[Python-modules-commits] r18823 - in packages/python-django/branches/squeeze/debian (5 files)
hertzog at users.alioth.debian.org
Thu Oct 6 12:02:34 UTC 2011
Date: Thursday, October 6, 2011 @ 12:02:32
Author: hertzog
Revision: 18823
* Stable security upload:
https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/
* Apply/backport the 3 security patches:
- debian/patches/13_fix_safety_issue_with_session_data.diff
- debian/patches/14_fix_dos_with_urlfield.diff
- debian/patches/15_fix_spoofing_issue_with_x_forwarded_host.diff
Closes: #641405
Added:
packages/python-django/branches/squeeze/debian/patches/13_fix_safety_issue_with_session_data.diff
packages/python-django/branches/squeeze/debian/patches/14_fix_dos_with_urlfield.diff
packages/python-django/branches/squeeze/debian/patches/15_fix_spoofing_issue_with_x_forwarded_host.diff
Modified:
packages/python-django/branches/squeeze/debian/changelog
packages/python-django/branches/squeeze/debian/patches/series
Modified: packages/python-django/branches/squeeze/debian/changelog
===================================================================
--- packages/python-django/branches/squeeze/debian/changelog 2011-10-06 12:01:36 UTC (rev 18822)
+++ packages/python-django/branches/squeeze/debian/changelog 2011-10-06 12:02:32 UTC (rev 18823)
@@ -1,3 +1,15 @@
+python-django (1.2.3-3+squeeze2) stable-security; urgency=low
+
+ * Stable security upload:
+ https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/
+ * Apply/backport the 3 security patches:
+ - debian/patches/13_fix_safety_issue_with_session_data.diff
+ - debian/patches/14_fix_dos_with_urlfield.diff
+ - debian/patches/15_fix_spoofing_issue_with_x_forwarded_host.diff
+ Closes: #641405
+
+ -- Raphaël Hertzog <hertzog at debian.org> Thu, 06 Oct 2011 12:20:30 +0200
+
python-django (1.2.3-3+squeeze1) stable-security; urgency=high
* Stable security upload:
Added: packages/python-django/branches/squeeze/debian/patches/13_fix_safety_issue_with_session_data.diff
===================================================================
--- packages/python-django/branches/squeeze/debian/patches/13_fix_safety_issue_with_session_data.diff (rev 0)
+++ packages/python-django/branches/squeeze/debian/patches/13_fix_safety_issue_with_session_data.diff 2011-10-06 12:02:32 UTC (rev 18823)
@@ -0,0 +1,89 @@
+Description: Avoid manipulation of session data via the cache
+ Corrected an issue which could allow attackers to manipulate session data
+ using the cache.
+Origin: upstream, https://code.djangoproject.com/changeset/16765
+Bug: https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/
+
+--- a/django/contrib/sessions/backends/cached_db.py
++++ b/django/contrib/sessions/backends/cached_db.py
+@@ -6,6 +6,8 @@ from django.conf import settings
+ from django.contrib.sessions.backends.db import SessionStore as DBStore
+ from django.core.cache import cache
+
++KEY_PREFIX = "django.contrib.sessions.cached_db"
++
+ class SessionStore(DBStore):
+ """
+ Implements cached, database backed sessions.
+@@ -15,10 +17,11 @@ class SessionStore(DBStore):
+ super(SessionStore, self).__init__(session_key)
+
+ def load(self):
+- data = cache.get(self.session_key, None)
++ data = cache.get(KEY_PREFIX + self.session_key, None)
+ if data is None:
+ data = super(SessionStore, self).load()
+- cache.set(self.session_key, data, settings.SESSION_COOKIE_AGE)
++ cache.set(KEY_PREFIX + self.session_key, data,
++ settings.SESSION_COOKIE_AGE)
+ return data
+
+ def exists(self, session_key):
+@@ -26,11 +29,12 @@ class SessionStore(DBStore):
+
+ def save(self, must_create=False):
+ super(SessionStore, self).save(must_create)
+- cache.set(self.session_key, self._session, settings.SESSION_COOKIE_AGE)
++ cache.set(KEY_PREFIX + self.session_key, self._session,
++ settings.SESSION_COOKIE_AGE)
+
+ def delete(self, session_key=None):
+ super(SessionStore, self).delete(session_key)
+- cache.delete(session_key or self.session_key)
++ cache.delete(KEY_PREFIX + (session_key or self.session_key))
+
+ def flush(self):
+ """
+--- a/django/contrib/sessions/backends/cache.py
++++ b/django/contrib/sessions/backends/cache.py
+@@ -1,6 +1,8 @@
+ from django.contrib.sessions.backends.base import SessionBase, CreateError
+ from django.core.cache import cache
+
++KEY_PREFIX = "django.contrib.sessions.cache"
++
+ class SessionStore(SessionBase):
+ """
+ A cache-based session store.
+@@ -10,7 +12,7 @@ class SessionStore(SessionBase):
+ super(SessionStore, self).__init__(session_key)
+
+ def load(self):
+- session_data = self._cache.get(self.session_key)
++ session_data = self._cache.get(KEY_PREFIX + self.session_key)
+ if session_data is not None:
+ return session_data
+ self.create()
+@@ -37,13 +39,13 @@ class SessionStore(SessionBase):
+ func = self._cache.add
+ else:
+ func = self._cache.set
+- result = func(self.session_key, self._get_session(no_load=must_create),
++ result = func(KEY_PREFIX + self.session_key, self._get_session(no_load=must_create),
+ self.get_expiry_age())
+ if must_create and not result:
+ raise CreateError
+
+ def exists(self, session_key):
+- if self._cache.has_key(session_key):
++ if self._cache.has_key(KEY_PREFIX + session_key):
+ return True
+ return False
+
+@@ -52,5 +54,5 @@ class SessionStore(SessionBase):
+ if self._session_key is None:
+ return
+ session_key = self._session_key
+- self._cache.delete(session_key)
++ self._cache.delete(KEY_PREFIX + session_key)
+
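Review bot: Switching the cache key from `self.session_key` to `KEY_PREFIX + self.session_key` makes every session already stored under the unprefixed key unreachable after the upgrade; in cache.py `load()` then gets `None` and calls `self.create()`, so the pure cache backend drops all live sessions, whereas the cached_db backend only takes a cache miss and reloads from the database. That is the intended namespace isolation, but it is a visible change for stable users of the cache backend and deserves a debian/NEWS entry or a changelog line saying that existing cache-backed sessions are invalidated on upgrade. The `flush()` body in cached_db.py continues outside the hunk, so whether it is prefix-aware cannot be checked here.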
Added: packages/python-django/branches/squeeze/debian/patches/14_fix_dos_with_urlfield.diff
===================================================================
--- packages/python-django/branches/squeeze/debian/patches/14_fix_dos_with_urlfield.diff (rev 0)
+++ packages/python-django/branches/squeeze/debian/patches/14_fix_dos_with_urlfield.diff 2011-10-06 12:02:32 UTC (rev 18823)
@@ -0,0 +1,42 @@
+Description: Fix denial of service attack via URLField
+ Note that changes on tests/modeltests/validation/tests.py have been
+ dropped as they are already present in the patch
+ 07_disable_url_verify_model_tests.diff.
+Origin: upstream, https://code.djangoproject.com/changeset/16766
+Bug: https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/
+
+--- a/django/db/models/fields/__init__.py
++++ b/django/db/models/fields/__init__.py
+@@ -1111,7 +1111,7 @@ class TimeField(Field):
+ class URLField(CharField):
+ description = _("URL")
+
+- def __init__(self, verbose_name=None, name=None, verify_exists=True, **kwargs):
++ def __init__(self, verbose_name=None, name=None, verify_exists=False, **kwargs):
+ kwargs['max_length'] = kwargs.get('max_length', 200)
+ CharField.__init__(self, verbose_name, name, **kwargs)
+ self.validators.append(validators.URLValidator(verify_exists=verify_exists))
+--- a/docs/ref/models/fields.txt
++++ b/docs/ref/models/fields.txt
+@@ -796,7 +796,7 @@ shortcuts.
+ ``URLField``
+ ------------
+
+-.. class:: URLField([verify_exists=True, max_length=200, **options])
++.. class:: URLField([verify_exists=False, max_length=200, **options])
+
+ A :class:`CharField` for a URL. Has one extra optional argument:
+
+@@ -809,6 +809,12 @@ A :class:`CharField` for a URL. Has one
+ validating a URL being served by the same server will hang. This should not
+ be a problem for multithreaded servers.
+
++.. versionchanged:: 1.2
++
++ The default value of ``verify_exists`` has been changed to
++ ``False``. This argument should not be set to ``True`` because it
++ has security and performance problems.
++
+ The admin represents this as an ``<input type="text">`` (a single-line input).
+
+ Like all :class:`CharField` subclasses, :class:`URLField` takes the optional
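Review bot: Only the default is changed at `def __init__(self, verbose_name=None, name=None, verify_exists=False, **kwargs):`; the line `self.validators.append(validators.URLValidator(verify_exists=verify_exists))` still honours an explicit `verify_exists=True`, so site code that passes it keeps the hanging-validation behaviour, and the patch header or changelog should say such fields need to be updated by the site. The `.. versionchanged:: 1.2` directive in the docs hunk is likely inherited from the upstream patch and sits oddly in a 1.2.3 stable update; a reader of the Debian-shipped docs may take it to mean the default was always False in 1.2, so consider naming the package revision in which the default changed instead.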
Added: packages/python-django/branches/squeeze/debian/patches/15_fix_spoofing_issue_with_x_forwarded_host.diff
===================================================================
--- packages/python-django/branches/squeeze/debian/patches/15_fix_spoofing_issue_with_x_forwarded_host.diff (rev 0)
+++ packages/python-django/branches/squeeze/debian/patches/15_fix_spoofing_issue_with_x_forwarded_host.diff 2011-10-06 12:02:32 UTC (rev 18823)
@@ -0,0 +1,71 @@
+Description: Add protection against spoofing of X_FORWARDED_HOST headers
+ Note that the non-regression test has been dropped as it didn't apply to
+ the version of Django in Debian stable.
+Origin: upstream, https://code.djangoproject.com/changeset/16764
+Bug: https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/
+
+--- a/django/http/__init__.py
++++ b/django/http/__init__.py
+@@ -45,7 +45,8 @@ class HttpRequest(object):
+ def get_host(self):
+ """Returns the HTTP host using the environment or request headers."""
+ # We try three options, in order of decreasing preference.
+- if 'HTTP_X_FORWARDED_HOST' in self.META:
++ if settings.USE_X_FORWARDED_HOST and (
++ 'HTTP_X_FORWARDED_HOST' in self.META):
+ host = self.META['HTTP_X_FORWARDED_HOST']
+ elif 'HTTP_HOST' in self.META:
+ host = self.META['HTTP_HOST']
+--- a/django/conf/global_settings.py
++++ b/django/conf/global_settings.py
+@@ -390,6 +390,8 @@ URL_VALIDATOR_USER_AGENT = "Django/%s (h
+ DEFAULT_TABLESPACE = ''
+ DEFAULT_INDEX_TABLESPACE = ''
+
++USE_X_FORWARDED_HOST = False
++
+ ##############
+ # MIDDLEWARE #
+ ##############
+--- a/docs/ref/request-response.txt
++++ b/docs/ref/request-response.txt
+@@ -191,12 +191,11 @@ Methods
+
+ .. versionadded:: 1.0
+
+- Returns the originating host of the request using information from the
+- ``HTTP_X_FORWARDED_HOST`` and ``HTTP_HOST`` headers (in that order). If
+- they don't provide a value, the method uses a combination of
+- ``SERVER_NAME`` and ``SERVER_PORT`` as detailed in `PEP 333`_.
+-
+- .. _PEP 333: http://www.python.org/dev/peps/pep-0333/
++ Returns the originating host of the request using information from
++ the ``HTTP_X_FORWARDED_HOST`` (if enabled in the settings) and
++ ``HTTP_HOST`` headers (in that order). If they don't provide a value,
++ the method uses a combination of ``SERVER_NAME`` and ``SERVER_PORT`` as
++ detailed in :pep:`3333`.
+
+ Example: ``"127.0.0.1:8000"``
+
+--- a/docs/ref/settings.txt
++++ b/docs/ref/settings.txt
+@@ -1688,6 +1688,19 @@ and ``NUMBER_GROUPING`` from current loc
+
+ See also ``THOUSAND_SEPARATOR`` and ``NUMBER_GROUPING``.
+
++.. setting:: USE_X_FORWARDED_HOST
++
++USE_X_FORWARDED_HOST
++--------------------
++
++.. versionadded:: 1.3.1
++
++Default: ``False``
++
++A boolean that specifies whether to use the X-Forwarded-Host header in
++preference to the Host header. This should only be enabled if a proxy
++which sets this header is in use.
++
+ .. setting:: YEAR_MONTH_FORMAT
+
+ YEAR_MONTH_FORMAT
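Review bot: The new guard `if settings.USE_X_FORWARDED_HOST and ('HTTP_X_FORWARDED_HOST' in self.META):` relies on `settings` being in scope in django/http/__init__.py, which the hunk does not show; presumably it is already imported there, but this is worth confirming since the backport dropped the non-regression test. With `USE_X_FORWARDED_HOST = False` as the global default, any deployment behind a reverse proxy that currently relies on X-Forwarded-Host will have `get_host()` fall back to `HTTP_HOST` after this update, a behaviour change a stable-security upload should announce in debian/NEWS together with the one-line opt-in `USE_X_FORWARDED_HOST = True` for sites whose proxy sets the header. The `.. versionadded:: 1.3.1` in settings.txt does not match the 1.2.3 package, so the shipped docs would read better with the package revision that introduces the setting. get_host's body continues outside the hunk.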
Modified: packages/python-django/branches/squeeze/debian/patches/series
===================================================================
--- packages/python-django/branches/squeeze/debian/patches/series 2011-10-06 12:01:36 UTC (rev 18822)
+++ packages/python-django/branches/squeeze/debian/patches/series 2011-10-06 12:02:32 UTC (rev 18823)
@@ -9,3 +9,6 @@
10_fix_csrf_ajax.diff
11_fix_admin_file_widget.diff
12_fix_file_session_backend.diff
+13_fix_safety_issue_with_session_data.diff
+14_fix_dos_with_urlfield.diff
+15_fix_spoofing_issue_with_x_forwarded_host.diff