control: tags -1 patch pending

debdiff python-django/python-django_3.2.20-1.dsc 
python-django/python-django_3.2.20-1.1.dsc
dpkg-source: warning: extracting unsigned source package 
(/tmp/merges/python-django/python-django_3.2.20-1.1.dsc)
diff -Nru python-django-3.2.20/debian/changelog 
python-django-3.2.20/debian/changelog
--- python-django-3.2.20/debian/changelog       2023-07-03 21:34:24.000000000 
+0200
+++ python-django-3.2.20/debian/changelog       2023-07-04 09:31:10.000000000 
+0200
@@ -1,3 +1,14 @@
+python-django (3:3.2.20-1.1) unstable; urgency=high
+
+  [ Gianfranco Costamagna ]
+  * Non-maintainer upload.
+
+  [ Graham Inggs ]
+  * Cherry-pick upstream commit to fix URLValidator crash in
+    some edge cases (LP: #2025155, Closes: #1037920)
+
+ -- Gianfranco Costamagna <locutusofb...@debian.org>  Tue, 04 Jul 2023 
09:31:10 +0200
+
 python-django (3:3.2.20-1) unstable; urgency=high
* New upstream security release:
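Review bot: the new changelog entry under [ Graham Inggs ] says only "Cherry-pick upstream commit" and does not name the file it adds. Naming debian/patches/fix-url-validator.patch in the entry would let someone reading the changelog alone locate the change. The entry also sets urgency=high while describing a crash fix, without giving the reason.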
diff -Nru python-django-3.2.20/debian/patches/fix-url-validator.patch 
python-django-3.2.20/debian/patches/fix-url-validator.patch
--- python-django-3.2.20/debian/patches/fix-url-validator.patch 1970-01-01 
01:00:00.000000000 +0100
+++ python-django-3.2.20/debian/patches/fix-url-validator.patch 2023-07-04 
09:31:06.000000000 +0200
@@ -0,0 +1,46 @@
+Description: Fixed URLValidator crash in some edge cases
+Origin: upstream, 
https://github.com/django/django/commit/e8b4feddc34ffe5759ec21da8fa027e86e653f1c
+Bug: https://code.djangoproject.com/ticket/33367
+Author: Pedro Schlickmann Mendes <windowsxpe...@gmail.com>
+Last-Update: 2021-12-15
+
+--- a/django/core/validators.py
++++ b/django/core/validators.py
+@@ -111,14 +111,15 @@
+
+         # Then check full URL
+         try:
++            splitted_url = urlsplit(value)
++        except ValueError:
++            raise ValidationError(self.message, code=self.code, 
params={'value': value})
++        try:
+             super().__call__(value)
+         except ValidationError as e:
+             # Trivial case failed. Try for possible IDN domain
+             if value:
+-                try:
+-                    scheme, netloc, path, query, fragment = urlsplit(value)
+-                except ValueError:  # for example, "Invalid IPv6 URL"
+-                    raise ValidationError(self.message, code=self.code, 
params={'value': value})
++                scheme, netloc, path, query, fragment = splitted_url
+                 try:
+                     netloc = punycode(netloc)  # IDN -> ACE
+                 except UnicodeError:  # invalid domain part
+@@ -129,7 +130,7 @@
+                 raise
+         else:
+             # Now verify IPv6 in the netloc part
+-            host_match = re.search(r'^\[(.+)\](?::\d{2,5})?$', 
urlsplit(value).netloc)
++            host_match = re.search(r'^\[(.+)\](?::\d{2,5})?$', 
splitted_url.netloc)
+             if host_match:
+                 potential_ip = host_match[1]
+                 try:
+@@ -141,7 +142,7 @@
+         # section 3.1. It's defined to be 255 bytes or less, but this includes
+         # one byte for the length of the name and one byte for the trailing 
dot
+         # that's used to indicate absolute names in DNS.
+-        if len(urlsplit(value).hostname) > 253:
++        if splitted_url.hostname is None or len(splitted_url.hostname) > 253:
+             raise ValidationError(self.message, code=self.code, 
params={'value': value})
+
+
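Review bot: the embedded patch touches only django/core/validators.py and adds no regression test for the two paths it changes. Those are the final length check, where len(urlsplit(value).hostname) raised TypeError when hostname was None, and the else branch, where urlsplit(value).netloc was called outside any except ValueError. A test covering both should be carried alongside the fix. The DEP-3 header also lacks the bugs cited in the changelog (Closes: #1037920, LP: #2025155); Bug-Debian and Bug-Ubuntu fields would tie the patch to them.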
diff -Nru python-django-3.2.20/debian/patches/series 
python-django-3.2.20/debian/patches/series
--- python-django-3.2.20/debian/patches/series  2023-07-03 21:34:24.000000000 
+0200
+++ python-django-3.2.20/debian/patches/series  2023-07-04 00:58:11.000000000 
+0200
@@ -9,3 +9,4 @@
 0009-Fixed-33282-Fixed-a-crash-when-OR-ing-subquery-and-a.patch
 0011-Moved-RequestSite-import-to-the-toplevel.patch
 0012-Add-Python-3.11-support-for-tests.patch
+fix-url-validator.patch
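Review bot: the added series entry fix-url-validator.patch does not follow the numbered naming of the entries above it (0009-, 0011-, 0012-). Giving it a numeric prefix in the same scheme would keep the series consistent and its ordering obvious.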


Uploaded.

On Thu, 29 Jun 2023 07:32:07 +0000 Graham Inggs <gin...@debian.org> wrote:
Control: tags -1 + fixed-upstream patch

Hi Maintainer

Please find attached, a patch that was applied in Ubuntu to address this issue.

Regards
Graham
