~ubuntu-branches/ubuntu/saucy/python-django/saucy-updates


Viewing changes to debian/patches/CVE-2014-0472-regression.patch

  • Committer: Package Import Robot
  • Author(s): Marc Deslauriers
  • Date: 2014-04-22 23:12:52 UTC
  • Revision ID: package-import@ubuntu.com-20140422231252-8cu8s89mk8mik8ac
Tags: 1.5.4-1ubuntu1.2
* SECURITY REGRESSION: security fix regression when a view is a partial
  (LP: #1311433)
  - debian/patches/CVE-2014-0472-regression.patch: create the lookup_str
    from the original function whenever a partial is provided as an
    argument to a url pattern in django/core/urlresolvers.py,
    added tests to tests/regressiontests/urlpatterns_reverse/urls.py,
    tests/regressiontests/urlpatterns_reverse/views.py.
  - CVE-2014-0472

 
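--- a/debian/patches/CVE-2014-0472-regression.patch
+++ b/debian/patches/CVE-2014-0472-regression.patch
@@ -0,0 +1,84 @@
+Backport of:
+ 
+From b63ae5c60619a257ad57cf6043e71f681283e47b Mon Sep 17 00:00:00 2001
+From: Preston Timmons <prestontimmons@gfa.org>
+Date: Tue, 22 Apr 2014 20:19:46 +0000
+Subject: [PATCH] Fixed #22486 -- Reverse raises AttributeError on partial
+ functions.
+ 
+Create the lookup_str from the original function whenever a partial
+is provided as an argument to a url pattern.
+---
+ django/core/urlresolvers.py        |  4 ++++
+ tests/urlpatterns_reverse/urls.py  |  6 +++++-
+ tests/urlpatterns_reverse/views.py | 10 ++++++++++
+ 3 files changed, 19 insertions(+), 1 deletion(-)
+ 
+Index: python-django-1.5.4/django/core/urlresolvers.py
+===================================================================
+--- python-django-1.5.4.orig/django/core/urlresolvers.py        2014-04-22 23:11:17.740353457 -0400
++++ python-django-1.5.4/django/core/urlresolvers.py     2014-04-22 23:11:48.292353952 -0400
+@@ -8,6 +8,7 @@
+ """
+ from __future__ import unicode_literals
+ 
++import functools
+ import re
+ from threading import local
+ 
+@@ -269,6 +270,9 @@
+                 self._callback_strs.add(pattern._callback_str)
+             elif hasattr(pattern, '_callback'):
+                 callback = pattern._callback
++                if isinstance(callback, functools.partial):
++                    callback = callback.func
++
+                 if not hasattr(callback, '__name__'):
+                     lookup_str = callback.__module__ + "." + callback.__class__.__name__
+                 else:
+Index: python-django-1.5.4/tests/regressiontests/urlpatterns_reverse/urls.py
+===================================================================
+--- python-django-1.5.4.orig/tests/regressiontests/urlpatterns_reverse/urls.py  2014-04-22 23:11:17.740353457 -0400
++++ python-django-1.5.4/tests/regressiontests/urlpatterns_reverse/urls.py       2014-04-22 23:12:02.688354185 -0400
+@@ -2,7 +2,7 @@
+ 
+ from django.conf.urls import patterns, url, include
+ 
+-from .views import empty_view, absolute_kwargs_view
++from .views import empty_view, empty_view_partial, empty_view_wrapped, absolute_kwargs_view
+ 
+ 
+ other_patterns = patterns('',
+@@ -53,6 +53,10 @@
+             include('regressiontests.urlpatterns_reverse.included_urls')),
+     url('', include('regressiontests.urlpatterns_reverse.extra_urls')),
+ 
++    # Partials should be fine.
++    url(r'^partial/', empty_view_partial, name="partial"),
++    url(r'^partial_wrapped/', empty_view_wrapped, name="partial_wrapped"),
++
+     # This is non-reversible, but we shouldn't blow up when parsing it.
+     url(r'^(?:foo|bar)(\w+)/$', empty_view, name="disjunction"),
+ 
+Index: python-django-1.5.4/tests/regressiontests/urlpatterns_reverse/views.py
+===================================================================
+--- python-django-1.5.4.orig/tests/regressiontests/urlpatterns_reverse/views.py 2014-04-22 23:11:17.740353457 -0400
++++ python-django-1.5.4/tests/regressiontests/urlpatterns_reverse/views.py      2014-04-22 23:11:17.740353457 -0400
+@@ -1,3 +1,5 @@
++from functools import partial, update_wrapper
++
+ from django.http import HttpResponse
+ from django.views.generic import RedirectView
+ from django.core.urlresolvers import reverse_lazy
+@@ -45,3 +47,11 @@
+ 
+ def bad_view(request, *args, **kwargs):
+     raise ValueError("I don't think I'm getting good value for this view")
++
++
++empty_view_partial = partial(empty_view, template_name="template.html")
++
++
++empty_view_wrapped = update_wrapper(
++    partial(empty_view, template_name="template.html"), empty_view,
++)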
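Review bot: The unwrap added in the `django/core/urlresolvers.py` hunk (`@@ -269,6 +270,9 @@`) peels only one layer, so a partial built from another partial would leave `callback` a `functools.partial` and fall through to the `callback.__module__` line below. That is presumably where the reported AttributeError came from on interpreters that do not flatten nested partials. Looping instead, `while isinstance(callback, functools.partial):` followed by `callback = callback.func`, would cover that case without changing the single-partial path. Since `lookup_str` appears to feed the `_callback_strs` set introduced for CVE-2014-0472, a short comment such as `# Register the wrapped function's dotted path, not the partial's` would record why the unwrap belongs here. The new `partial` and `partial_wrapped` URL entries exercise this path only implicitly (no assertion on them is visible in the patch), and the enclosing method starts and ends outside the hunk.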