[Python-modules-commits] [python-django] 01/04: Add patch fixing CVE-2015-2317
Raphaël Hertzog
hertzog at moszumanska.debian.org
Thu Jul 16 13:01:53 UTC 2015
This is an automated email from the git hooks/post-receive script.
hertzog pushed a commit to branch debian/squeeze
in repository python-django.
commit 6a450fee5cc9a27227de75401cacc14e9ce3443d
Author: Raphaël Hertzog <hertzog at debian.org>
Date: Wed Jul 15 16:30:19 2015 +0200
Add patch fixing CVE-2015-2317
Backported it from
https://github.com/django/django/commit/2342693b31f740a422abf7267c53b4e7bc487c1b
---
debian/changelog | 8 ++++++
debian/patches/CVE-2015-2317.patch | 51 ++++++++++++++++++++++++++++++++++++++
debian/patches/series | 2 +-
3 files changed, 60 insertions(+), 1 deletion(-)
diff --git a/debian/changelog b/debian/changelog
index 7a68301..b18e385 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+python-django (1.2.3-3+squeeze13) UNRELEASED; urgency=medium
+
+ * Backport multiple security fixes released in 1.4 branch:
+ https://www.djangoproject.com/weblog/2015/mar/18/security-releases/
+ - Possible XSS attack via user-supplied redirect URLs (CVE-2015-2317)
+
+ -- Raphaël Hertzog <hertzog at debian.org> Wed, 15 Jul 2015 16:26:30 +0200
+
python-django (1.2.3-3+squeeze12) squeeze-lts; urgency=medium
* Backport multiple security fixes released in 1.4 branch:
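Review bot: the new stanza's bullet says "multiple security fixes" but lists a single CVE line so far; since this is commit 01/04 of the push, make sure the remaining CVE entries land in this same UNRELEASED stanza before it is closed, or reword the bullet so it matches what the upload actually contains.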
diff --git a/debian/patches/CVE-2015-2317.patch b/debian/patches/CVE-2015-2317.patch
new file mode 100644
index 0000000..a470e34
--- /dev/null
+++ b/debian/patches/CVE-2015-2317.patch
@@ -0,0 +1,51 @@
+From 2342693b31f740a422abf7267c53b4e7bc487c1b Mon Sep 17 00:00:00 2001
+From: Tim Graham <timograham at gmail.com>
+Date: Mon, 9 Mar 2015 20:05:13 -0400
+Subject: [PATCH] [1.4.x] Made is_safe_url() reject URLs that start with
+ control characters.
+
+This is a security fix; disclosure to follow shortly.
+
+[hertzog at debian.org: Backported to 1.2.3. Dropped the non-regression test
+which was not available and updated the part applying to
+django/utils/http.py]
+---
+ django/utils/http.py | 9 ++++++++-
+ docs/releases/1.4.20.txt | 19 +++++++++++++++++++
+ tests/regressiontests/utils/http.py | 4 +++-
+ 3 files changed, 30 insertions(+), 2 deletions(-)
+
+--- a/django/utils/http.py
++++ b/django/utils/http.py
+@@ -1,6 +1,7 @@
+ import re
+ import urllib
+ import urlparse
++import unicodedata
+ from email.Utils import formatdate
+
+ from django.utils.encoding import smart_str, force_unicode
+@@ -130,9 +131,10 @@ def is_safe_url(url, host=None):
+
+ Always returns ``False`` on an empty url.
+ """
++ if url is not None:
++ url = url.strip()
+ if not url:
+ return False
+- url = url.strip()
+ # Chrome treats \ completely as /
+ url = url.replace('\\', '/')
+ # Chrome considers any URL with more than two slashes to be absolute, but
+@@ -146,6 +148,11 @@ def is_safe_url(url, host=None):
+ # allow this syntax.
+ if not url_info[1] and url_info[0]:
+ return False
++ # Forbid URLs that start with control characters. Some browsers (like
++ # Chrome) ignore quite a few control characters at the start of a
++ # URL and might consider the URL as scheme relative.
++ if unicodedata.category(unicode(url[0]))[0] == 'C':
++ return False
+ return (not url_info[1] or url_info[1] == host) and \
+ (not url_info[0] or url_info[0] in ['http', 'https'])
+
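Review bot: the new check `unicodedata.category(unicode(url[0]))[0] == 'C'` raises UnicodeDecodeError instead of returning a verdict when `url` is a Python 2 byte string whose first byte is non-ASCII (`unicode()` decodes with the ASCII codec, and `url[0]` is only the lead byte of a multibyte character), so a caller passing such a redirect target gets an exception rather than `False`. `force_unicode` is already imported in the hunk context, so consider decoding the whole string first, e.g. `first = force_unicode(url)[0]`, and catching the decode error to return `False` if the input is not valid UTF-8. Separately, the embedded diffstat still lists docs/releases/1.4.20.txt and tests/regressiontests/utils/http.py although the backport note says the test was dropped and only django/utils/http.py is touched; trim the diffstat to match the hunks that follow.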
diff --git a/debian/patches/series b/debian/patches/series
index 1495daf..5cc19af 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -41,4 +41,4 @@ CVE-2015-0219.diff
CVE-2015-0220.diff
CVE-2015-0221.diff
CVE-2015-0221-regression-fix.diff
-
+CVE-2015-2317.patch
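Review bot: every other entry in this series file uses the `.diff` suffix while the new one is `CVE-2015-2317.patch`; the name matches the file added above, so this is only a naming-consistency nit, but settling on one suffix keeps the series easy to scan. Replacing the trailing blank line with the entry is fine.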
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/python-modules/packages/python-django.git