From 1d9a07f88d0bbc54e119e82e4a9a99b0c82ac83f Mon Sep 17 00:00:00 2001
From: yinyongkang
Date: Wed, 4 Sep 2024 04:48:14 +0800
Subject: [PATCH] fix CVE-2024-21520
---
 ...1520-Fix-potential-XSS-vulnerability.patch | 25 +++++++++++++++++++
 python-django-rest-framework.spec | 8 ++++--
 2 files changed, 31 insertions(+), 2 deletions(-)
 create mode 100644 Backport-CVE-2024-21520-Fix-potential-XSS-vulnerability.patch
diff --git a/Backport-CVE-2024-21520-Fix-potential-XSS-vulnerability.patch b/Backport-CVE-2024-21520-Fix-potential-XSS-vulnerability.patch
new file mode 100644
index 0000000..a13bdb7
--- /dev/null
+++ b/Backport-CVE-2024-21520-Fix-potential-XSS-vulnerability.patch
@@ -0,0 +1,25 @@
+From 3b41f0124194430da957b119712978fa2266b642 Mon Sep 17 00:00:00 2001
+From: Seokchan Yoon
+Date: Fri, 14 Jun 2024 18:52:02 +0900
+Subject: [PATCH] Fix potential XSS vulnerability in break_long_headers
+ template filter (#9435)
+
+The header input is now properly escaped before splitting and joining with
 tags. This prevents potential XSS attacks if the header contains unsanitized user input.
+---
+ rest_framework/templatetags/rest_framework.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/rest_framework/templatetags/rest_framework.py b/rest_framework/templatetags/rest_framework.py
+index ccd9430..22f6f64 100644
+--- a/rest_framework/templatetags/rest_framework.py
++++ b/rest_framework/templatetags/rest_framework.py
+@@ -318,5 +318,5 @@ def break_long_headers(header):
+ when possible (are comma separated)
+ """
+ if len(header) > 160 and ',' in header:
+- header = mark_safe('
' + ',
'.join(header.split(','))) ++ header = mark_safe('
' + ',
'.join(escape(header).split(',')))
+ return header
+--
+2.43.0
+
diff --git a/python-django-rest-framework.spec b/python-django-rest-framework.spec
index 07e2b7a..4c5427b 100644
--- a/python-django-rest-framework.spec
+++ b/python-django-rest-framework.spec
@@ -1,13 +1,14 @@
 %global _empty_manifest_terminate_build 0
 Name: python-django-rest-framework
 Version: 3.14.0
-Release: 1
+Release: 2
 Summary: Web APIs for Django.
 License: BSD-3-Clause
 URL: https://github.com/encode/django-rest-framework
 Source0: https://github.com/encode/django-rest-framework/archive/refs/tags/3.14.0.tar.gz
 BuildArch: noarch
+Patch01: Backport-CVE-2024-21520-Fix-potential-XSS-vulnerability.patch
 %description
 Django REST framework is a powerful and flexible toolkit for building Web APIs.
@@ -27,7 +28,7 @@ Provides: python3-django-rest-framework-doc
 Django REST framework is a powerful and flexible toolkit for building Web APIs.
 %prep
-%autosetup -n django-rest-framework-%{version}
+%autosetup -n django-rest-framework-%{version} -p1
 %build
 %py3_build
@@ -67,6 +68,9 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*
 %changelog
+* Wed Sep 04 2024 yinyongkang - 3.14.0-2
+- Fix CVE-2024-21520
+
 * Wed Nov 16 2022 liqiuyu - 3.14.0-1
 - Update package to version 3.14.0
--
Gitee
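Review bot: The backported one-line change introduces a call to `escape(header)` without adding an import, so it silently assumes `escape` is already bound in 3.14.0's rest_framework/templatetags/rest_framework.py; the hunk header (`@@ -318,5 +318,5 @@`) comes from a newer upstream tree, and `%autosetup -p1` only fails on a context mismatch, not on a missing name, which would instead surface as a NameError at request time and only when a header longer than 160 characters containing a comma is rendered in the browsable API. Please confirm `from django.utils.html import escape` (or an equivalent binding) is present in the 3.14.0 module before merging; it presumably is, since upstream's single-line fix compiled there, but the backport target is several releases older. Note also that the `else` path of `break_long_headers` still returns the raw, unmarked string, which is safe only because Django's template autoescaping then handles it, so nobody should later wrap that return in `mark_safe`. `break_long_headers` begins outside the hunk (its `def` line appears only in the hunk header context).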