
[4.0.x] Fixed CVE-2023-23969 -- Prevented DoS with pathological value… · django/django@4452642 · GitHub


+61

-3

lines changed


@@ -30,6 +30,11 @@

30 30

# magic gettext number to separate context from message

31 31

CONTEXT_SEPARATOR = "\x04"

32 32 33 +

# Maximum number of characters that will be parsed from the Accept-Language

34 +

# header to prevent possible denial of service or memory exhaustion attacks.

35 +

# About 10x longer than the longest value shown on MDN’s Accept-Language page.

36 +

ACCEPT_LANGUAGE_HEADER_MAX_LENGTH = 500

37 + 33 38

# Format of Accept-Language header values. From RFC 2616, section 14.4 and 3.9

34 39

# and RFC 3066, section 2.1

35 40

accept_language_re = _lazy_re_compile(

@@ -585,7 +590,7 @@ def get_language_from_request(request, check_path=False):

585 590 586 591 587 592

@functools.lru_cache(maxsize=1000)

588 -

def parse_accept_lang_header(lang_string):

593 +

def _parse_accept_lang_header(lang_string):

589 594

"""

590 595

Parse the lang_string, which is the body of an HTTP Accept-Language

591 596

header, and return a tuple of (lang, q-value), ordered by 'q' values.

@@ -607,3 +612,27 @@ def parse_accept_lang_header(lang_string):

607 612

result.append((lang, priority))

608 613

result.sort(key=lambda k: k[1], reverse=True)

609 614

return tuple(result)

615 + 616 + 617 +

def parse_accept_lang_header(lang_string):

618 +

"""

619 +

Parse the value of the Accept-Language header up to a maximum length.

620 + 621 +

The value of the header is truncated to a maximum length to avoid potential

622 +

denial of service and memory exhaustion attacks. Excessive memory could be

623 +

used if the raw value is very large as it would be cached due to the use of

624 +

functools.lru_cache() to avoid repetitive parsing of common header values.

625 +

"""

626 +

# If the header value doesn't exceed the maximum allowed length, parse it.

627 +

if len(lang_string) <= ACCEPT_LANGUAGE_HEADER_MAX_LENGTH:

628 +

return _parse_accept_lang_header(lang_string)

629 + 630 +

# If there is at least one comma in the value, parse up to the last comma

631 +

# before the max length, skipping any truncated parts at the end of the

632 +

# header value.

633 +

if (index := lang_string.rfind(",", 0, ACCEPT_LANGUAGE_HEADER_MAX_LENGTH)) > 0:

634 +

return _parse_accept_lang_header(lang_string[:index])

635 + 636 +

# Don't attempt to parse if there is only one language-range value which is

637 +

# longer than the maximum allowed length and so truncated.

638 +

return ()
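Review bot: The fallback branch's boundary is off by one relative to the fast path: `lang_string.rfind(",", 0, ACCEPT_LANGUAGE_HEADER_MAX_LENGTH)` never considers a separator at index 500, yet the `<=` check just above accepts a 500-character value, so a header whose 501st character is the comma silently loses its last complete language-range. Passing `ACCEPT_LANGUAGE_HEADER_MAX_LENGTH + 1` as the end argument, i.e. `if (index := lang_string.rfind(",", 0, ACCEPT_LANGUAGE_HEADER_MAX_LENGTH + 1)) > 0:`, makes both branches agree that a prefix of exactly the maximum length is acceptable. Since the cache is keyed on the truncated string, the memory bound worth stating in the docstring is `maxsize` entries of at most `ACCEPT_LANGUAGE_HEADER_MAX_LENGTH` characters each, independent of what the client sends. The body of `_parse_accept_lang_header` between the second and third hunk is not shown here.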


@@ -6,4 +6,12 @@ Django 3.2.17 release notes

6 6 7 7

Django 3.2.17 fixes a security issue with severity "moderate" in 3.2.16.

8 8 9 -

...

9 +

CVE-2023-23969: Potential denial-of-service via ``Accept-Language`` headers

10 +

===========================================================================

11 + 12 +

The parsed values of ``Accept-Language`` headers are cached in order to avoid

13 +

repetitive parsing. This leads to a potential denial-of-service vector via

14 +

excessive memory usage if large header values are sent.

15 + 16 +

In order to avoid this vulnerability, the ``Accept-Language`` header is now

17 +

parsed up to a maximum length.


@@ -6,4 +6,12 @@ Django 4.0.9 release notes

6 6 7 7

Django 4.0.9 fixes a security issue with severity "moderate" in 4.0.8.

8 8 9 -

...

9 +

CVE-2023-23969: Potential denial-of-service via ``Accept-Language`` headers

10 +

===========================================================================

11 + 12 +

The parsed values of ``Accept-Language`` headers are cached in order to avoid

13 +

repetitive parsing. This leads to a potential denial-of-service vector via

14 +

excessive memory usage if large header values are sent.

15 + 16 +

In order to avoid this vulnerability, the ``Accept-Language`` header is now

17 +

parsed up to a maximum length.


@@ -1728,6 +1728,14 @@ def test_parse_spec_http_header(self):

1728 1728

("de;q=0.", [("de", 0.0)]),

1729 1729

("en; q=1,", [("en", 1.0)]),

1730 1730

("en; q=1.0, * ; q=0.5", [("en", 1.0), ("*", 0.5)]),

1731 +

(

1732 +

"en" + "-x" * 20,

1733 +

[("en-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x", 1.0)],

1734 +

),

1735 +

(

1736 +

", ".join(["en; q=1.0"] * 20),

1737 +

[("en", 1.0)] * 20,

1738 +

),

1731 1739

# Bad headers

1732 1740

("en-gb;q=1.0000", []),

1733 1741

("en;q=0.1234", []),

@@ -1743,6 +1751,11 @@ def test_parse_spec_http_header(self):

1743 1751

("12-345", []),

1744 1752

("", []),

1745 1753

("en;q=1e0", []),

1754 +

("en-au;q=1.0", []),

1755 +

# Invalid as language-range value too long.

1756 +

("xxxxxxxx" + "-xxxxxxxx" * 500, []),

1757 +

# Header value too long, only parse up to limit.

1758 +

(", ".join(["en; q=1.0"] * 500), [("en", 1.0)] * 45),

1746 1759

]

1747 1760

for value, expected in tests:

1748 1761

with self.subTest(value=value):
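Review bot: As rendered, the new entry `("en-au;q=1.0", [])` sits under `# Bad headers` but reads as a well-formed value that the valid case `("en; q=1.0,", ...)` earlier in the list suggests should parse, so either the expectation is wrong or the literal contained non-ASCII digits that this rendering has normalised to ASCII; confirm against the source file. If non-ASCII digits are the intent, a comment such as `# Non-ASCII digits are not valid q-values.` above the entry would make the purpose survive such normalisation and explain the empty result to the next reader. The two oversized cases pin both fallback paths of the new wrapper: a single over-long range yields `[]`, and 500 comma-separated ranges yield exactly the 45 that fit before the last separator under the limit. The enclosing test method continues outside the hunk.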
