diff options
| author | Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> | 2024-06-26 12:11:54 +0200 |
|---|---|---|
| committer | Natalia <124304+nessita@users.noreply.github.com> | 2024-07-09 09:21:19 -0300 |
| commit | 9e9792228a6bb5d6402a5d645bc3be4cf364aefb (patch) | |
| tree | ea41fef55606e996dac4bd488fce2afe9df99a09 /django/utils | |
| parent | fe4a0bbe2088d0c2b331216dad21ccd0bb3ee80d (diff) | |
Fixed CVE-2024-39614 -- Mitigated potential DoS in get_supported_language_variant().
Language codes are now parsed with a maximum length limit of 500 chars.
Thanks to MProgrammer for the report.
Diffstat (limited to 'django/utils')
| -rw-r--r-- | django/utils/translation/trans_real.py | 25 |
1 files changed, 20 insertions, 5 deletions
diff --git a/django/utils/translation/trans_real.py b/django/utils/translation/trans_real.py index a629528717..4439fdad3f 100644 --- a/django/utils/translation/trans_real.py +++ b/django/utils/translation/trans_real.py @@ -32,9 +32,10 @@ _default = None CONTEXT_SEPARATOR = "\x04" # Maximum number of characters that will be parsed from the Accept-Language -# header to prevent possible denial of service or memory exhaustion attacks. -# About 10x longer than the longest value shown on MDN’s Accept-Language page. -ACCEPT_LANGUAGE_HEADER_MAX_LENGTH = 500 +# header or cookie to prevent possible denial of service or memory exhaustion +# attacks. About 10x longer than the longest value shown on MDN’s +# Accept-Language page. +LANGUAGE_CODE_MAX_LENGTH = 500 # Format of Accept-Language header values. From RFC 9110 Sections 12.4.2 and # 12.5.4, and RFC 5646 Section 2.1. @@ -498,11 +499,25 @@ def get_supported_language_variant(lang_code, strict=False): If `strict` is False (the default), look for a country-specific variant when neither the language code nor its generic variant is found. + The language code is truncated to a maximum length to avoid potential + denial of service attacks. + lru_cache should have a maxsize to prevent from memory exhaustion attacks, as the provided language codes are taken from the HTTP request. See also <https://www.djangoproject.com/weblog/2007/oct/26/security-fix/>. """ if lang_code: + # Truncate the language code to a maximum length to avoid potential + # denial of service attacks. + if len(lang_code) > LANGUAGE_CODE_MAX_LENGTH: + if ( + not strict + and (index := lang_code.rfind("-", 0, LANGUAGE_CODE_MAX_LENGTH)) > 0 + ): + # There is a generic variant under the maximum length accepted length. + lang_code = lang_code[:index] + else: + raise ValueError("'lang_code' exceeds the maximum accepted length") # If 'zh-hant-tw' is not supported, try special fallback or subsequent # language codes i.e. 'zh-hant' and 'zh'. possible_lang_codes = [lang_code] @@ -626,13 +641,13 @@ def parse_accept_lang_header(lang_string): functools.lru_cache() to avoid repetitive parsing of common header values. """ # If the header value doesn't exceed the maximum allowed length, parse it. - if len(lang_string) <= ACCEPT_LANGUAGE_HEADER_MAX_LENGTH: + if len(lang_string) <= LANGUAGE_CODE_MAX_LENGTH: return _parse_accept_lang_header(lang_string) # If there is at least one comma in the value, parse up to the last comma # before the max length, skipping any truncated parts at the end of the # header value. - if (index := lang_string.rfind(",", 0, ACCEPT_LANGUAGE_HEADER_MAX_LENGTH)) > 0: + if (index := lang_string.rfind(",", 0, LANGUAGE_CODE_MAX_LENGTH)) > 0: return _parse_accept_lang_header(lang_string[:index]) # Don't attempt to parse if there is only one language-range value which is |