[Python-modules-commits] [python-django] 01/01: Include another fix related to the change made for CVE-2015-0219

Raphaël Hertzog hertzog at moszumanska.debian.org
Wed Jan 28 17:47:54 UTC 2015


This is an automated email from the git hooks/post-receive script.

hertzog pushed a commit to branch debian/wheezy
in repository python-django.

commit d87b70207e3921cf03e69cabd6234c4ea5b10866
Author: Raphaël Hertzog <hertzog at debian.org>
Date:   Wed Jan 28 18:46:25 2015 +0100

    Include another fix related to the change made for CVE-2015-0219
    
    It looks like the upstream-supplied patch was improperly backported
    to Django 1.4.x.
---
 debian/patches/CVE-2015-0219-fix.diff | 59 +++++++++++++++++++++++++++++++++++
 debian/patches/series                 |  1 +
 2 files changed, 60 insertions(+)

diff --git a/debian/patches/CVE-2015-0219-fix.diff b/debian/patches/CVE-2015-0219-fix.diff
new file mode 100644
index 0000000..6f9eb85
--- /dev/null
+++ b/debian/patches/CVE-2015-0219-fix.diff
@@ -0,0 +1,59 @@
+From b5cfe770f4ed31ded4bcd477f8a3e5060bd52f84 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rapha=C3=ABl=20Hertzog?= <hertzog at debian.org>
+Date: Wed, 28 Jan 2015 17:56:04 +0100
+Subject: [PATCH] [1.4.x] Fixed #24239 -- merge both WSGIRequestHandler.get_environ() methods
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Commit 4f6fffc1dc429f1ad428ecf8e6620739e8837450 incorrectly added a
+get_environ() method that replaced the original implementation. Instead
+the filtering logic should have been merged into the pre-existing
+get_environ().
+
+Signed-off-by: Raphaël Hertzog <hertzog at debian.org>
+Bug: https://code.djangoproject.com/ticket/24239
+---
+ django/core/servers/basehttp.py | 19 ++++++++-----------
+ 1 file changed, 8 insertions(+), 11 deletions(-)
+
+diff --git a/django/core/servers/basehttp.py b/django/core/servers/basehttp.py
+index 0ec5f98..ef18687 100644
+--- a/django/core/servers/basehttp.py
++++ b/django/core/servers/basehttp.py
+@@ -160,6 +160,14 @@ class WSGIRequestHandler(simple_server.WSGIRequestHandler, object):
+         if length:
+             env['CONTENT_LENGTH'] = length
+ 
++        # Strip all headers with underscores in the name before constructing
++        # the WSGI environ. This prevents header-spoofing based on ambiguity
++        # between underscores and dashes both normalized to underscores in WSGI
++        # env vars. Nginx and Apache 2.4+ both do this as well.
++        for k, v in self.headers.items():
++            if '_' in k:
++                del self.headers[k]
++
+         for h in self.headers.headers:
+             k,v = h.split(':',1)
+             k=k.replace('-','_').upper(); v=v.strip()
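Review bot: the added loop mutates `self.headers` while iterating over it (`for k, v in self.headers.items():` / `if '_' in k:` / `del self.headers[k]`). That is safe on Python 2, which Django 1.4.x targets, only because `rfc822.Message.items()` returns a fresh list rather than a live view; the dependency is implicit and `v` is never used. Iterating over a precomputed `[k for k in self.headers.keys() if '_' in k]` would make the snapshot explicit and drop the unused variable. Note also that `del self.headers[k]` on an `rfc822.Message` removes the raw line from `self.headers.headers` as well, which is what the following `for h in self.headers.headers:` loop reads, so the filter does reach the environ being built.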
+@@ -199,17 +207,6 @@ class WSGIRequestHandler(simple_server.WSGIRequestHandler, object):
+ 
+         sys.stderr.write(msg)
+ 
+-    def get_environ(self):
+-        # Strip all headers with underscores in the name before constructing
+-        # the WSGI environ. This prevents header-spoofing based on ambiguity
+-        # between underscores and dashes both normalized to underscores in WSGI
+-        # env vars. Nginx and Apache 2.4+ both do this as well.
+-        for k, v in self.headers.items():
+-            if '_' in k:
+-                del self.headers[k]
+-
+-        return super(WSGIRequestHandler, self).get_environ()
+-
+ 
+ class AdminMediaHandler(handlers.StaticFilesHandler):
+     """
+-- 
+2.1.4
+
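Review bot: removing the second `get_environ()` (hunk at `-199,17`) is the right fix, since a later `def` in the same class body silently replaces the earlier one, so the `CONTENT_LENGTH` and header-copy logic shown in the first hunk was never executed while the override existed; a regression test would catch this if it recurs, e.g. a request carrying a header with an underscore in its name must not yield an `HTTP_` key for it in the environ, while a plain POST must still get `CONTENT_LENGTH` set. On the patch metadata, the header carries `From:`, `Subject:` and `Bug:` but no `Forwarded:`/`Origin:` DEP-3 field; since the ticket is already filed upstream, recording that (for example `Forwarded: https://code.djangoproject.com/ticket/24239`) would document the upstream status for the next maintainer.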
diff --git a/debian/patches/series b/debian/patches/series
index aa61e7f..4d06f97 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -14,6 +14,7 @@ is_safe_url_1_4.diff
 drop_fix_ie_for_vary_1_4.diff
 FTBFS-exception-in-servers-tests-tear-down.patch
 CVE-2015-0219.diff
+CVE-2015-0219-fix.diff
 CVE-2015-0220.diff
 CVE-2015-0221.diff
 CVE-2015-0221-regression-fix.diff
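Review bot: placing `CVE-2015-0219-fix.diff` directly after `CVE-2015-0219.diff` is the correct position, as it amends code that patch introduced; since three patches now follow it (`CVE-2015-0220.diff`, `CVE-2015-0221.diff`, `CVE-2015-0221-regression-fix.diff`), it is worth confirming that the whole series still applies without fuzz or offsets, e.g. with `quilt push -a` on a clean tree, before the upload.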

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/python-modules/packages/python-django.git


