[Python-modules-commits] r1683 - in /packages/python-django/trunk/debian: changelog patches/03_sec_fix_compile-messages.diff patches/04_sec_fix_auth.diff

hertzog at users.alioth.debian.org
Fri Jan 19 17:55:26 CET 2007


Author: hertzog
Date: Fri Jan 19 17:55:25 2007
New Revision: 1683

URL: http://svn.debian.org/wsvn/python-modules/?sc=1&rev=1683
Log:
Include 2 upstream bugfixes in our 0.95 release.

Added:
    packages/python-django/trunk/debian/patches/03_sec_fix_compile-messages.diff
    packages/python-django/trunk/debian/patches/04_sec_fix_auth.diff
Modified:
    packages/python-django/trunk/debian/changelog

Modified: packages/python-django/trunk/debian/changelog
URL: http://svn.debian.org/wsvn/python-modules/packages/python-django/trunk/debian/changelog?rev=1683&op=diff
==============================================================================
--- packages/python-django/trunk/debian/changelog (original)
+++ packages/python-django/trunk/debian/changelog Fri Jan 19 17:55:25 2007
@@ -1,3 +1,18 @@
+python-django (0.95-3) unstable; urgency=low
+
+  * Integrate 2 upstream changesets:
+    - http://code.djangoproject.com/changeset/3754 as
+      debian/patches/04_sec_fix_auth.diff
+      Fixes a possible case of mis-authentication due to bad caching.
+      Closes: #407521
+    - http://code.djangoproject.com/changeset/3592 as
+      debian/patches/03_sec_fix_compile-messages.diff
+      Fixes an (unlikely) arbitrary command execution if the user is blindly
+      running compile-messages.py on a untrusted set of *.po files.
+      Closes: #407519
+
+ -- Raphael Hertzog <hertzog at debian.org>  Sat, 16 Dec 2006 15:13:29 +0100
+
 python-django (0.95-2) unstable; urgency=low
 
   [ Piotr Ozarowski ]
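Review bot: the trailer date on the new 0.95-3 entry (Sat, 16 Dec 2006) is more than a month older than this commit (Fri, 19 Jan 2007); refresh it to the actual upload time before building, since tools that read the changelog use that date. One wording fix in the same entry: "on a untrusted set of *.po files" should read "on an untrusted set of *.po files". Recording both upstream changeset URLs next to the patch file names is the right thing to do here, as it makes it clear which patches can be dropped at the next upstream release.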

Added: packages/python-django/trunk/debian/patches/03_sec_fix_compile-messages.diff
URL: http://svn.debian.org/wsvn/python-modules/packages/python-django/trunk/debian/patches/03_sec_fix_compile-messages.diff?rev=1683&op=file
==============================================================================
--- packages/python-django/trunk/debian/patches/03_sec_fix_compile-messages.diff (added)
+++ packages/python-django/trunk/debian/patches/03_sec_fix_compile-messages.diff Fri Jan 19 17:55:25 2007
@@ -1,0 +1,18 @@
+Index: /django/trunk/django/bin/compile-messages.py
+===================================================================
+--- django/bin/compile-messages.py (revision 3590)
++++ django/bin/compile-messages.py (revision 3592)
+@@ -20,5 +20,12 @@
+                 sys.stderr.write('processing file %s in %s\n' % (f, dirpath))
+                 pf = os.path.splitext(os.path.join(dirpath, f))[0]
+-                cmd = 'msgfmt -o "%s.mo" "%s.po"' % (pf, pf)
++                # Store the names of the .mo and .po files in an environment
++                # variable, rather than doing a string replacement into the
++                # command, so that we can take advantage of shell quoting, to
++                # quote any malicious characters/escaping.
++                # See http://cyberelk.net/tim/articles/cmdline/ar01s02.html
++                os.environ['djangocompilemo'] = pf + '.mo'
++                os.environ['djangocompilepo'] = pf + '.po'
++                cmd = 'msgfmt -o "$djangocompilemo" "$djangocompilepo"'
+                 os.system(cmd)
+ 
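Review bot: the rewritten command still goes through os.system, so the protection comes from the shell expanding "$djangocompilemo" and "$djangocompilepo" inside double quotes, where the expanded value is not re-parsed for metacharacters; that does close the injection in the old 'msgfmt -o "%s.mo" "%s.po"' % (pf, pf) string, where a quote or backtick in a .po file name ended up in the command line verbatim. An argv-style call with no shell at all would remove the dependence on shell quoting semantics, for example subprocess.call(['msgfmt', '-o', pf + '.mo', pf + '.po']), if the supported Python versions allow it. Two smaller points: the two environment variables remain set in the process after the loop, and the return value of os.system(cmd) is discarded, so a failing msgfmt run goes unreported.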

Added: packages/python-django/trunk/debian/patches/04_sec_fix_auth.diff
URL: http://svn.debian.org/wsvn/python-modules/packages/python-django/trunk/debian/patches/04_sec_fix_auth.diff?rev=1683&op=file
==============================================================================
--- packages/python-django/trunk/debian/patches/04_sec_fix_auth.diff (added)
+++ packages/python-django/trunk/debian/patches/04_sec_fix_auth.diff Fri Jan 19 17:55:25 2007
@@ -1,0 +1,19 @@
+Index: /django/trunk/django/contrib/auth/middleware.py
+===================================================================
+--- django/contrib/auth/middleware.py (revision 3226)
++++ django/contrib/auth/middleware.py (revision 3754)
+@@ -1,11 +1,8 @@
+ class LazyUser(object):
+-    def __init__(self):
+-        self._user = None
+-
+     def __get__(self, request, obj_type=None):
+-        if self._user is None:
++        if not hasattr(request, '_cached_user'):
+             from django.contrib.auth import get_user
+-            self._user = get_user(request)
+-        return self._user
++            request._cached_user = get_user(request)
++        return request._cached_user
+ 
+ class AuthenticationMiddleware(object):
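Review bot: the removed self._user cache lived on the LazyUser descriptor instance itself, and a descriptor is installed on a class rather than created per request, so that cache was shared by every request served in the same process: once one request's user had been resolved, later requests in that process were handed the same user object. Moving the cache to request._cached_user makes it per request, which is the "mis-authentication due to bad caching" the changelog refers to. Two follow-ups worth asking upstream for: a comment above __get__ stating that the descriptor must stay stateless, so the class-level cache is not reintroduced by a later refactor, and a regression test that sends two requests with different sessions through the same AuthenticationMiddleware instance and asserts that they resolve to different users.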
