[Python-modules-commits] r22483 - in packages/python-django/branches/squeeze/debian (5 files)
hertzog at users.alioth.debian.org
hertzog at users.alioth.debian.org
Thu Aug 2 10:13:17 UTC 2012
Date: Thursday, August 2, 2012 @ 10:13:16
Author: hertzog
Revision: 22483
* Stable security upload:
https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/
Fixes: CVE-2012-3442 CVE-2012-3443 CVE-2012-3444
* Apply/backport the 3 security patches:
- debian/patches/16_fix_cross_site_scripting_in_authentication.diff
- debian/patches/17_fix_dos_in_image_validation.diff
- debian/patches/18_fix_dos_via_get_image_dimensions.diff
Closes: #683364
Added:
packages/python-django/branches/squeeze/debian/patches/16_fix_cross_site_scripting_in_authentication.diff
packages/python-django/branches/squeeze/debian/patches/17_fix_dos_in_image_validation.diff
packages/python-django/branches/squeeze/debian/patches/18_fix_dos_via_get_image_dimensions.diff
Modified:
packages/python-django/branches/squeeze/debian/changelog
packages/python-django/branches/squeeze/debian/patches/series
Modified: packages/python-django/branches/squeeze/debian/changelog
===================================================================
--- packages/python-django/branches/squeeze/debian/changelog 2012-08-02 08:53:46 UTC (rev 22482)
+++ packages/python-django/branches/squeeze/debian/changelog 2012-08-02 10:13:16 UTC (rev 22483)
@@ -1,3 +1,16 @@
+python-django (1.2.3-3+squeeze3) stable-security; urgency=high
+
+ * Stable security upload:
+ https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/
+ Fixes: CVE-2012-3442 CVE-2012-3443 CVE-2012-3444
+ * Apply/backport the 3 security patches:
+ - debian/patches/16_fix_cross_site_scripting_in_authentication.diff
+ - debian/patches/17_fix_dos_in_image_validation.diff
+ - debian/patches/18_fix_dos_via_get_image_dimensions.diff
+ Closes: #683364
+
+ -- Raphaël Hertzog <hertzog at debian.org> Thu, 02 Aug 2012 11:05:53 +0200
+
python-django (1.2.3-3+squeeze2) stable-security; urgency=low
* Stable security upload:
Added: packages/python-django/branches/squeeze/debian/patches/16_fix_cross_site_scripting_in_authentication.diff
===================================================================
--- packages/python-django/branches/squeeze/debian/patches/16_fix_cross_site_scripting_in_authentication.diff (rev 0)
+++ packages/python-django/branches/squeeze/debian/patches/16_fix_cross_site_scripting_in_authentication.diff 2012-08-02 10:13:16 UTC (rev 22483)
@@ -0,0 +1,86 @@
+Description: Fix cross site scripting issue in authentication views
+Origin: backport, https://github.com/django/django/commit/4dea4883e6c50d75f215a6b9bcbd95273f57c72d
+Forwarded: not needed, it comes from upstream
+Bug-Debian: http://bugs.debian.org/683364
+
+--- a/django/http/__init__.py
++++ b/django/http/__init__.py
+@@ -3,13 +3,14 @@ import re
+ from Cookie import BaseCookie, SimpleCookie, CookieError
+ from pprint import pformat
+ from urllib import urlencode
+-from urlparse import urljoin
++from urlparse import urljoin, urlparse
+ try:
+ # The mod_python version is more efficient, so try importing it first.
+ from mod_python.util import parse_qsl
+ except ImportError:
+ from cgi import parse_qsl
+
++from django.core.exceptions import SuspiciousOperation
+ from django.utils.datastructures import MultiValueDict, ImmutableList
+ from django.utils.encoding import smart_str, iri_to_uri, force_unicode
+ from django.http.multipartparser import MultiPartParser
+@@ -430,19 +431,21 @@ class HttpResponse(object):
+ raise Exception("This %s instance cannot tell its position" % self.__class__)
+ return sum([len(chunk) for chunk in self._container])
+
+-class HttpResponseRedirect(HttpResponse):
+- status_code = 302
++class HttpResponseRedirectBase(HttpResponse):
++ allowed_schemes = ['http', 'https', 'ftp']
+
+ def __init__(self, redirect_to):
+- HttpResponse.__init__(self)
++ super(HttpResponseRedirectBase, self).__init__()
++ parsed = urlparse(redirect_to)
++ if parsed.scheme and parsed.scheme not in self.allowed_schemes:
++ raise SuspiciousOperation("Unsafe redirect to URL with scheme '%s'" % parsed.scheme)
+ self['Location'] = iri_to_uri(redirect_to)
+
+-class HttpResponsePermanentRedirect(HttpResponse):
+- status_code = 301
++class HttpResponseRedirect(HttpResponseRedirectBase):
++ status_code = 302
+
+- def __init__(self, redirect_to):
+- HttpResponse.__init__(self)
+- self['Location'] = iri_to_uri(redirect_to)
++class HttpResponsePermanentRedirect(HttpResponseRedirectBase):
++ status_code = 301
+
+ class HttpResponseNotModified(HttpResponse):
+ status_code = 304
+--- a/tests/regressiontests/httpwrappers/tests.py
++++ b/tests/regressiontests/httpwrappers/tests.py
+@@ -1,7 +1,10 @@
+ import copy
+ import pickle
+ import unittest
+-from django.http import QueryDict, HttpResponse, CompatCookie, BadHeaderError
++from django.core.exceptions import SuspiciousOperation
++from django.http import (QueryDict, HttpResponse, HttpResponseRedirect,
++ HttpResponsePermanentRedirect,
++ CompatCookie, BadHeaderError)
+
+ class QueryDictTests(unittest.TestCase):
+ def test_missing_key(self):
+@@ -231,6 +234,18 @@ class HttpResponseTests(unittest.TestCas
+ self.assertRaises(BadHeaderError, r.__setitem__, 'test\rstr', 'test')
+ self.assertRaises(BadHeaderError, r.__setitem__, 'test\nstr', 'test')
+
++ def test_unsafe_redirects(self):
++ bad_urls = [
++ 'data:text/html,<script>window.alert("xss")</script>',
++ 'mailto:test at example.com',
++ 'file:///etc/passwd',
++ ]
++ for url in bad_urls:
++ self.assertRaises(SuspiciousOperation,
++ HttpResponseRedirect, url)
++ self.assertRaises(SuspiciousOperation,
++ HttpResponsePermanentRedirect, url)
++
+ class CookieTests(unittest.TestCase):
+ def test_encode(self):
+ """
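Review bot: The allowlist guard in HttpResponseRedirectBase.__init__ raises SuspiciousOperation, but nothing in this hunk maps that exception to a client error, and as far as I recall the Django 1.2 request handler only special-cases Http404 and PermissionDenied — so on squeeze a crafted `?next=data:...` link will most likely surface as a 500 (with the ADMINS error mail) rather than a 400; the Location header is still never emitted, so the XSS is closed, but that operational side effect deserves a sentence in the patch header or a comment above the `raise`, e.g. `# On this Django version the handler reports SuspiciousOperation as a server error; the unsafe Location header is never sent.` The check only fires when urlparse finds a scheme, so relative and protocol-relative (`//host/...`) targets pass untouched; that is intentional here (open-redirect filtering stays in the auth views' `next` handling) but a comment on `allowed_schemes` should say this class is a scheme filter, not a redirect-safety check, to stop future readers relying on it for that. The archived test URL `mailto:test at example.com` has had its `@` rewritten by the list archiver; the upstream test reads `mailto:test@example.com`, which matters if anyone regenerates the patch from this page.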
Added: packages/python-django/branches/squeeze/debian/patches/17_fix_dos_in_image_validation.diff
===================================================================
--- packages/python-django/branches/squeeze/debian/patches/17_fix_dos_in_image_validation.diff (rev 0)
+++ packages/python-django/branches/squeeze/debian/patches/17_fix_dos_in_image_validation.diff 2012-08-02 10:13:16 UTC (rev 22483)
@@ -0,0 +1,31 @@
+Description: Fix denial of service in image validation
+Origin: upstream, https://github.com/django/django/commit/b2eb4787a0fff9c9993b78be5c698e85108f3446
+Bug-Debian: http://bugs.debian.org/683364
+
+--- a/django/forms/fields.py
++++ b/django/forms/fields.py
+@@ -501,20 +501,10 @@ class ImageField(FileField):
+ file = StringIO(data['content'])
+
+ try:
+- # load() is the only method that can spot a truncated JPEG,
+- # but it cannot be called sanely after verify()
+- trial_image = Image.open(file)
+- trial_image.load()
+-
+- # Since we're about to use the file again we have to reset the
+- # file object if possible.
+- if hasattr(file, 'reset'):
+- file.reset()
+-
+- # verify() is the only method that can spot a corrupt PNG,
+- # but it must be called immediately after the constructor
+- trial_image = Image.open(file)
+- trial_image.verify()
++ # load() could spot a truncated JPEG, but it loads the entire
++ # image in memory, which is a DoS vector. See #3848 and #18520.
++ # verify() must be called immediately after the constructor.
++ Image.open(file).verify()
+ except ImportError:
+ # Under PyPy, it is possible to import PIL. However, the underlying
+ # _imaging C module isn't available, so an ImportError will be
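Review bot: The single `Image.open(file).verify()` call bounds memory for the validation step, but verify() inspects headers only: an image whose header declares enormous dimensions still validates, and any later consumer that calls load() on the stored file (thumbnailing, `get_image_dimensions()`) re-inherits the allocation problem this patch removes here. A sentence in the new comment block would keep that trade-off visible, e.g. `# verify() does not bound width*height; code that decodes the stored image must cap dimensions itself.` Dropping load() also means truncated JPEGs are no longer rejected at form validation, which the comment hints at but the patch Description does not; since that can surface as a behaviour change for applications, the Debian header should mention it. The enclosing to_python() continues past the hunk (the remaining except clauses and whatever restores the file position are outside it), so I could not confirm how the stream is rewound now that the `file.reset()` call is gone.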
Added: packages/python-django/branches/squeeze/debian/patches/18_fix_dos_via_get_image_dimensions.diff
===================================================================
--- packages/python-django/branches/squeeze/debian/patches/18_fix_dos_via_get_image_dimensions.diff (rev 0)
+++ packages/python-django/branches/squeeze/debian/patches/18_fix_dos_via_get_image_dimensions.diff 2012-08-02 10:13:16 UTC (rev 22483)
@@ -0,0 +1,28 @@
+Description: Fix denial of service via get_image_dimensions()
+Origin: upstream, https://github.com/django/django/commit/9ca0ff6268eeff92d0d0ac2c315d4b6a8e229155/download
+Bug-Debian: http://bugs.debian.org/683364
+
+diff --git a/django/core/files/images.py b/django/core/files/images.py
+index 228a711..7d7eac6 100644
+--- a/django/core/files/images.py
++++ b/django/core/files/images.py
+@@ -47,13 +47,18 @@ def get_image_dimensions(file_or_path, close=False):
+ file = open(file_or_path, 'rb')
+ close = True
+ try:
++ # Most of the time PIL only needs a small chunk to parse the image and
++ # get the dimensions, but with some TIFF files PIL needs to parse the
++ # whole file.
++ chunk_size = 1024
+ while 1:
+- data = file.read(1024)
++ data = file.read(chunk_size)
+ if not data:
+ break
+ p.feed(data)
+ if p.image:
+ return p.image.size
++ chunk_size = chunk_size*2
+ return None
+ finally:
+ if close:
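Review bot: The doubling loop removes the quadratic re-concatenation cost of feeding 1 KiB pieces to the parser, but `chunk_size` grows without an upper bound and the ImageFile.Parser retains every chunk until `p.image` is set, so for a file PIL never identifies (or a TIFF that needs the whole file, as the new comment notes) peak memory still equals the input size — the hunk trades CPU for memory rather than bounding either. That is probably the intended compromise, but it deserves a comment at the `chunk_size = chunk_size*2` line such as `# Doubling keeps the parser's buffer copies O(n log n); an unidentifiable file is still buffered in full.` `p.feed()` can raise on malformed data and nothing in this hunk catches it, so a corrupt file surfaces as an exception from get_image_dimensions() rather than the `None` return the loop's fall-through suggests; whether callers expect that I cannot tell, since they are outside the hunk. Style: `chunk_size *= 2` reads better than `chunk_size = chunk_size*2` and matches PEP 8 operator spacing.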
Modified: packages/python-django/branches/squeeze/debian/patches/series
===================================================================
--- packages/python-django/branches/squeeze/debian/patches/series 2012-08-02 08:53:46 UTC (rev 22482)
+++ packages/python-django/branches/squeeze/debian/patches/series 2012-08-02 10:13:16 UTC (rev 22483)
@@ -12,3 +12,6 @@
13_fix_safety_issue_with_session_data.diff
14_fix_dos_with_urlfield.diff
15_fix_spoofing_issue_with_x_forwarded_host.diff
+16_fix_cross_site_scripting_in_authentication.diff
+17_fix_dos_in_image_validation.diff
+18_fix_dos_via_get_image_dimensions.diff