[Python-modules-commits] [python-django] 01/03: Imported Debian patch 1.4.5-1+deb7u10
Luke Faraone
lfaraone at moszumanska.debian.org
Sun Jul 12 01:25:14 UTC 2015
lfaraone pushed a commit to branch debian/wheezy
in repository python-django.
commit 64f61283dcf7498e4a7add2e44a6156b1b0281f4
Author: Luke Faraone <lfaraone at debian.org>
Date: Thu Mar 19 05:14:59 2015 +0000
Imported Debian patch 1.4.5-1+deb7u10
---
debian/changelog | 8 +++++
debian/patches/CVE-2015-2317.diff | 63 +++++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 72 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index ab3f283..53cdc31 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+python-django (1.4.5-1+deb7u10) wheezy-security; urgency=high
+
+ * New upstream security release:
+ https://www.djangoproject.com/weblog/2015/mar/18/security-releases/
+ - Possible XSS attack via user-supplied redirect URLs (CVE-2015-2317)
+
+ -- Luke Faraone <lfaraone at debian.org> Thu, 19 Mar 2015 05:14:59 +0000
+
python-django (1.4.5-1+deb7u9) wheezy-security; urgency=high
* New upstream security release:
diff --git a/debian/patches/CVE-2015-2317.diff b/debian/patches/CVE-2015-2317.diff
new file mode 100644
index 0000000..0cf4543
--- /dev/null
+++ b/debian/patches/CVE-2015-2317.diff
@@ -0,0 +1,63 @@
+From 2342693b31f740a422abf7267c53b4e7bc487c1b Mon Sep 17 00:00:00 2001
+From: Tim Graham <timograham at gmail.com>
+Date: Mon, 9 Mar 2015 20:05:13 -0400
+Subject: [PATCH] [1.4.x] Made is_safe_url() reject URLs that start with
+ control characters.
+
+This is a security fix; disclosure to follow shortly.
+---
+ django/utils/http.py | 9 ++++++++-
+ docs/releases/1.4.20.txt | 19 +++++++++++++++++++
+ tests/regressiontests/utils/http.py | 4 +++-
+ 3 files changed, 30 insertions(+), 2 deletions(-)
+
+Index: python-django-1.4.5/django/utils/http.py
+===================================================================
+--- python-django-1.4.5.orig/django/utils/http.py 2015-03-19 03:34:08.000000000 +0000
++++ python-django-1.4.5/django/utils/http.py 2015-03-19 05:14:23.805231220 +0000
+@@ -4,6 +4,7 @@
+ import sys
+ import urllib
+ import urlparse
++import unicodedata
+ from email.utils import formatdate
+
+ from django.utils.datastructures import MultiValueDict
+@@ -232,9 +233,10 @@
+
+ Always returns ``False`` on an empty url.
+ """
++ if url is not None:
++ url = url.strip()
+ if not url:
+ return False
+- url = url.strip()
+ # Chrome treats \ completely as /
+ url = url.replace('\\', '/')
+ # Chrome considers any URL with more than two slashes to be absolute, but
+@@ -248,5 +250,10 @@
+ # allow this syntax.
+ if not url_info[1] and url_info[0]:
+ return False
++ # Forbid URLs that start with control characters. Some browsers (like
++ # Chrome) ignore quite a few control characters at the start of a
++ # URL and might consider the URL as scheme relative.
++ if unicodedata.category(unicode(url[0]))[0] == 'C':
++ return False
+ return (not url_info[1] or url_info[1] == host) and \
+ (not url_info[0] or url_info[0] in ['http', 'https'])
+Index: python-django-1.4.5/tests/regressiontests/utils/http.py
+===================================================================
+--- python-django-1.4.5.orig/tests/regressiontests/utils/http.py 2015-03-19 03:34:08.000000000 +0000
++++ python-django-1.4.5/tests/regressiontests/utils/http.py 2015-03-19 05:14:23.805231220 +0000
+@@ -98,7 +98,9 @@
+ 'http:\/example.com',
+ 'http:/\example.com',
+ 'javascript:alert("XSS")'
+- '\njavascript:alert(x)'):
++ '\njavascript:alert(x)',
++ '\x08//example.com',
++ '\n'):
+ self.assertFalse(http.is_safe_url(bad_url, host='testserver'), "%s should be blocked" % bad_url)
+ for good_url in ('/view/?param=http://example.com',
+ '/view/?param=https://example.com',
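Review bot: `unicode(url[0])` in the new control-character check (nested hunk `@@ -248,5 +250,10 @@`) decodes with Python 2's default ASCII codec, so a byte-string url whose first byte is non-ASCII would make is_safe_url raise UnicodeDecodeError instead of returning False; using `force_unicode(url[0])` from django.utils.encoding, or catching UnicodeDecodeError and returning False, would keep the function total. Whether any caller passes bytes here cannot be seen from this hunk, and the `def is_safe_url` line itself lies outside it. The docstring context line `Always returns ``False`` on an empty url.` could also state the new rule, e.g. `Also returns ``False`` when the first character is a Unicode control character (category C).` The embedded diffstat names docs/releases/1.4.20.txt, which this Debian patch does not carry, so that header is stale though harmless for quilt.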
diff --git a/debian/patches/series b/debian/patches/series
index 48bd7ea..f2c2b83 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -22,3 +22,4 @@ CVE-2015-0219-fix.diff
CVE-2015-0220.diff
CVE-2015-0221.diff
CVE-2015-0221-regression-fix.diff
+CVE-2015-2317.diff