authorMariusz Felisiak <felisiak.mariusz@gmail.com>2023-08-22 08:53:03 +0200
committerMariusz Felisiak <felisiak.mariusz@gmail.com>2023-09-04 12:23:18 +0200
commit6f030b1149bd8fa4ba90452e77cb3edc095ce54e (patch)
tree17b06fe9cf59fcdd6f0f322eb0ab01a84eda4133 /django/utils/encoding.py
parent73350a63698199c9f1269647722ea96c7f9a8aa0 (diff)
[3.2.x] Fixed CVE-2023-41164 -- Fixed potential DoS in django.utils.encoding.uri_to_iri().
Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report. Co-authored-by: nessita <124304+nessita@users.noreply.github.com>
Diffstat (limited to 'django/utils/encoding.py')
-rw-r--r--django/utils/encoding.py6
1 files changed, 4 insertions, 2 deletions
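--- a/django/utils/encoding.py
+++ b/django/utils/encoding.py
@@ -229,6 +229,7 @@ def repercent_broken_unicode(path):
 repercent-encode any octet produced that is not part of a strictly legal
 UTF-8 octet sequence.
 """
+changed_parts = []
 while True:
 try:
 path.decode()
@@ -236,9 +237,10 @@ def repercent_broken_unicode(path):
 # CVE-2019-14235: A recursion shouldn't be used since the exception
 # handling uses massive amounts of memory
 repercent = quote(path[e.start:e.end], safe=b"/#%[]=:;$&()+,!?*@'~")
-path = path[:e.start] + repercent.encode() + path[e.end:]
+changed_parts.append(path[:e.start] + repercent.encode())
+path = path[e.end:]
 else:
-return b"".join(changed_parts) + path
+return b"".join(changed_parts) + path
 def filepath_to_uri(path):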
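Review bot: The rationale for `path = path[e.end:]` in the second hunk is not recorded next to the code, whereas the neighbouring comment does record the CVE-2019-14235 reasoning, so a later "simplification" back to the removed `path = path[:e.start] + repercent.encode() + path[e.end:]` would quietly reintroduce the full-path rebuild and restart-from-offset-zero decode on every invalid sequence that this commit removes. I would extend the existing comment above the `quote()` call with `# CVE-2023-41164: keep the already-processed prefix in changed_parts and only re-decode the remaining suffix, so input with many invalid octets is handled without re-copying and re-scanning the whole path each round.` The `changed_parts = []` accumulator added in the first hunk is what that comment refers to, so the note covers both hunks. The enclosing function's signature and the start of its docstring lie above the first hunk.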