
Viewing changes to debian/patches/CVE-2014-0482.patch

  • Committer: Package Import Robot
  • Author(s): Marc Deslauriers
  • Date: 2014-09-10 13:07:32 UTC
  • Revision ID: package-import@ubuntu.com-20140910130732-ggo4hojqf9z22axy
Tags: 1.1.1-2ubuntu1.13
* SECURITY UPDATE: incorrect url validation in core.urlresolvers.reverse
  - debian/patches/CVE-2014-0480.patch: prevent reverse() from generating
    URLs pointing to other hosts in django/core/urlresolvers.py, added
    tests to tests/regressiontests/urlpatterns_reverse/{tests,urls}.py.
  - CVE-2014-0480
* SECURITY UPDATE: denial of service via file upload handling
  - debian/patches/CVE-2014-0481.patch: remove O(n) algorithm in
    django/core/files/storage.py, updated docs in
    docs/howto/custom-file-storage.txt, added tests to
    tests/modeltests/files/models.py,
    tests/regressiontests/file_storage/tests.py, backport
    get_random_string() to django/utils/crypto.py.
  - CVE-2014-0481
* SECURITY UPDATE: web session hijack via REMOTE_USER header
  - debian/patches/CVE-2014-0482.patch: modified RemoteUserMiddleware to
    logout on REMOTE_USER change in django/contrib/auth/middleware.py,
    added test to django/contrib/auth/tests/remote_user.py.
  - CVE-2014-0482
* SECURITY UPDATE: data leak in contrib.admin via query string manipulation
  - debian/patches/CVE-2014-0483.patch: validate to_field in
    django/contrib/admin/{options,exceptions}.py,
    django/contrib/admin/views/main.py, added tests to
    tests/regressiontests/admin_views/tests.py.
  - debian/patches/CVE-2014-0483-bug23329.patch: regression fix in
    django/contrib/admin/options.py, added tests to
    tests/regressiontests/admin_views/{models,tests}.py.
  - debian/patches/CVE-2014-0483-bug23431.patch: regression fix in
    django/contrib/admin/options.py, added tests to
    tests/regressiontests/admin_views/{models,tests}.py.
  - CVE-2014-0483
* debian/patches/fix_invalid_link_ftbfs.patch: remove test causing FTBFS.

 
1
Backport of:
 
2
 
 
3
From c9e3b9949cd55f090591fbdc4a114fcb8368b6d9 Mon Sep 17 00:00:00 2001
 
4
From: Preston Holmes <preston@ptone.com>
 
5
Date: Mon, 11 Aug 2014 12:04:53 -0400
 
6
Subject: [PATCH] [1.4.x] Fixed #23066 -- Modified RemoteUserMiddleware to
 
7
 logout on REMOTE_USE change.
 
8
 
 
9
This is a security fix. Disclosure following shortly.
 
10
---
 
11
 django/contrib/auth/middleware.py        | 28 +++++++++++++++++++++++++---
 
12
 django/contrib/auth/tests/remote_user.py | 18 ++++++++++++++++++
 
13
 docs/releases/1.4.14.txt                 |  9 +++++++++
 
14
 3 files changed, 52 insertions(+), 3 deletions(-)
 
15
 
 
16
Index: python-django-1.3.1/django/contrib/auth/middleware.py
 
17
===================================================================
 
18
--- python-django-1.3.1.orig/django/contrib/auth/middleware.py  2014-09-09 14:22:24.380826742 -0400
 
19
+++ python-django-1.3.1/django/contrib/auth/middleware.py       2014-09-09 14:22:24.376826742 -0400
 
20
@@ -1,4 +1,5 @@
 
21
 from django.contrib import auth
 
22
+from django.contrib.auth.backends import RemoteUserBackend
 
23
 from django.core.exceptions import ImproperlyConfigured
 
24
 
 
25
 
 
26
@@ -48,9 +49,11 @@
 
27
         try:
 
28
             username = request.META[self.header]
 
29
         except KeyError:
 
30
-            # If specified header doesn't exist then return (leaving
 
31
-            # request.user set to AnonymousUser by the
 
32
-            # AuthenticationMiddleware).
 
33
+            # If specified header doesn't exist then remove any existing
 
34
+            # authenticated remote-user, or return (leaving request.user set to
 
35
+            # AnonymousUser by the AuthenticationMiddleware).
 
36
+            if request.user.is_authenticated():
 
37
+                self._remove_invalid_user(request)
 
38
             return
 
39
         # If the user is already authenticated and that user is the user we are
 
40
         # getting passed in the headers, then the correct user is already
 
41
@@ -58,6 +61,11 @@
 
42
         if request.user.is_authenticated():
 
43
             if request.user.username == self.clean_username(username, request):
 
44
                 return
 
45
+            else:
 
46
+                # An authenticated user is associated with the request, but
 
47
+                # it does not match the authorized user in the header.
 
48
+                self._remove_invalid_user(request)
 
49
+
 
50
         # We are seeing this user for the first time in this session, attempt
 
51
         # to authenticate the user.
 
52
         user = auth.authenticate(remote_user=username)
 
53
@@ -79,3 +87,17 @@
 
54
         except AttributeError: # Backend has no clean_username method.
 
55
             pass
 
56
         return username
 
57
+
 
58
+    def _remove_invalid_user(self, request):
 
59
+        """
 
60
+        Removes the current authenticated user in the request which is invalid
 
61
+        but only if the user is authenticated via the RemoteUserBackend.
 
62
+        """
 
63
+        try:
 
64
+            stored_backend = auth.load_backend(request.session.get(auth.BACKEND_SESSION_KEY, ''))
 
65
+        except ImproperlyConfigured:
 
66
+            # backend failed to load
 
67
+            auth.logout(request)
 
68
+        else:
 
69
+            if isinstance(stored_backend, RemoteUserBackend):
 
70
+                auth.logout(request)
 
71
Index: python-django-1.3.1/django/contrib/auth/tests/remote_user.py
 
72
===================================================================
 
73
--- python-django-1.3.1.orig/django/contrib/auth/tests/remote_user.py   2014-09-09 14:22:24.380826742 -0400
 
74
+++ python-django-1.3.1/django/contrib/auth/tests/remote_user.py        2014-09-09 14:22:24.376826742 -0400
 
75
@@ -92,6 +92,24 @@
 
76
         response = self.client.get('/remote_user/', REMOTE_USER=self.known_user)
 
77
         self.assertEqual(default_login, response.context['user'].last_login)
 
78
 
 
79
+    def test_user_switch_forces_new_login(self):
 
80
+        """
 
81
+        Tests that if the username in the header changes between requests
 
82
+        that the original user is logged out
 
83
+        """
 
84
+        User.objects.create(username='knownuser')
 
85
+        # Known user authenticates
 
86
+        response = self.client.get('/remote_user/',
 
87
+                                   **{'REMOTE_USER': self.known_user})
 
88
+        self.assertEqual(response.context['user'].username, 'knownuser')
 
89
+        # During the session, the REMOTE_USER changes to a different user.
 
90
+        response = self.client.get('/remote_user/',
 
91
+                                   **{'REMOTE_USER': "newnewuser"})
 
92
+        # Ensure that the current user is not the prior remote_user
 
93
+        # In backends that create a new user, username is "newnewuser"
 
94
+        # In backends that do not create new users, it is '' (anonymous user)
 
95
+        self.assertNotEqual(response.context['user'].username, 'knownuser')
 
96
+
 
97
     def tearDown(self):
 
98
         """Restores settings to avoid breaking other tests."""
 
99
         settings.MIDDLEWARE_CLASSES = self.curr_middleware
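Review bot: In the new `_remove_invalid_user` (middleware.py hunk `@@ -79,3 +87,17 @@`; the enclosing middleware class starts outside the hunk) the only load failure handled is `ImproperlyConfigured`, while the lookup falls back to `''` whenever `auth.BACKEND_SESSION_KEY` is missing from the session; what `auth.load_backend('')` does is not visible here, and if it raises anything else the request errors out instead of the stale user being logged out. A session that carries an authenticated user but no backend key is exactly the case this fix treats as unverifiable, so it is clearer to handle it explicitly before the `try`: `if auth.BACKEND_SESSION_KEY not in request.session:` / `auth.logout(request)` / `return`. The docstring would also benefit from stating the policy the `except` branch implements, e.g. `Also logs the user out when the session's backend cannot be loaded, since its origin cannot be verified.` The same method is the one exercised by `test_user_switch_forces_new_login` in the remote_user.py hunk, so no separate note is raised there.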