Fixed CVE-2024-39614 -- Mitigated potential DoS in get_supported_language_variant().

Language codes are now parsed with a maximum length limit of 500 chars.

Thanks to MProgrammer for the report.

3 files changed, 40 insertions, 0 deletions

diff --git a/docs/ref/utils.txt b/docs/ref/utils.txt
index 9fb1e83e9e..65dc9952bc 100644
--- a/docs/ref/utils.txt
+++ b/docs/ref/utils.txt
@@ -1147,6 +1147,11 @@ For a complete discussion on the usage of the following see the
     ``lang_code`` is ``'es-ar'`` and ``'es'`` is in :setting:`LANGUAGES` but
     ``'es-ar'`` isn't.
 
+    ``lang_code`` has a maximum accepted length of 500 characters. A
+    :exc:`ValueError` is raised if ``lang_code`` exceeds this limit and
+    ``strict`` is ``True``, or if there is no generic variant and ``strict``
+    is ``False``.
+
     If ``strict`` is ``False`` (the default), a country-specific variant may
     be returned when neither the language code nor its generic variant is found.
     For example, if only ``'es-co'`` is in :setting:`LANGUAGES`, that's
@@ -1155,6 +1160,11 @@ For a complete discussion on the usage of the following see the
 
     Raises :exc:`LookupError` if nothing is found.
 
+    .. versionchanged:: 4.2.14
+
+        In older versions, ``lang_code`` values over 500 characters were
+        processed without raising a :exc:`ValueError`.
+
 .. function:: to_locale(language)
 
     Turns a language name (en-us) into a locale name (en_US).
diff --git a/docs/releases/4.2.14.txt b/docs/releases/4.2.14.txt
index dc20cd9f28..08523e27fd 100644
--- a/docs/releases/4.2.14.txt
+++ b/docs/releases/4.2.14.txt
@@ -32,3 +32,18 @@ directory-traversal via certain inputs when calling :meth:`save()
 <django.core.files.storage.Storage.save()>`.
 
 Built-in ``Storage`` sub-classes were not affected by this vulnerability.
+
+CVE-2024-39614: Potential denial-of-service vulnerability in ``get_supported_language_variant()``
+=================================================================================================
+
+:meth:`~django.utils.translation.get_supported_language_variant` was subject to
+a potential denial-of-service attack when used with very long strings
+containing specific characters.
+
+To mitigate this vulnerability, the language code provided to
+:meth:`~django.utils.translation.get_supported_language_variant` is now parsed
+up to a maximum length of 500 characters.
+
+When the language code is over 500 characters, a :exc:`ValueError` will now be
+raised if ``strict`` is ``True``, or if there is no generic variant and
+``strict`` is ``False``.
diff --git a/docs/releases/5.0.7.txt b/docs/releases/5.0.7.txt
index c09e2d7040..148a2e25b3 100644
--- a/docs/releases/5.0.7.txt
+++ b/docs/releases/5.0.7.txt
@@ -33,6 +33,21 @@ directory-traversal via certain inputs when calling :meth:`save()
 
 Built-in ``Storage`` sub-classes were not affected by this vulnerability.
 
+CVE-2024-39614: Potential denial-of-service vulnerability in ``get_supported_language_variant()``
+=================================================================================================
+
+:meth:`~django.utils.translation.get_supported_language_variant` was subject to
+a potential denial-of-service attack when used with very long strings
+containing specific characters.
+
+To mitigate this vulnerability, the language code provided to
+:meth:`~django.utils.translation.get_supported_language_variant` is now parsed
+up to a maximum length of 500 characters.
+
+When the language code is over 500 characters, a :exc:`ValueError` will now be
+raised if ``strict`` is ``True``, or if there is no generic variant and
+``strict`` is ``False``.
+
 Bugfixes
 ========