From ba00bc5ec6a7eff5e08be438f7b5b0e9574e8ff0 Mon Sep 17 00:00:00 2001 From: Mariusz Felisiak Date: Tue, 22 Aug 2023 08:53:03 +0200 Subject: [4.1.x] Fixed CVE-2023-41164 -- Fixed potential DoS in django.utils.encoding.uri_to_iri(). Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report. Co-authored-by: nessita <124304+nessita@users.noreply.github.com> --- django/utils/encoding.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'django/utils/encoding.py') diff --git a/django/utils/encoding.py b/django/utils/encoding.py index 360eb91ed5..5eb14d0933 100644 --- a/django/utils/encoding.py +++ b/django/utils/encoding.py @@ -220,6 +220,7 @@ def repercent_broken_unicode(path): repercent-encode any octet produced that is not part of a strictly legal UTF-8 octet sequence. """ + changed_parts = [] while True: try: path.decode() @@ -227,9 +228,10 @@ def repercent_broken_unicode(path): # CVE-2019-14235: A recursion shouldn't be used since the exception # handling uses massive amounts of memory repercent = quote(path[e.start : e.end], safe=b"/#%[]=:;$&()+,!?*@'~") - path = path[: e.start] + repercent.encode() + path[e.end :] + changed_parts.append(path[: e.start] + repercent.encode()) + path = path[e.end :] else: - return path + return b"".join(changed_parts) + path def filepath_to_uri(path): -- cgit v1.3