~ubuntu-branches/ubuntu/lucid/python-django/lucid-security


Viewing changes to debian/patches/CVE-2014-0480.patch

  • Committer: Package Import Robot
  • Author(s): Marc Deslauriers
  • Date: 2014-09-10 13:07:32 UTC
  • Revision ID: package-import@ubuntu.com-20140910130732-ggo4hojqf9z22axy
Tags: 1.1.1-2ubuntu1.13
* SECURITY UPDATE: incorrect url validation in core.urlresolvers.reverse
  - debian/patches/CVE-2014-0480.patch: prevent reverse() from generating
    URLs pointing to other hosts in django/core/urlresolvers.py, added
    tests to tests/regressiontests/urlpatterns_reverse/{tests,urls}.py.
  - CVE-2014-0480
* SECURITY UPDATE: denial of service via file upload handling
  - debian/patches/CVE-2014-0481.patch: remove O(n) algorithm in
    django/core/files/storage.py, updated docs in
    docs/howto/custom-file-storage.txt, added tests to
    tests/modeltests/files/models.py,
    tests/regressiontests/file_storage/tests.py, backport
    get_random_string() to django/utils/crypto.py.
  - CVE-2014-0481
* SECURITY UPDATE: web session hijack via REMOTE_USER header
  - debian/patches/CVE-2014-0482.patch: modified RemoteUserMiddleware to
    logout on REMOTE_USER change in django/contrib/auth/middleware.py,
    added test to django/contrib/auth/tests/remote_user.py.
  - CVE-2014-0482
* SECURITY UPDATE: data leak in contrib.admin via query string manipulation
  - debian/patches/CVE-2014-0483.patch: validate to_field in
    django/contrib/admin/{options,exceptions}.py,
    django/contrib/admin/views/main.py, added tests to
    tests/regressiontests/admin_views/tests.py.
  - debian/patches/CVE-2014-0483-bug23329.patch: regression fix in
    django/contrib/admin/options.py, added tests to
    tests/regressiontests/admin_views/{models,tests}.py.
  - debian/patches/CVE-2014-0483-bug23431.patch: regression fix in
    django/contrib/admin/options.py, added tests to
    tests/regressiontests/admin_views/{models,tests}.py.
  - CVE-2014-0483
* debian/patches/fix_invalid_link_ftbfs.patch: remove test causing FTBFS.

Backport of:
 
From c2fe73133b62a1d9e8f7a6b43966570b14618d7e Mon Sep 17 00:00:00 2001
From: Florian Apolloner <florian@apolloner.eu>
Date: Thu, 17 Jul 2014 21:59:28 +0200
Subject: [PATCH] [1.4.x] Prevented reverse() from generating URLs pointing to
 other hosts.
 
This is a security fix. Disclosure following shortly.
---
 django/core/urlresolvers.py                        |  2 ++
 docs/releases/1.4.14.txt                           | 13 +++++++++++++
 tests/regressiontests/urlpatterns_reverse/tests.py |  3 +++
 tests/regressiontests/urlpatterns_reverse/urls.py  |  3 +++
 4 files changed, 21 insertions(+)
 
Index: python-django-1.1.1/django/core/urlresolvers.py
===================================================================
--- python-django-1.1.1.orig/django/core/urlresolvers.py        2014-09-10 12:55:45.226841390 -0400
+++ python-django-1.1.1/django/core/urlresolvers.py     2014-09-10 12:55:45.222841390 -0400
@@ -310,6 +310,8 @@
                     unicode_kwargs = dict([(k, force_unicode(v)) for (k, v) in kwargs.items()])
                     candidate = result % unicode_kwargs
                 if re.search(u'^%s' % pattern, candidate, re.UNICODE):
+                    if candidate.startswith('/'):
+                        candidate = '%%2F%s' % candidate[1:]
                     return candidate
         # lookup_view can be URL label, or dotted path, or callable, Any of
         # these can be passed in at the top, but callables are not friendly in
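Review bot: the two added lines rewrite only a leading '/' in `candidate` and carry no comment saying why, so the guard risks being dropped later as redundant; please add a one-line comment above `if candidate.startswith('/'):` stating the purpose (the regression test in this same patch shows the intent: an argument of `'/example.com'` must reverse to `'/%2Fexample.com/security/'`, not to a scheme-relative `//example.com/security/` that points at another host). Two smaller points on the same hunk: the rewrite happens after the `re.search` match succeeds, so the value returned is deliberately no longer the string that matched the pattern, which is worth stating in that comment; and the stat block at the top of the patch lists `docs/releases/1.4.14.txt` among the four changed files while this backport touches only three, so the behaviour change is otherwise undocumented in this tree beyond the debian/changelog entry.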
Index: python-django-1.1.1/tests/regressiontests/urlpatterns_reverse/tests.py
===================================================================
--- python-django-1.1.1.orig/tests/regressiontests/urlpatterns_reverse/tests.py 2014-09-10 12:55:45.226841390 -0400
+++ python-django-1.1.1/tests/regressiontests/urlpatterns_reverse/tests.py      2014-09-10 12:55:45.222841390 -0400
@@ -100,8 +100,10 @@
     ('kwargs_view', '/arg_view/10/', [], {'arg1':10}),
     ('regressiontests.urlpatterns_reverse.views.absolute_kwargs_view', '/absolute_arg_view/', [], {}),
     ('regressiontests.urlpatterns_reverse.views.absolute_kwargs_view', '/absolute_arg_view/10/', [], {'arg1':10}),
-    ('non_path_include', '/includes/non_path_include/', [], {})
+    ('non_path_include', '/includes/non_path_include/', [], {}),
 
+    # Security tests
+    ('security', '/%2Fexample.com/security/', ['/example.com'], {}),
 )
 
 class URLPatternReverse(TestCase):
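Review bot: the new `('security', '/%2Fexample.com/security/', ['/example.com'], {})` entry covers only the case where the positional argument begins with `/`; add a sibling entry whose argument contains a slash that is not leading (for example `'a/example.com'` expected to reverse unchanged as `'/a/example.com/security/'`) so the tests pin down that only the first character is rewritten and the remainder of the path is left as is, otherwise a later change that encodes every `/` would still pass. The trailing comma added to the `non_path_include` entry is needed for the new tuple to parse and is fine.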
Index: python-django-1.1.1/tests/regressiontests/urlpatterns_reverse/urls.py
===================================================================
--- python-django-1.1.1.orig/tests/regressiontests/urlpatterns_reverse/urls.py  2014-09-10 12:55:45.226841390 -0400
+++ python-django-1.1.1/tests/regressiontests/urlpatterns_reverse/urls.py       2014-09-10 12:55:45.222841390 -0400
@@ -63,6 +63,9 @@
     
     url('^includes/', include(other_patterns)),
 
+    # Security tests
+    url('(.+)/security/$', empty_view, name='security'),
+
 )
 
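Review bot: the new pattern `'(.+)/security/$'` lacks the leading `^` anchor that the neighbouring `url('^includes/', ...)` entry uses, so it is anchored only at the end of the path and can match more of the test URL space than intended; writing it as `'^(.+)/security/$'` keeps it consistent with the rest of the file while still exercising the reverse() case the patch targets. The extra `+` blank line inserted before the closing `)` is stray whitespace and can be dropped.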