
Showing content from https://github.com/django/django/commit/9d7bd5a56b1ce0576e8e07a8001373576d277942 below:

[4.1.x] Fixed CVE-2023-23969 -- Prevented DoS with pathological value… · django/django@9d7bd5a · GitHub

5 files changed: +72 -5 lines changed

Original file line number Diff line number Diff line change

@@ -30,6 +30,11 @@

30 30

# magic gettext number to separate context from message

31 31

CONTEXT_SEPARATOR = "\x04"

32 32 33 +

# Maximum number of characters that will be parsed from the Accept-Language

34 +

# header to prevent possible denial of service or memory exhaustion attacks.

35 +

# About 10x longer than the longest value shown on MDN’s Accept-Language page.

36 +

ACCEPT_LANGUAGE_HEADER_MAX_LENGTH = 500

37 + 33 38

# Format of Accept-Language header values. From RFC 2616, section 14.4 and 3.9

34 39

# and RFC 3066, section 2.1

35 40

accept_language_re = _lazy_re_compile(
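Review bot: the comment on ACCEPT_LANGUAGE_HEADER_MAX_LENGTH explains where the value comes from (about 10x the longest MDN example) but not what it bounds; since this constant exists to cap what functools.lru_cache(maxsize=1000) can retain, it would help to state that the worst-case cache footprint is now roughly maxsize times 500 characters of key data plus the parsed tuples, so that anyone raising either number sees the relationship between them.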

@@ -586,7 +591,7 @@ def get_language_from_request(request, check_path=False):

586 591 587 592 588 593

@functools.lru_cache(maxsize=1000)

589 -

def parse_accept_lang_header(lang_string):

594 +

def _parse_accept_lang_header(lang_string):

590 595

"""

591 596

Parse the lang_string, which is the body of an HTTP Accept-Language

592 597

header, and return a tuple of (lang, q-value), ordered by 'q' values.
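Review bot: the docstring on the renamed _parse_accept_lang_header still describes it as the parser of the header body, with nothing saying it is the uncapped, cached inner helper; add a line such as "Callers must use parse_accept_lang_header(), which enforces ACCEPT_LANGUAGE_HEADER_MAX_LENGTH before reaching this cache." Since the lru_cache decorator now sits on this function, any direct call to it reintroduces the unbounded-key caching this fix removes.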

@@ -608,3 +613,27 @@ def parse_accept_lang_header(lang_string):

608 613

result.append((lang, priority))

609 614

result.sort(key=lambda k: k[1], reverse=True)

610 615

return tuple(result)

616 + 617 + 618 +

def parse_accept_lang_header(lang_string):

619 +

"""

620 +

Parse the value of the Accept-Language header up to a maximum length.

621 + 622 +

The value of the header is truncated to a maximum length to avoid potential

623 +

denial of service and memory exhaustion attacks. Excessive memory could be

624 +

used if the raw value is very large as it would be cached due to the use of

625 +

functools.lru_cache() to avoid repetitive parsing of common header values.

626 +

"""

627 +

# If the header value doesn't exceed the maximum allowed length, parse it.

628 +

if len(lang_string) <= ACCEPT_LANGUAGE_HEADER_MAX_LENGTH:

629 +

return _parse_accept_lang_header(lang_string)

630 + 631 +

# If there is at least one comma in the value, parse up to the last comma

632 +

# before the max length, skipping any truncated parts at the end of the

633 +

# header value.

634 +

if (index := lang_string.rfind(",", 0, ACCEPT_LANGUAGE_HEADER_MAX_LENGTH)) > 0:

635 +

return _parse_accept_lang_header(lang_string[:index])

636 + 637 +

# Don't attempt to parse if there is only one language-range value which is

638 +

# longer than the maximum allowed length and so truncated.

639 +

return ()
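Review bot: the condition `if (index := lang_string.rfind(",", 0, ACCEPT_LANGUAGE_HEADER_MAX_LENGTH)) > 0:` relies on two facts that deserve a comment: str.rfind() returns -1 when no comma lies within the first 500 characters, and the `> 0` (rather than `>= 0`) also sends a value whose only early comma is at position 0 to the final `return ()`. Both cases end in the empty tuple, which is the intended safe outcome, but the `> 0` reads like an off-by-one unless the comment says a leading comma is treated the same as no comma. It is also worth stating that because `lang_string[:index]` is at most 499 characters, every key that reaches the cache is bounded, which is the property the CVE fix depends on.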

Original file line number Diff line number Diff line change

@@ -6,4 +6,12 @@ Django 3.2.17 release notes

6 6 7 7

Django 3.2.17 fixes a security issue with severity "moderate" in 3.2.16.

8 8 9 -

...

9 +

CVE-2023-23969: Potential denial-of-service via ``Accept-Language`` headers

10 +

===========================================================================

11 + 12 +

The parsed values of ``Accept-Language`` headers are cached in order to avoid

13 +

repetitive parsing. This leads to a potential denial-of-service vector via

14 +

excessive memory usage if large header values are sent.

15 + 16 +

In order to avoid this vulnerability, the ``Accept-Language`` header is now

17 +

parsed up to a maximum length.
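Review bot: the release note explains the cause (caching of parsed values) but not the observable behaviour change, which is the part operators need: a header longer than the limit is parsed only up to the last comma before the limit, and a single language-range that is itself longer than the limit is ignored entirely. One sentence to that effect, ideally naming the limit (500 characters), would let people check whether any legitimate client of theirs sends values near the cap.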

Original file line number Diff line number Diff line change

@@ -6,4 +6,12 @@ Django 4.0.9 release notes

6 6 7 7

Django 4.0.9 fixes a security issue with severity "moderate" in 4.0.8.

8 8 9 -

...

9 +

CVE-2023-23969: Potential denial-of-service via ``Accept-Language`` headers

10 +

===========================================================================

11 + 12 +

The parsed values of ``Accept-Language`` headers are cached in order to avoid

13 +

repetitive parsing. This leads to a potential denial-of-service vector via

14 +

excessive memory usage if large header values are sent.

15 + 16 +

In order to avoid this vulnerability, the ``Accept-Language`` header is now

17 +

parsed up to a maximum length.

Original file line number Diff line number Diff line change

@@ -4,8 +4,18 @@ Django 4.1.6 release notes

4 4 5 5

*February 1, 2023*

6 6 7 -

Django 4.1.6 fixes a security issue with severity "moderate" and several bugs

8 -

in 4.1.5.

7 +

Django 4.1.6 fixes a security issue with severity "moderate" and a bug in

8 +

4.1.5.

9 + 10 +

CVE-2023-23969: Potential denial-of-service via ``Accept-Language`` headers

11 +

===========================================================================

12 + 13 +

The parsed values of ``Accept-Language`` headers are cached in order to avoid

14 +

repetitive parsing. This leads to a potential denial-of-service vector via

15 +

excessive memory usage if large header values are sent.

16 + 17 +

In order to avoid this vulnerability, the ``Accept-Language`` header is now

18 +

parsed up to a maximum length.

9 19 10 20

Bugfixes

11 21

========
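Review bot: the rewording from "several bugs" to "a bug" in the 4.1.6 intro is unrelated to the CVE fix and should be confirmed against the Bugfixes list in the same file before landing, since a count like this goes stale if another fix is queued for 4.1.6. The CVE section itself matches the 3.2.17 and 4.0.9 notes word for word, which is good for consistency.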

Original file line number Diff line number Diff line change

@@ -1730,6 +1730,14 @@ def test_parse_spec_http_header(self):

1730 1730

("de;q=0.", [("de", 0.0)]),

1731 1731

("en; q=1,", [("en", 1.0)]),

1732 1732

("en; q=1.0, * ; q=0.5", [("en", 1.0), ("*", 0.5)]),

1733 +

(

1734 +

"en" + "-x" * 20,

1735 +

[("en-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x", 1.0)],

1736 +

),

1737 +

(

1738 +

", ".join(["en; q=1.0"] * 20),

1739 +

[("en", 1.0)] * 20,

1740 +

),

1733 1741

# Bad headers

1734 1742

("en-gb;q=1.0000", []),

1735 1743

("en;q=0.1234", []),
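Review bot: both new valid-header cases ("en" + "-x" * 20 is 42 characters, and 20 repetitions of "en; q=1.0" joined by ", " is 218 characters) stay well under ACCEPT_LANGUAGE_HEADER_MAX_LENGTH, so they exercise only the unchanged fast path of parse_accept_lang_header(). Consider adding boundary cases at exactly 500 and 501 characters so the `<=` comparison and the truncation branch are each pinned by a test.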

@@ -1746,6 +1754,10 @@ def test_parse_spec_http_header(self):

1746 1754

("", []),

1747 1755

("en;q=1e0", []),

1748 1756

("en-au;q=1.0", []),

1757 +

# Invalid as language-range value too long.

1758 +

("xxxxxxxx" + "-xxxxxxxx" * 500, []),

1759 +

# Header value too long, only parse up to limit.

1760 +

(", ".join(["en; q=1.0"] * 500), [("en", 1.0)] * 45),

1749 1761

]

1750 1762

for value, expected in tests:

1751 1763

with self.subTest(value=value):
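Review bot: the expected value `[("en", 1.0)] * 45` on the 500-repetition case is correct but opaque: each "en; q=1.0, " segment is 11 characters, so the commas sit at 9 + 11 * k and the last one before index 500 is at 9 + 11 * 44 = 493, leaving 45 complete ranges. Derive that number from ACCEPT_LANGUAGE_HEADER_MAX_LENGTH in the test, or leave a comment with the arithmetic, so that changing the constant does not silently turn this into a failing, hard-to-diagnose test. The oversized single-range case ("xxxxxxxx" + "-xxxxxxxx" * 500) correctly expects [] because no comma exists in the first 500 characters.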
