Merge tag 'debian/3%4.2.20-1' into debian/bookworm-backports

tagging package python-django version debian/3%4.2.20-1

Merge tag 'debian/3%4.2.20-1' into debian/bookworm-backports
66ed02e3 · Colin Watson · 46026775 · 2a94486b · 66ed02e3 · 66ed02e3
Commit 66ed02e3 authored 3 months ago by Colin Watson
--- a/Django.egg-info/PKG-INFO
+++ b/Django.egg-info/PKG-INFO
 Metadata-Version: 2.1
 Name: Django
-Version: 4.2.19
+Version: 4.2.20
 Summary: A high-level Python web framework that encourages rapid development and clean, pragmatic design.
 Home-page: https://www.djangoproject.com/
 Author: Django Software Foundation

--- a/Django.egg-info/SOURCES.txt
+++ b/Django.egg-info/SOURCES.txt
@@ -4205,6 +4205,7 @@ docs/releases/4.2.17.txt
 docs/releases/4.2.18.txt
 docs/releases/4.2.19.txt
 docs/releases/4.2.2.txt
+docs/releases/4.2.20.txt
 docs/releases/4.2.3.txt
 docs/releases/4.2.4.txt
 docs/releases/4.2.5.txt

--- a/PKG-INFO
+++ b/PKG-INFO
 Metadata-Version: 2.1
 Name: Django
-Version: 4.2.19
+Version: 4.2.20
 Summary: A high-level Python web framework that encourages rapid development and clean, pragmatic design.
 Home-page: https://www.djangoproject.com/
 Author: Django Software Foundation

--- a/debian/changelog
+++ b/debian/changelog
-python-django (3:4.2.19-1~bpo12+1) bookworm-backports; urgency=medium
+python-django (3:4.2.20-1~bpo12+1) bookworm-backports; urgency=medium

  * Rebuild for bookworm-backports.

- -- Colin Watson <cjwatson@debian.org>  Sun, 02 Mar 2025 15:58:40 +0000
+ -- Colin Watson <cjwatson@debian.org>  Tue, 08 Apr 2025 15:19:16 +0100
+
+python-django (3:4.2.20-1) unstable; urgency=high
+
+  * New upstream security release:
+
+    - CVE-2025-26699: Address a potential denial-of-service in
+      django.utils.text.wrap. The wrap() method and wordwrap template filter
+      were subject to a potential denial-of-service attack when used with very
+      long strings. (Closes: #1099682)
+
+    <https://www.djangoproject.com/weblog/2025/mar/06/security-releases/>
+
+ -- Chris Lamb <lamby@debian.org>  Thu, 06 Mar 2025 17:55:06 +0000

 python-django (3:4.2.19-1) unstable; urgency=medium


--- a/django/__init__.py
+++ b/django/__init__.py
 from django.utils.version import get_version

-VERSION = (4, 2, 19, "final", 0)
+VERSION = (4, 2, 20, "final", 0)

 __version__ = get_version(VERSION)


--- a/django/utils/text.py
+++ b/django/utils/text.py
 import gzip
 import re
 import secrets
+import textwrap
 import unicodedata
 from gzip import GzipFile
 from gzip import compress as gzip_compress
@@ -97,24 +98,15 @@ def wrap(text, width):
    ``width``.
    """

-    def _generator():
-        for line in text.splitlines(True):  # True keeps trailing linebreaks
-            max_width = min((line.endswith("\n") and width + 1 or width), width)
-            while len(line) > max_width:
-                space = line[: max_width + 1].rfind(" ") + 1
-                if space == 0:
-                    space = line.find(" ") + 1
-                    if space == 0:
-                        yield line
-                        line = ""
-                        break
-                yield "%s\n" % line[: space - 1]
-                line = line[space:]
-                max_width = min((line.endswith("\n") and width + 1 or width), width)
-            if line:
-                yield line
-
-    return "".join(_generator())
+    wrapper = textwrap.TextWrapper(
+        width=width,
+        break_long_words=False,
+        break_on_hyphens=False,
+    )
+    result = []
+    for line in text.splitlines(True):
+        result.extend(wrapper.wrap(line))
+    return "\n".join(result)


 class Truncator(SimpleLazyObject):

--- a/docs/releases/4.2.20.txt
+++ b/docs/releases/4.2.20.txt
+===========================
+Django 4.2.20 release notes
+===========================
+
+*March 6, 2025*
+
+Django 4.2.20 fixes a security issue with severity "moderate" in 4.2.19.
+
+CVE-2025-26699: Potential denial-of-service vulnerability in ``django.utils.text.wrap()``
+=========================================================================================
+
+The ``wrap()`` and :tfilter:`wordwrap` template filter were subject to a
+potential denial-of-service attack when used with very long strings.
--- a/docs/releases/index.txt
+++ b/docs/releases/index.txt
@@ -26,6 +26,7 @@ versions of the documentation contain the release notes for any later releases.
 .. toctree::
   :maxdepth: 1

+   4.2.20
   4.2.19
   4.2.18
   4.2.17

--- a/tests/template_tests/filter_tests/test_wordwrap.py
+++ b/tests/template_tests/filter_tests/test_wordwrap.py
@@ -78,3 +78,14 @@ class FunctionTests(SimpleTestCase):
            "this is a long\nparagraph of\ntext that\nreally needs\nto be wrapped\n"
            "I'm afraid",
        )
+
+    def test_wrap_long_text(self):
+        long_text = (
+            "this is a long paragraph of text that really needs"
+            " to be wrapped I'm afraid " * 20_000
+        )
+        self.assertIn(
+            "this is a\nlong\nparagraph\nof text\nthat\nreally\nneeds to\nbe wrapped\n"
+            "I'm afraid",
+            wordwrap(long_text, 10),
+        )