[1.11.x] Fixed CVE-2019-14235 -- Fixed potential memory exhaustion in django.utils.encoding.uri_to_iri().

Thanks to Guido Vranken for initial report.
author: Florian Apolloner <florian@apolloner.eu> 2019-07-19 17:04:53 +0200
committer: Carlton Gibson <carlton.gibson@noumenal.es> 2019-07-31 21:29:17 +0200
commit: 869b34e9b3be3a4cfcb3a145f218ffd3f5e3fd79 (patch)
tree: dbadabbbb01d7b0526b1f802be11842f863e3c25 /django
parent: ed682a24fca774818542757651bfba576c3fc3ef (diff)
1 files changed, 10 insertions, 7 deletions
diff --git a/django/utils/encoding.py b/django/utils/encoding.py
index 999ffae19a..a29ef2be58 100644
--- a/django/utils/encoding.py
+++ b/django/utils/encoding.py
@@ -237,13 +237,16 @@ def repercent_broken_unicode(path):
     we need to re-percent-encode any octet produced that is not part of a
     strictly legal UTF-8 octet sequence.
     """
-    try:
-        path.decode('utf-8')
-    except UnicodeDecodeError as e:
-        repercent = quote(path[e.start:e.end], safe=b"/#%[]=:;$&()+,!?*@'~")
-        path = repercent_broken_unicode(
-            path[:e.start] + force_bytes(repercent) + path[e.end:])
-    return path
+    while True:
+        try:
+            path.decode('utf-8')
+        except UnicodeDecodeError as e:
+            # CVE-2019-14235: A recursion shouldn't be used since the exception
+            # handling uses massive amounts of memory
+            repercent = quote(path[e.start:e.end], safe=b"/#%[]=:;$&()+,!?*@'~")
+            path = path[:e.start] + force_bytes(repercent) + path[e.end:]
+        else:
+            return path
 
 
 def filepath_to_uri(path):
author	Florian Apolloner <florian@apolloner.eu>	2019-07-19 17:04:53 +0200
committer	Carlton Gibson <carlton.gibson@noumenal.es>	2019-07-31 21:29:17 +0200
commit	869b34e9b3be3a4cfcb3a145f218ffd3f5e3fd79 (patch)
tree	dbadabbbb01d7b0526b1f802be11842f863e3c25 /django
parent	ed682a24fca774818542757651bfba576c3fc3ef (diff)