| author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2023-08-22 08:53:03 +0200 |
|---|---|---|
| committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2023-09-04 12:14:21 +0200 |
| commit | ba00bc5ec6a7eff5e08be438f7b5b0e9574e8ff0 (patch) | |
| tree | 4b93acd6125b01d60e39c795cbcbd206d26fe21b /django | |
| parent | 52533346d221fa57b676056418c0e0d9342a2d67 (diff) | |
[4.1.x] Fixed CVE-2023-41164 -- Fixed potential DoS in django.utils.encoding.uri_to_iri().
Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
Co-authored-by: nessita <124304+nessita@users.noreply.github.com>
Diffstat (limited to 'django')
| -rw-r--r-- | django/utils/encoding.py | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/django/utils/encoding.py b/django/utils/encoding.py
index 360eb91ed5..5eb14d0933 100644
--- a/django/utils/encoding.py
+++ b/django/utils/encoding.py
@@ -220,6 +220,7 @@ def repercent_broken_unicode(path):
 repercent-encode any octet produced that is not part of a strictly legal
 UTF-8 octet sequence.
 """
+ changed_parts = []
 while True:
 try:
 path.decode()
@@ -227,9 +228,10 @@ def repercent_broken_unicode(path):
 # CVE-2019-14235: A recursion shouldn't be used since the exception
 # handling uses massive amounts of memory
 repercent = quote(path[e.start : e.end], safe=b"/#%[]=:;$&()+,!?*@'~")
- path = path[: e.start] + repercent.encode() + path[e.end :]
+ changed_parts.append(path[: e.start] + repercent.encode())
+ path = path[e.end :]
 else:
- return path
+ return b"".join(changed_parts) + path
 
 
 def filepath_to_uri(path):
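Review bot: The two added lines `changed_parts.append(path[: e.start] + repercent.encode())` and `path = path[e.end :]` in the second hunk remove the quadratic copy but carry no comment saying so, while the comment directly above them still cites only CVE-2019-14235, so a later cleanup could fold the two slices back into one concatenation and reintroduce the behaviour this commit fixes. I would add, above the `changed_parts.append(...)` line, `# CVE-2023-41164: keep the already-processed prefix in changed_parts and only re-decode the remainder; rebuilding the whole path on every bad octet was quadratic in the number of invalid sequences.` A short comment at the new `changed_parts = []` in the first hunk, noting that it is joined with the remaining path on the success branch, would make the two hunks read as one change. The enclosing `repercent_broken_unicode` starts before the first hunk and the `except` clause that binds `e` appears to fall between the two hunks, so only the visible lines are covered here.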
