Natalia <124304+nessita@users.noreply.github.com> +Date: Wed, 29 Nov 2023 12:20:01 +0000 +Subject: [PATCH 1/2] Fixed CVE-2023-43665 -- Mitigated potential DoS in + django.utils.text.Truncator when truncating HTML text. + +Thanks Wenchao Li of Alibaba Group for the report. + +CVE: CVE-2023-43665 + +Upstream-Status: Backport [https://github.com/django/django/commit/ccdade1a0262537868d7ca64374de3d957ca50c5] + +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> +--- + django/utils/text.py | 18 ++++++++++++++++- + docs/ref/templates/builtins.txt | 20 +++++++++++++++++++ + docs/releases/2.2.28.txt | 20 +++++++++++++++++++ + tests/utils_tests/test_text.py | 35 ++++++++++++++++++++++++--------- + 4 files changed, 83 insertions(+), 10 deletions(-) + +diff --git a/django/utils/text.py b/django/utils/text.py +index 1fae7b2..06a377b 100644 +--- a/django/utils/text.py ++++ b/django/utils/text.py +@@ -57,7 +57,14 @@ def wrap(text, width): + class Truncator(SimpleLazyObject): + """ + An object used to truncate text, either by characters or words. ++ ++ When truncating HTML text (either chars or words), input will be limited to ++ at most `MAX_LENGTH_HTML` characters. + """ ++ ++ # 5 million characters are approximately 4000 text pages or 3 web pages. ++ MAX_LENGTH_HTML = 5_000_000 ++ + def __init__(self, text): + super().__init__(lambda: str(text)) + +@@ -154,6 +161,11 @@ class Truncator(SimpleLazyObject): + if words and length <= 0: + return '' + ++ size_limited = False ++ if len(text) > self.MAX_LENGTH_HTML: ++ text = text[: self.MAX_LENGTH_HTML] ++ size_limited = True ++ + html4_singlets = ( + 'br', 'col', 'link', 'base', 'img', + 'param', 'area', 'hr', 'input' +@@ -203,10 +215,14 @@ class Truncator(SimpleLazyObject): + # Add it to the start of the open tags list + open_tags.insert(0, tagname) + ++ truncate_text = self.add_truncation_text("", truncate) ++ + if current_len <= length: ++ if size_limited and truncate_text: ++ text += truncate_text + return text ++ + out = text[:end_text_pos] +- truncate_text = self.add_truncation_text('', truncate) + if truncate_text: + out += truncate_text + # Close any tags still open +diff --git a/docs/ref/templates/builtins.txt b/docs/ref/templates/builtins.txt +index c4b0fa3..4faab38 100644 +--- a/docs/ref/templates/builtins.txt ++++ b/docs/ref/templates/builtins.txt +@@ -2318,6 +2318,16 @@ If ``value`` is ``"<p>Joel is a slug</p>"``, the output will be + + Newlines in the HTML content will be preserved. + ++.. admonition:: Size of input string ++ ++ Processing large, potentially malformed HTML strings can be ++ resource-intensive and impact service performance. ``truncatechars_html`` ++ limits input to the first five million characters. ++ ++.. versionchanged:: 2.2.28 ++ ++ In older versions, strings over five million characters were processed. ++ + .. templatefilter:: truncatewords + + ``truncatewords`` +@@ -2356,6 +2366,16 @@ If ``value`` is ``"<p>Joel is a slug</p>"``, the output will be + + Newlines in the HTML content will be preserved. + ++.. admonition:: Size of input string ++ ++ Processing large, potentially malformed HTML strings can be ++ resource-intensive and impact service performance. ``truncatewords_html`` ++ limits input to the first five million characters. ++ ++.. versionchanged:: 2.2.28 ++ ++ In older versions, strings over five million characters were processed. ++ + .. templatefilter:: unordered_list + + ``unordered_list`` +diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt +index 40eb230..6a38e9c 100644 +--- a/docs/releases/2.2.28.txt ++++ b/docs/releases/2.2.28.txt +@@ -56,3 +56,23 @@ CVE-2023-41164: Potential denial of service vulnerability in ``django.utils.enco + ``django.utils.encoding.uri_to_iri()`` was subject to potential denial of + service attack via certain inputs with a very large number of Unicode + characters. ++ ++Backporting the CVE-2023-43665 fix on Django 2.2.28. ++ ++CVE-2023-43665: Denial-of-service possibility in ``django.utils.text.Truncator`` ++================================================================================ ++ ++Following the fix for :cve:`2019-14232`, the regular expressions used in the ++implementation of ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` ++methods (with ``html=True``) were revised and improved. However, these regular ++expressions still exhibited linear backtracking complexity, so when given a ++very long, potentially malformed HTML input, the evaluation would still be ++slow, leading to a potential denial of service vulnerability. ++ ++The ``chars()`` and ``words()`` methods are used to implement the ++:tfilter:`truncatechars_html` and :tfilter:`truncatewords_html` template ++filters, which were thus also vulnerable. ++ ++The input processed by ``Truncator``, when operating in HTML mode, has been ++limited to the first five million characters in order to avoid potential ++performance and memory issues. +diff --git a/tests/utils_tests/test_text.py b/tests/utils_tests/test_text.py +index 27e440b..cb3063d 100644 +--- a/tests/utils_tests/test_text.py ++++ b/tests/utils_tests/test_text.py +@@ -1,5 +1,6 @@ + import json + import sys ++from unittest.mock import patch + + from django.core.exceptions import SuspiciousFileOperation + from django.test import SimpleTestCase +@@ -87,11 +88,17 @@ class TestUtilsText(SimpleTestCase): + # lazy strings are handled correctly + self.assertEqual(text.Truncator(lazystr('The quick brown fox')).chars(10), 'The quick…') + +- def test_truncate_chars_html(self): ++ @patch("django.utils.text.Truncator.MAX_LENGTH_HTML", 10_000) ++ def test_truncate_chars_html_size_limit(self): ++ max_len = text.Truncator.MAX_LENGTH_HTML ++ bigger_len = text.Truncator.MAX_LENGTH_HTML + 1 ++ valid_html = "<p>Joel is a slug</p>" # 14 chars + perf_test_values = [ +- (('</a' + '\t' * 50000) + '//>', None), +- ('&' * 50000, '&' * 9 + '…'), +- ('_X<<<<<<<<<<<>', None), ++ ("</a" + "\t" * (max_len - 6) + "//>", None), ++ ("</p" + "\t" * bigger_len + "//>", "</p" + "\t" * 6 + "…"), ++ ("&" * bigger_len, "&" * 9 + "…"), ++ ("_X<<<<<<<<<<<>", None), ++ (valid_html * bigger_len, "<p>Joel is a…</p>"), # 10 chars + ] + for value, expected in perf_test_values: + with self.subTest(value=value): +@@ -149,15 +156,25 @@ class TestUtilsText(SimpleTestCase): + truncator = text.Truncator('<p>I <3 python, what about you?</p>') + self.assertEqual('<p>I <3 python,…</p>', truncator.words(3, html=True)) + ++ @patch("django.utils.text.Truncator.MAX_LENGTH_HTML", 10_000) ++ def test_truncate_words_html_size_limit(self): ++ max_len = text.Truncator.MAX_LENGTH_HTML ++ bigger_len = text.Truncator.MAX_LENGTH_HTML + 1 ++ valid_html = "<p>Joel is a slug</p>" # 4 words + perf_test_values = [ +- ('</a' + '\t' * 50000) + '//>', +- '&' * 50000, +- '_X<<<<<<<<<<<>', ++ ("</a" + "\t" * (max_len - 6) + "//>", None), ++ ("</p" + "\t" * bigger_len + "//>", "</p" + "\t" * (max_len - 3) + "…"), ++ ("&" * max_len, None), # no change ++ ("&" * bigger_len, "&" * max_len + "…"), ++ ("_X<<<<<<<<<<<>", None), ++ (valid_html * bigger_len, valid_html * 12 + "<p>Joel is…</p>"), # 50 words + ] +- for value in perf_test_values: ++ for value, expected in perf_test_values: + with self.subTest(value=value): + truncator = text.Truncator(value) +- self.assertEqual(value, truncator.words(50, html=True)) ++ self.assertEqual( ++ expected if expected else value, truncator.words(50, html=True) ++ ) + + def test_wrap(self): + digits = '1234 67 9' +-- +2.40.0 diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2023-46695.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2023-46695.patch new file mode 100644 index 0000000000..b7dda41f8f --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django/CVE-2023-46695.patch @@ -0,0 +1,90 @@ +From 32bc7fa517be1d50239827520cc13f3112d3d748 Mon Sep 17 00:00:00 2001 +From: Mariusz Felisiak <felisiak.mariusz@gmail.com> +Date: Wed, 29 Nov 2023 12:49:41 +0000 +Subject: [PATCH 2/2] Fixed CVE-2023-46695 -- Fixed potential DoS in + UsernameField on Windows. + +Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report. + +CVE: CVE-2023-46695 + +Upstream-Status: Backport [https://github.com/django/django/commit/f9a7fb8466a7ba4857eaf930099b5258f3eafb2b] + +Signed-off-by: Narpat Mali <narpat.mali@windriver.com> +--- + django/contrib/auth/forms.py | 10 +++++++++- + docs/releases/2.2.28.txt | 14 ++++++++++++++ + tests/auth_tests/test_forms.py | 8 +++++++- + 3 files changed, 30 insertions(+), 2 deletions(-) + +diff --git a/django/contrib/auth/forms.py b/django/contrib/auth/forms.py +index e6f73fe..26d3ca7 100644 +--- a/django/contrib/auth/forms.py ++++ b/django/contrib/auth/forms.py +@@ -68,7 +68,15 @@ class ReadOnlyPasswordHashField(forms.Field): + + class UsernameField(forms.CharField): + def to_python(self, value): +- return unicodedata.normalize('NFKC', super().to_python(value)) ++ value = super().to_python(value) ++ if self.max_length is not None and len(value) > self.max_length: ++ # Normalization can increase the string length (e.g. ++ # "ff" -> "ff", "½" -> "1⁄2") but cannot reduce it, so there is no ++ # point in normalizing invalid data. Moreover, Unicode ++ # normalization is very slow on Windows and can be a DoS attack ++ # vector. ++ return value ++ return unicodedata.normalize("NFKC", value) + + + class UserCreationForm(forms.ModelForm): +diff --git a/docs/releases/2.2.28.txt b/docs/releases/2.2.28.txt +index 6a38e9c..c653cb6 100644 +--- a/docs/releases/2.2.28.txt ++++ b/docs/releases/2.2.28.txt +@@ -76,3 +76,17 @@ filters, which were thus also vulnerable. + The input processed by ``Truncator``, when operating in HTML mode, has been + limited to the first five million characters in order to avoid potential + performance and memory issues. ++ ++Backporting the CVE-2023-46695 fix on Django 2.2.28. ++ ++CVE-2023-46695: Potential denial of service vulnerability in ``UsernameField`` on Windows ++========================================================================================= ++ ++The :func:`NFKC normalization <python:unicodedata.normalize>` is slow on ++Windows. As a consequence, ``django.contrib.auth.forms.UsernameField`` was ++subject to a potential denial of service attack via certain inputs with a very ++large number of Unicode characters. ++ ++In order to avoid the vulnerability, invalid values longer than ++``UsernameField.max_length`` are no longer normalized, since they cannot pass ++validation anyway. +diff --git a/tests/auth_tests/test_forms.py b/tests/auth_tests/test_forms.py +index bed23af..e73d4b8 100644 +--- a/tests/auth_tests/test_forms.py ++++ b/tests/auth_tests/test_forms.py +@@ -6,7 +6,7 @@ from django import forms + from django.contrib.auth.forms import ( + AdminPasswordChangeForm, AuthenticationForm, PasswordChangeForm, + PasswordResetForm, ReadOnlyPasswordHashField, ReadOnlyPasswordHashWidget, +- SetPasswordForm, UserChangeForm, UserCreationForm, ++ SetPasswordForm, UserChangeForm, UserCreationForm, UsernameField, + ) + from django.contrib.auth.models import User + from django.contrib.auth.signals import user_login_failed +@@ -132,6 +132,12 @@ class UserCreationFormTest(TestDataMixin, TestCase): + self.assertNotEqual(user.username, ohm_username) + self.assertEqual(user.username, 'testΩ') # U+03A9 GREEK CAPITAL LETTER OMEGA + ++ def test_invalid_username_no_normalize(self): ++ field = UsernameField(max_length=254) ++ # Usernames are not normalized if they are too long. ++ self.assertEqual(field.to_python("½" * 255), "½" * 255) ++ self.assertEqual(field.to_python("ff" * 254), "ff" * 254) ++ + def test_duplicate_normalized_unicode(self): + """ + To prevent almost identical usernames, visually identical but differing +-- +2.40.0 diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2024-24680.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2024-24680.patch new file mode 100644 index 0000000000..aec67453ae --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django/CVE-2024-24680.patch @@ -0,0 +1,48 @@ +From 572ea07e84b38ea8de0551f4b4eda685d91d09d2 +From: Adam Johnson <me@adamj.eu> +Date: Mon Jan 22 13:21:13 2024 +0000 +Subject: [PATCH] Fixed CVE-2024-24680 -- Mitigated potential DoS in intcomma + template filter + +Thanks Seokchan Yoon for the report. + +Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com> +Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> +Co-authored-by: Shai Berger <shai@platonix.com> + +CVE: CVE-2024-24680 + +Upstream-Status: Backport [https://github.com/django/django/commit/572ea07e84b38ea8de0551f4b4eda685d91d09d2] + +Signed-off-by: Rahul Janani Pandi <RahulJanani.Pandi@windriver.com> +--- + django/contrib/humanize/templatetags/humanize.py | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/django/contrib/humanize/templatetags/humanize.py b/django/contrib/humanize/templatetags/humanize.py +index 194c7e8..ee22a45 100644 +--- a/django/contrib/humanize/templatetags/humanize.py ++++ b/django/contrib/humanize/templatetags/humanize.py +@@ -71,13 +71,14 @@ def intcomma(value, use_l10n=True): + return intcomma(value, False) + else: + return number_format(value, force_grouping=True) +- orig = str(value) +- new = re.sub(r"^(-?\d+)(\d{3})", r'\g<1>,\g<2>', orig) +- if orig == new: +- return new +- else: +- return intcomma(new, use_l10n) + ++ result = str(value) ++ match = re.match(r"-?\d+", result) ++ if match: ++ prefix = match[0] ++ prefix_with_commas = re.sub(r"\d{3}", r"\g<0>,", prefix[::-1])[::-1] ++ result = prefix_with_commas + result[len(prefix) :] ++ return result + + # A tuple of standard large number to their converters + intword_converters = ( +-- +2.40.0 diff --git a/meta-python/recipes-devtools/python/python3-django/CVE-2024-42005.patch b/meta-python/recipes-devtools/python/python3-django/CVE-2024-42005.patch new file mode 100644 index 0000000000..e6b58fca79 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-django/CVE-2024-42005.patch @@ -0,0 +1,84 @@ +From f4af67b9b41e0f4c117a8741da3abbd1c869ab28 Mon Sep 17 00:00:00 2001 +From: Simon Charette <charette.s@gmail.com> +Date: Thu, 25 Jul 2024 18:19:13 +0200 +Subject: [PATCH] Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL + injection attacks against JSON fields. + +Thanks Eyal (eyalgabay) for the report. + +CVE: CVE-2024-42005 + +Upstream-Status: Backport [https://github.com/django/django/commit/f4af67b9b41e0f4c117a8741da3abbd1c869ab28] + +Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> +--- + django/db/models/sql/query.py | 2 ++ + tests/expressions/models.py | 7 +++++++ + tests/expressions/test_queryset_values.py | 17 +++++++++++++++-- + 3 files changed, 24 insertions(+), 2 deletions(-) + +diff --git a/django/db/models/sql/query.py b/django/db/models/sql/query.py +index 1e823cf..9b054bd 100644 +--- a/django/db/models/sql/query.py ++++ b/django/db/models/sql/query.py +@@ -2019,6 +2019,8 @@ class Query: + self.clear_select_fields() + + if fields: ++ for field in fields: ++ self.check_alias(field) + field_names = [] + extra_names = [] + annotation_names = [] +diff --git a/tests/expressions/models.py b/tests/expressions/models.py +index 33f7850..fb80938 100644 +--- a/tests/expressions/models.py ++++ b/tests/expressions/models.py +@@ -97,3 +97,10 @@ class UUID(models.Model): + + def __str__(self): + return "%s" % self.uuid ++ ++ ++class JSONFieldModel(models.Model): ++ data = models.JSONField(null=True) ++ ++ class Meta: ++ required_db_features = {"supports_json_field"} +diff --git a/tests/expressions/test_queryset_values.py b/tests/expressions/test_queryset_values.py +index 0804531..bd52b8e 100644 +--- a/tests/expressions/test_queryset_values.py ++++ b/tests/expressions/test_queryset_values.py +@@ -1,8 +1,8 @@ + from django.db.models.aggregates import Sum + from django.db.models.expressions import F +-from django.test import TestCase ++from django.test import TestCase, skipUnlessDBFeature + +-from .models import Company, Employee ++from .models import Company, Employee, JSONFieldModel + + + class ValuesExpressionsTests(TestCase): +@@ -36,6 +36,19 @@ class ValuesExpressionsTests(TestCase): + with self.assertRaisesMessage(ValueError, msg): + Company.objects.values(**{crafted_alias: F("ceo__salary")}) + ++ @skipUnlessDBFeature("supports_json_field") ++ def test_values_expression_alias_sql_injection_json_field(self): ++ crafted_alias = """injected_name" from "expressions_company"; --""" ++ msg = ( ++ "Column aliases cannot contain whitespace characters, quotation marks, " ++ "semicolons, or SQL comments." ++ ) ++ with self.assertRaisesMessage(ValueError, msg): ++ JSONFieldModel.objects.values(f"data__{crafted_alias}") ++ ++ with self.assertRaisesMessage(ValueError, msg): ++ JSONFieldModel.objects.values_list(f"data__{crafted_alias}") ++ + def test_values_expression_group_by(self): + # values() applies annotate() first, so values selected are grouped by + # id, not firstname. +-- +2.40.0 |