[meta-python,kirkstone,5/5] python3-django: implement group method for FakeMatch

Message ID 20260114073440.210915-5-skandigraun@gmail.com
State New
Series [meta-python,kirkstone,1/5] python3-twisted: patch CVE-2022-24801

Commit Message

Gyorgy Sarvari Jan. 14, 2026, 7:34 a.m. UTC
This change is for python3-django_2.2.28.

This patch is an extension for CVE-2024-27351.patch. The class that patch
introduced wasn't completely suitable for this version of the recipe, because
it was accessing a function of it that was not implemented (the upstream
version that introduced this class did not use that function, it is specific
to this old version).

This patch adds the missing implementation to avoid errors.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 ...implement-group-method-for-FakeMatch.patch | 42 +++++++++++++++++++
 .../python/python3-django_2.2.28.bb           |  1 +
 2 files changed, 43 insertions(+)
 create mode 100644 meta-python/recipes-devtools/python/python3-django/0001-implement-group-method-for-FakeMatch.patch
Patch

diff --git a/meta-python/recipes-devtools/python/python3-django/0001-implement-group-method-for-FakeMatch.patch b/meta-python/recipes-devtools/python/python3-django/0001-implement-group-method-for-FakeMatch.patch
new file mode 100644
index 0000000000..450788b0fc
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-django/0001-implement-group-method-for-FakeMatch.patch
@@ -0,0 +1,42 @@ 
+From c78be5dd9f1772a22f3094d8c2cfe56bfb45b122 Mon Sep 17 00:00:00 2001
+From: Gyorgy Sarvari <skandigraun@gmail.com>
+Date: Wed, 14 Jan 2026 00:24:12 +0100
+Subject: [PATCH] implement group method for FakeMatch
+
+FakeMatch class was introduced in a backported CVE patch for this
+recipe (CVE-2024-27351). These objects are later accessed in
+django/utils/text.py module, in Truncator._truncate_html() method.
+It is treated as a regex.search() object.
+
+This function, at the time when the upstream project introduced this
+CVE patch was using array-style access, with brackets, so it
+worked, because the FakeMatch class implements the __getitem__()
+method. However in version 2.x, it was using group() access to
+access the matches - which is not implemented for this class, making
+these accesses fail:
+
+AttributeError: 'FakeMatch' object has no attribute 'group'
+
+To avoid this issue, this patch implements this method for this class.
+
+Upstream-Status: Inappropriate [Backport-specific]
+
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ django/utils/text.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/django/utils/text.py b/django/utils/text.py
+index e104b60..5033937 100644
+--- a/django/utils/text.py
++++ b/django/utils/text.py
+@@ -66,6 +66,9 @@ class FakeMatch:
+     def __init__(self, text, end):
+         self._text, self._end = text, end
+ 
++    def group(self, n):
++        return self[n]
++
+ 
+ # ----- End security-related performance workaround -----
+ 
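Review bot: `group(self, n)` in the FakeMatch hunk takes a mandatory argument, whereas `re.Match.group()` defaults to group 0 when called without arguments. The commit message says the object is treated as a regex search result in Truncator._truncate_html(), so any call of the form `m.group()` would fail with TypeError where a real match object would not. Consider `def group(self, n=0):` so the shim follows the default of the object it stands in for. The patch also adds no test; a regression test that drives the truncation path through FakeMatch would show the AttributeError quoted in the commit message is gone.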
diff --git a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
index 72485295a7..3b5491cd5e 100644
--- a/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
+++ b/meta-python/recipes-devtools/python/python3-django_2.2.28.bb
@@ -35,6 +35,7 @@  SRC_URI += "file://CVE-2023-31047.patch \
             file://Fix-undefined-_lazy_re_compile.patch \
             file://Fix-missing-JSONField-in-django.db.mo.patch \
             file://0001-Fixed-35172-Fixed-intcomma-for-string-floats.patch \
+            file://0001-implement-group-method-for-FakeMatch.patch \
            "
 
 SRC_URI[sha256sum] = "0200b657afbf1bc08003845ddda053c7641b9b24951e52acd51f6abda33a7413"
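Review bot: the added SRC_URI entry modifies the FakeMatch class that, per the commit message, comes from CVE-2024-27351.patch, but that entry is not in the visible context of this hunk, so the apply order cannot be confirmed here. Please check that CVE-2024-27351.patch is listed earlier in SRC_URI; if it is, appending the new file as the last entry is the right place. The file name also gives no hint that it is a follow-up to a CVE backport, so a name or a short comment tying it to CVE-2024-27351 would make the dependency clear to whoever next touches this list.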