diff --git a/Backport-CVE-2024-21520-Fix-potential-XSS-vulnerability.patch b/Backport-CVE-2024-21520-Fix-potential-XSS-vulnerability.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a13bdb74e8bb589dd9770de8ba69b5128f1c1124
--- /dev/null
+++ b/Backport-CVE-2024-21520-Fix-potential-XSS-vulnerability.patch
@@ -0,0 +1,25 @@
+From 3b41f0124194430da957b119712978fa2266b642 Mon Sep 17 00:00:00 2001
+From: Seokchan Yoon
+Date: Fri, 14 Jun 2024 18:52:02 +0900
+Subject: [PATCH] Fix potential XSS vulnerability in break_long_headers
+ template filter (#9435)
+
+The header input is now properly escaped before splitting and joining with
 tags. This prevents potential XSS attacks if the header contains unsanitized user input.
+---
+ rest_framework/templatetags/rest_framework.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/rest_framework/templatetags/rest_framework.py b/rest_framework/templatetags/rest_framework.py
+index ccd9430..22f6f64 100644
+--- a/rest_framework/templatetags/rest_framework.py
++++ b/rest_framework/templatetags/rest_framework.py
+@@ -318,5 +318,5 @@ def break_long_headers(header):
+ when possible (are comma separated)
+ """
+ if len(header) > 160 and ',' in header:
+- header = mark_safe('
' + ',
'.join(header.split(',')))
++ header = mark_safe('
' + ',
'.join(escape(header).split(',')))
+ return header
+-- 
+2.43.0
+
diff --git a/python-django-rest-framework.spec b/python-django-rest-framework.spec
index 07e2b7a8b512418820d58bd2a12d69e369ceeb89..4c5427b111254b326ca9efbe7b4e178314d4ca4f 100644
--- a/python-django-rest-framework.spec
+++ b/python-django-rest-framework.spec
@@ -1,13 +1,14 @@
 %global _empty_manifest_terminate_build 0
 Name: python-django-rest-framework
 Version: 3.14.0
-Release: 1
+Release: 2
 Summary: Web APIs for Django.
 License: BSD-3-Clause
 URL: https://github.com/encode/django-rest-framework
 Source0: https://github.com/encode/django-rest-framework/archive/refs/tags/3.14.0.tar.gz
 BuildArch: noarch
+Patch01: Backport-CVE-2024-21520-Fix-potential-XSS-vulnerability.patch
 %description
 Django REST framework is a powerful and flexible toolkit for building Web APIs.
@@ -27,7 +28,7 @@ Provides: python3-django-rest-framework-doc
 Django REST framework is a powerful and flexible toolkit for building Web APIs.
 %prep
-%autosetup -n django-rest-framework-%{version}
+%autosetup -n django-rest-framework-%{version} -p1
 %build
 %py3_build
@@ -67,6 +68,9 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*
 %changelog
+* Wed Sep 04 2024 yinyongkang - 3.14.0-2
+- Fix CVE-2024-21520
+
 * Wed Nov 16 2022 liqiuyu - 3.14.0-1
 - Update package to version 3.14.0
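Review bot: The new line calls `escape(header)`, but the backported hunk does not show the module's import block, so confirm that the 3.14.0 copy of rest_framework/templatetags/rest_framework.py already has `from django.utils.html import escape` — a missing name would not fail the RPM build and would only surface as a NameError the first time a header longer than 160 characters with commas is rendered. The ordering itself is sound: `escape()` only introduces `&...;` entities and never a comma, so splitting after escaping yields the same segments as before and the `mark_safe()` wrapping is now justified; the short-header path still returns the raw, unmarked string, which presumably relies on template autoescaping — worth confirming for the views that use this filter. Since the backport carries no regression test, consider adding one in %check if the package runs the upstream test-suite, e.g. asserting that `break_long_headers('<script>,' + 'x,' * 80)` returns a string containing `&lt;script&gt;` and no literal `<script>`. The signature and the opening of the docstring of break_long_headers are outside the hunk.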