[Python-modules-commits] r15225 - in packages/python-django/branches/squeeze/debian (4 files)
hertzog at users.alioth.debian.org
Sat Jan 1 20:58:38 UTC 2011
Date: Saturday, January 1, 2011 @ 20:58:36
Author: hertzog
Revision: 15225
* Squeeze upload with security fixes only:
http://www.djangoproject.com/weblog/2010/dec/22/security/
* Add patches 08_fix_info_leakage.diff and 09_fix_dos_password_reset.diff
taken from the upstream SVN repository. They did not apply cleanly; I had to
drop a test.
Added:
packages/python-django/branches/squeeze/debian/patches/08_fix_info_leakage.diff
packages/python-django/branches/squeeze/debian/patches/09_fix_dos_password_reset.diff
Modified:
packages/python-django/branches/squeeze/debian/changelog
packages/python-django/branches/squeeze/debian/patches/series
Modified: packages/python-django/branches/squeeze/debian/changelog
===================================================================
--- packages/python-django/branches/squeeze/debian/changelog 2011-01-01 19:50:30 UTC (rev 15224)
+++ packages/python-django/branches/squeeze/debian/changelog 2011-01-01 20:58:36 UTC (rev 15225)
@@ -1,3 +1,13 @@
+python-django (1.2.3-3) testing; urgency=high
+
+ * Squeeze upload with security fixes only:
+ http://www.djangoproject.com/weblog/2010/dec/22/security/
+ * Add patches 08_fix_info_leakage.diff and 09_fix_dos_password_reset.diff
+ taken from upstream SVN repository. They did not apply cleanly, I had to
+ drop a test.
+
+ -- Raphaël Hertzog <hertzog at debian.org> Sat, 01 Jan 2011 21:05:27 +0100
+
python-django (1.2.3-2) unstable; urgency=low
* Team upload.
Added: packages/python-django/branches/squeeze/debian/patches/08_fix_info_leakage.diff
===================================================================
--- packages/python-django/branches/squeeze/debian/patches/08_fix_info_leakage.diff (rev 0)
+++ packages/python-django/branches/squeeze/debian/patches/08_fix_info_leakage.diff 2011-01-01 20:58:36 UTC (rev 15225)
@@ -0,0 +1,126 @@
+Description: Fix information leakage in Django administrative interface
+ http://www.djangoproject.com/weblog/2010/dec/22/security/
+Origin: upstream, http://code.djangoproject.com/changeset/15033
+
+--- a/django/contrib/admin/options.py
++++ b/django/contrib/admin/options.py
+@@ -10,7 +10,9 @@ from django.contrib import messages
+ from django.views.decorators.csrf import csrf_protect
+ from django.core.exceptions import PermissionDenied, ValidationError
+ from django.db import models, transaction
+-from django.db.models.fields import BLANK_CHOICE_DASH
++from django.db.models.related import RelatedObject
++from django.db.models.fields import BLANK_CHOICE_DASH, FieldDoesNotExist
++from django.db.models.sql.constants import LOOKUP_SEP, QUERY_TERMS
+ from django.http import Http404, HttpResponse, HttpResponseRedirect
+ from django.shortcuts import get_object_or_404, render_to_response
+ from django.utils.decorators import method_decorator
+@@ -183,6 +185,30 @@ class BaseModelAdmin(object):
+ def get_readonly_fields(self, request, obj=None):
+ return self.readonly_fields
+
++ def lookup_allowed(self, lookup):
++ parts = lookup.split(LOOKUP_SEP)
++
++ # Last term in lookup is a query term (__exact, __startswith etc)
++ # This term can be ignored.
++ if len(parts) > 1 and parts[-1] in QUERY_TERMS:
++ parts.pop()
++
++ # Special case -- foo__id__exact and foo__id queries are implied
++ # if foo has been specificially included in the lookup list; so
++ # drop __id if it is the last part.
++ if len(parts) > 1 and parts[-1] == self.model._meta.pk.name:
++ parts.pop()
++
++ try:
++ self.model._meta.get_field_by_name(parts[0])
++ except FieldDoesNotExist:
++ # Lookups on non-existants fields are ok, since they're ignored
++ # later.
++ return True
++ else:
++ clean_lookup = LOOKUP_SEP.join(parts)
++ return clean_lookup in self.list_filter or clean_lookup == self.date_hierarchy
++
+ class ModelAdmin(BaseModelAdmin):
+ "Encapsulates all admin options and functionality for a given model."
+
+--- a/django/contrib/admin/views/main.py
++++ b/django/contrib/admin/views/main.py
+@@ -1,6 +1,7 @@
+ from django.contrib.admin.filterspecs import FilterSpec
+ from django.contrib.admin.options import IncorrectLookupParameters
+ from django.contrib.admin.util import quote
++from django.core.exceptions import SuspiciousOperation
+ from django.core.paginator import Paginator, InvalidPage
+ from django.db import models
+ from django.db.models.query import QuerySet
+@@ -187,13 +188,18 @@ class ChangeList(object):
+ else:
+ lookup_params[key] = True
+
++ if not self.model_admin.lookup_allowed(key):
++ raise SuspiciousOperation(
++ "Filtering by %s not allowed" % key
++ )
++
+ # Apply lookup parameters from the query string.
+ try:
+ qs = qs.filter(**lookup_params)
+ # Naked except! Because we don't have any other way of validating "params".
+ # They might be invalid if the keyword arguments are incorrect, or if the
+ # values are not in the correct type, so we might get FieldError, ValueError,
+- # ValicationError, or ? from a custom field that raises yet something else
++ # ValicationError, or ? from a custom field that raises yet something else
+ # when handed impossible data.
+ except:
+ raise IncorrectLookupParameters
+--- a/tests/regressiontests/admin_views/models.py
++++ b/tests/regressiontests/admin_views/models.py
+@@ -92,7 +92,7 @@ class ChapterInline(admin.TabularInline)
+
+ class ArticleAdmin(admin.ModelAdmin):
+ list_display = ('content', 'date', callable_year, 'model_year', 'modeladmin_year')
+- list_filter = ('date',)
++ list_filter = ('date', 'section')
+
+ def changelist_view(self, request):
+ "Test that extra_context works"
+@@ -584,6 +584,9 @@ class Album(models.Model):
+ owner = models.ForeignKey(User)
+ title = models.CharField(max_length=30)
+
++class AlbumAdmin(admin.ModelAdmin):
++ list_filter = ['title']
++
+ admin.site.register(Article, ArticleAdmin)
+ admin.site.register(CustomArticle, CustomArticleAdmin)
+ admin.site.register(Section, save_as=True, inlines=[ArticleInline])
+@@ -630,4 +633,4 @@ admin.site.register(Promo)
+ admin.site.register(ChapterXtra1)
+ admin.site.register(Pizza, PizzaAdmin)
+ admin.site.register(Topping)
+-admin.site.register(Album)
++admin.site.register(Album, AlbumAdmin)
+--- a/tests/regressiontests/admin_views/tests.py
++++ b/tests/regressiontests/admin_views/tests.py
+@@ -3,6 +3,7 @@
+ import re
+ import datetime
+ from django.conf import settings
++from django.core.exceptions import SuspiciousOperation
+ from django.core.files import temp as tempfile
+ from django.contrib.auth import admin # Register auth models with the admin.
+ from django.contrib.auth.models import User, Permission, UNUSABLE_PASSWORD
+@@ -297,6 +298,10 @@ class AdminViewBasicTest(TestCase):
+ self.assertContains(response, 'Choisir une heure')
+ deactivate()
+
++ def test_disallowed_filtering(self):
++ self.assertRaises(SuspiciousOperation,
++ self.client.get, "/test_admin/admin/admin_views/album/?owner__email__startswith=fuzzy"
++ )
+
+ class SaveAsTests(TestCase):
+ fixtures = ['admin-views-users.xml','admin-views-person.xml']
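Review bot: The pk-stripping step in `lookup_allowed` (`if len(parts) > 1 and parts[-1] == self.model._meta.pk.name`) compares the trailing part against the admin model's own primary-key name, although for a path like `owner__id__exact` that trailing part names the related model's pk; it therefore only strips `__<pk>` when the two models happen to share a pk name (both `id`), and otherwise rejects a lookup whose base relation is in `list_filter`. If widening it is out of scope for a backport, a comment on that line such as `# NOTE: compares against this model's pk name, not the related model's; foo__<relpk> is only stripped when the names coincide` would keep the next reader from treating it as general. The `SuspiciousOperation` raised in `ChangeList` for a user-controlled query-string key is, as far as I recall for this Django line, not translated into a 400 by the request handler, so a disallowed filter surfaces as a server error; the new `test_disallowed_filtering` only asserts that the exception propagates out of the test client. The `RelatedObject` import added to options.py is not used by any line this patch adds. `lookup_allowed` is complete within the hunk, but the `ChangeList` method the check is inserted into starts and ends outside it.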
Added: packages/python-django/branches/squeeze/debian/patches/09_fix_dos_password_reset.diff
===================================================================
--- packages/python-django/branches/squeeze/debian/patches/09_fix_dos_password_reset.diff (rev 0)
+++ packages/python-django/branches/squeeze/debian/patches/09_fix_dos_password_reset.diff 2011-01-01 20:58:36 UTC (rev 15225)
@@ -0,0 +1,38 @@
+Description: Fix denial-of-service attack in password-reset mechanism
+ http://www.djangoproject.com/weblog/2010/dec/22/security/
+Origin: upstream, http://code.djangoproject.com/changeset/15034
+
+--- a/django/contrib/auth/urls.py
++++ b/django/contrib/auth/urls.py
+@@ -1,4 +1,4 @@
+-# These URLs are normally mapped to /admin/urls.py. This URLs file is
++# These URLs are normally mapped to /admin/urls.py. This URLs file is
+ # provided as a convenience to those who want to deploy these URLs elsewhere.
+ # This file is also used to provide a reliable view deployment for test purposes.
+
+@@ -11,7 +11,7 @@ urlpatterns = patterns('',
+ (r'^password_change/done/$', 'django.contrib.auth.views.password_change_done'),
+ (r'^password_reset/$', 'django.contrib.auth.views.password_reset'),
+ (r'^password_reset/done/$', 'django.contrib.auth.views.password_reset_done'),
+- (r'^reset/(?P<uidb36>[0-9A-Za-z]+)-(?P<token>.+)/$', 'django.contrib.auth.views.password_reset_confirm'),
++ (r'^reset/(?P<uidb36>[0-9A-Za-z]{1,13})-(?P<token>[0-9A-Za-z]{1,13}-[0-9A-Za-z]{1,20})/$', 'django.contrib.auth.views.password_reset_confirm'),
+ (r'^reset/done/$', 'django.contrib.auth.views.password_reset_complete'),
+ )
+
+--- a/django/utils/http.py
++++ b/django/utils/http.py
+@@ -73,8 +73,13 @@ def http_date(epoch_seconds=None):
+
+ def base36_to_int(s):
+ """
+- Convertd a base 36 string to an integer
++ Converts a base 36 string to an ``int``. To prevent
++ overconsumption of server resources, raises ``ValueError` if the
++ input is longer than 13 base36 digits (13 digits is sufficient to
++ base36-encode any 64-bit integer).
+ """
++ if len(s) > 13:
++ raise ValueError("Base36 input too large")
+ return int(s, 36)
+
+ def int_to_base36(i):
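Review bot: The new docstring in `base36_to_int` has unbalanced markup — the `ValueError` reference opens with two backticks and closes with one, so it should be written with matching double backticks on both sides. The length guard bounds the input to 13 characters, but `int(s, 36)` still accepts surrounding whitespace and a leading sign, so inputs such as `-1` or ` 1` pass it; the tightened `uidb36` pattern in urls.py (`[0-9A-Za-z]{1,13}`) is what actually restricts the alphabet at the route, and a comment like `# 13 digits caps the work int() does; the URL pattern, not this check, restricts the alphabet` would make that division of responsibility explicit. The first urls.py hunk changes only trailing whitespace on a comment line.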
Modified: packages/python-django/branches/squeeze/debian/patches/series
===================================================================
--- packages/python-django/branches/squeeze/debian/patches/series 2011-01-01 19:50:30 UTC (rev 15224)
+++ packages/python-django/branches/squeeze/debian/patches/series 2011-01-01 20:58:36 UTC (rev 15225)
@@ -4,3 +4,5 @@
05_fix_regression_tests.diff
06_fix_regression_tests.diff
07_disable_url_verify_model_tests.diff
+08_fix_info_leakage.diff
+09_fix_dos_password_reset.diff