101 lines
4.3 KiB
Diff
101 lines
4.3 KiB
Diff
|
From 80353a42e41fd22933184a30f2e2c04d0c274c83 Mon Sep 17 00:00:00 2001
|
|||
|
|
From: starlet-dx <15929766099@163.com>
|
|||
|
|
Date: Mon, 13 Feb 2023 19:31:46 +0800
|
|||
|
|
Subject: [PATCH 1/1] [3.2.x] Fixed CVE-2023-23969 -- Prevented DoS with pathological values for Accept-Language.
|
|||
|
|
|
|||
|
|
The parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very large.
|
|||
|
|
|
|||
|
|
Accept-Language headers are now limited to a maximum length in order to avoid this issue.
|
|||
|
|
---
|
|||
|
|
django/utils/translation/trans_real.py | 32 +++++++++++++++++++++++++-
|
|||
|
|
tests/i18n/tests.py | 12 ++++++++++
|
|||
|
|
2 files changed, 43 insertions(+), 1 deletion(-)
|
|||
|
|
|
|||
|
|
diff --git a/django/utils/translation/trans_real.py b/django/utils/translation/trans_real.py
|
|||
|
|
index 8042f6f..b262a50 100644
|
|||
|
|
--- a/django/utils/translation/trans_real.py
|
|||
|
|
+++ b/django/utils/translation/trans_real.py
|
|||
|
|
@@ -30,6 +30,11 @@ _default = None
|
|||
|
|
# magic gettext number to separate context from message
|
|||
|
|
CONTEXT_SEPARATOR = "\x04"
|
|||
|
|
|
|||
|
|
+# Maximum number of characters that will be parsed from the Accept-Language
|
|||
|
|
+# header to prevent possible denial of service or memory exhaustion attacks.
|
|||
|
|
+# About 10x longer than the longest value shown on MDN’s Accept-Language page.
|
|||
|
|
+ACCEPT_LANGUAGE_HEADER_MAX_LENGTH = 500
|
|||
|
|
+
|
|||
|
|
# Format of Accept-Language header values. From RFC 2616, section 14.4 and 3.9
|
|||
|
|
# and RFC 3066, section 2.1
|
|||
|
|
accept_language_re = _lazy_re_compile(r'''
|
|||
|
|
@@ -556,7 +561,7 @@ def get_language_from_request(request, check_path=False):
|
|||
|
|
|
|||
|
|
|
|||
|
|
@functools.lru_cache(maxsize=1000)
|
|||
|
|
-def parse_accept_lang_header(lang_string):
|
|||
|
|
+def _parse_accept_lang_header(lang_string):
|
|||
|
|
"""
|
|||
|
|
Parse the lang_string, which is the body of an HTTP Accept-Language
|
|||
|
|
header, and return a tuple of (lang, q-value), ordered by 'q' values.
|
|||
|
|
@@ -578,3 +583,28 @@ def parse_accept_lang_header(lang_string):
|
|||
|
|
result.append((lang, priority))
|
|||
|
|
result.sort(key=lambda k: k[1], reverse=True)
|
|||
|
|
return tuple(result)
|
|||
|
|
+
|
|||
|
|
+
|
|||
|
|
+def parse_accept_lang_header(lang_string):
|
|||
|
|
+ """
|
|||
|
|
+ Parse the value of the Accept-Language header up to a maximum length.
|
|||
|
|
+
|
|||
|
|
+ The value of the header is truncated to a maximum length to avoid potential
|
|||
|
|
+ denial of service and memory exhaustion attacks. Excessive memory could be
|
|||
|
|
+ used if the raw value is very large as it would be cached due to the use of
|
|||
|
|
+ functools.lru_cache() to avoid repetitive parsing of common header values.
|
|||
|
|
+ """
|
|||
|
|
+ # If the header value doesn't exceed the maximum allowed length, parse it.
|
|||
|
|
+ if len(lang_string) <= ACCEPT_LANGUAGE_HEADER_MAX_LENGTH:
|
|||
|
|
+ return _parse_accept_lang_header(lang_string)
|
|||
|
|
+
|
|||
|
|
+ # If there is at least one comma in the value, parse up to the last comma
|
|||
|
|
+ # before the max length, skipping any truncated parts at the end of the
|
|||
|
|
+ # header value.
|
|||
|
|
+ index = lang_string.rfind(",", 0, ACCEPT_LANGUAGE_HEADER_MAX_LENGTH)
|
|||
|
|
+ if index > 0:
|
|||
|
|
+ return _parse_accept_lang_header(lang_string[:index])
|
|||
|
|
+
|
|||
|
|
+ # Don't attempt to parse if there is only one language-range value which is
|
|||
|
|
+ # longer than the maximum allowed length and so truncated.
|
|||
|
|
+ return ()
|
|||
|
|
diff --git a/tests/i18n/tests.py b/tests/i18n/tests.py
|
|||
|
|
index 7edceb1..f379f8f 100644
|
|||
|
|
--- a/tests/i18n/tests.py
|
|||
|
|
+++ b/tests/i18n/tests.py
|
|||
|
|
@@ -1352,6 +1352,14 @@ class MiscTests(SimpleTestCase):
|
|||
|
|
('de;q=0.', [('de', 0.0)]),
|
|||
|
|
('en; q=1,', [('en', 1.0)]),
|
|||
|
|
('en; q=1.0, * ; q=0.5', [('en', 1.0), ('*', 0.5)]),
|
|||
|
|
+ (
|
|||
|
|
+ 'en' + '-x' * 20,
|
|||
|
|
+ [('en-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x', 1.0)],
|
|||
|
|
+ ),
|
|||
|
|
+ (
|
|||
|
|
+ ', '.join(['en; q=1.0'] * 20),
|
|||
|
|
+ [('en', 1.0)] * 20,
|
|||
|
|
+ ),
|
|||
|
|
# Bad headers
|
|||
|
|
('en-gb;q=1.0000', []),
|
|||
|
|
('en;q=0.1234', []),
|
|||
|
|
@@ -1367,6 +1375,10 @@ class MiscTests(SimpleTestCase):
|
|||
|
|
('12-345', []),
|
|||
|
|
('', []),
|
|||
|
|
('en;q=1e0', []),
|
|||
|
|
+ # Invalid as language-range value too long.
|
|||
|
|
+ ('xxxxxxxx' + '-xxxxxxxx' * 500, []),
|
|||
|
|
+ # Header value too long, only parse up to limit.
|
|||
|
|
+ (', '.join(['en; q=1.0'] * 500), [('en', 1.0)] * 45),
|
|||
|
|
]
|
|||
|
|
for value, expected in tests:
|
|||
|
|
with self.subTest(value=value):
|
|||
|
|
--
|
|||
|
|
2.30.0
|
|||
|
|
|