+52
-9
@@ -225,13 +225,16 @@ def repercent_broken_unicode(path):
225
225
repercent-encode any octet produced that is not part of a strictly legal
226
226
UTF-8 octet sequence.
227
227
"""
228
-
try:
229
-
path.decode()
230
-
except UnicodeDecodeError as e:
231
-
repercent = quote(path[e.start:e.end], safe=b"/#%[]=:;$&()+,!?*@'~")
232
-
path = repercent_broken_unicode(
233
-
path[:e.start] + force_bytes(repercent) + path[e.end:])
234
-
return path
228
+
while True:
229
+
try:
230
+
path.decode()
231
+
except UnicodeDecodeError as e:
232
+
# CVE-2019-14235: A recursion shouldn't be used since the exception
233
+
# handling uses massive amounts of memory
234
+
repercent = quote(path[e.start:e.end], safe=b"/#%[]=:;$&()+,!?*@'~")
235
+
path = path[:e.start] + force_bytes(repercent) + path[e.end:]
236
+
else:
237
+
return path
235
238
236
239
237
240
def filepath_to_uri(path):
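Review bot: Each pass of the new `while True` loop calls `path.decode()` from offset 0 and then rebuilds the whole value with three slices, so an input holding many invalid octets still costs time quadratic in its length; the added comment explains only the memory side of dropping the recursion. A sentence next to it would record the remaining trade-off, e.g. `# Each pass re-decodes from the start, so the loop is quadratic in the number of invalid octets; fine while request paths stay bounded in size.` (that the size is bounded upstream is presumed here, so confirm before wording it as a guarantee). Decoding only the not-yet-checked tail would avoid the rescans, but the current form is simpler and the rescanning behaviour already existed in the recursive version. The `def repercent_broken_unicode` line and the first lines of its docstring lie outside the hunk.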
@@ -45,3 +45,13 @@ CVE-2019-14234: SQL injection possibility in key and index lookups for ``JSONFie
45
45
<hstorefield.key>` for :class:`~django.contrib.postgres.fields.HStoreField`
46
46
were subject to SQL injection, using a suitably crafted dictionary, with
47
47
dictionary expansion, as the ``**kwargs`` passed to ``QuerySet.filter()``.
48
+
49
+
CVE-2019-14235: Potential memory exhaustion in ``django.utils.encoding.uri_to_iri()``
50
+
=====================================================================================
51
+
52
+
If passed certain inputs, :func:`django.utils.encoding.uri_to_iri` could lead
53
+
to significant memory usage due to excessive recursion when re-percent-encoding
54
+
invalid UTF-8 octet sequences.
55
+
56
+
``uri_to_iri()`` now avoids recursion when re-percent-encoding invalid UTF-8
57
+
octet sequences.
@@ -45,3 +45,13 @@ CVE-2019-14234: SQL injection possibility in key and index lookups for ``JSONFie
45
45
<hstorefield.key>` for :class:`~django.contrib.postgres.fields.HStoreField`
46
46
were subject to SQL injection, using a suitably crafted dictionary, with
47
47
dictionary expansion, as the ``**kwargs`` passed to ``QuerySet.filter()``.
48
+
49
+
CVE-2019-14235: Potential memory exhaustion in ``django.utils.encoding.uri_to_iri()``
50
+
=====================================================================================
51
+
52
+
If passed certain inputs, :func:`django.utils.encoding.uri_to_iri` could lead
53
+
to significant memory usage due to excessive recursion when re-percent-encoding
54
+
invalid UTF-8 octet sequences.
55
+
56
+
``uri_to_iri()`` now avoids recursion when re-percent-encoding invalid UTF-8
57
+
octet sequences.
@@ -46,6 +46,16 @@ CVE-2019-14234: SQL injection possibility in key and index lookups for ``JSONFie
46
46
were subject to SQL injection, using a suitably crafted dictionary, with
47
47
dictionary expansion, as the ``**kwargs`` passed to ``QuerySet.filter()``.
48
48
49
+
CVE-2019-14235: Potential memory exhaustion in ``django.utils.encoding.uri_to_iri()``
50
+
=====================================================================================
51
+
52
+
If passed certain inputs, :func:`django.utils.encoding.uri_to_iri` could lead
53
+
to significant memory usage due to excessive recursion when re-percent-encoding
54
+
invalid UTF-8 octet sequences.
55
+
56
+
``uri_to_iri()`` now avoids recursion when re-percent-encoding invalid UTF-8
57
+
octet sequences.
58
+
49
59
Bugfixes
50
60
========
51
61
@@ -1,13 +1,14 @@
1
1
import datetime
2
+
import sys
2
3
import unittest
3
4
from unittest import mock
4
5
from urllib.parse import quote_plus
5
6
6
7
from django.test import SimpleTestCase
7
8
from django.utils.encoding import (
8
9
DjangoUnicodeDecodeError, escape_uri_path, filepath_to_uri, force_bytes,
9
-
force_text, get_system_encoding, iri_to_uri, smart_bytes, smart_text,
10
-
uri_to_iri,
10
+
force_text, get_system_encoding, iri_to_uri, repercent_broken_unicode,
11
+
smart_bytes, smart_text, uri_to_iri,
11
12
)
12
13
from django.utils.functional import SimpleLazyObject
13
14
from django.utils.translation import gettext_lazy
@@ -90,6 +91,15 @@ def test_get_default_encoding(self):
90
91
with mock.patch('locale.getdefaultlocale', side_effect=Exception):
91
92
self.assertEqual(get_system_encoding(), 'ascii')
92
93
94
+
def test_repercent_broken_unicode_recursion_error(self):
95
+
# Prepare a string long enough to force a recursion error if the tested
96
+
# function uses recursion.
97
+
data = b'\xfc' * sys.getrecursionlimit()
98
+
try:
99
+
self.assertEqual(repercent_broken_unicode(data), b'%FC' * sys.getrecursionlimit())
100
+
except RecursionError:
101
+
self.fail('Unexpected RecursionError raised.')
102
+
93
103
94
104
class TestRFC3987IEncodingUtils(unittest.TestCase):
95
105
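Review bot: `test_repercent_broken_unicode_recursion_error` feeds only a run of identical single-byte errors, so the `e.start`/`e.end` slicing in the loop is never checked against valid text mixed with a truncated multi-byte sequence, which is the case where the reported offsets move between passes. One more assertion such as `self.assertEqual(repercent_broken_unicode(b'abc\xe2\x82def'), b'abc%E2%82def')` would pin that path (check the expected value against the range the decoder actually reports before relying on it). The `try`/`except RecursionError` around the `assertEqual` could also be reduced to the bare assertion, since an unexpected `RecursionError` fails the test on its own; the explicit `self.fail` mainly replaces the original traceback with a message. The `test_get_default_encoding` method that opens the hunk starts outside it.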