[Python-modules-commits] [python-django] 01/02: Backport CVE-2015-8213: Fixed settings leak possibility in date template filter
Chris Lamb
lamby at moszumanska.debian.org
Thu Nov 26 06:49:32 UTC 2015
This is an automated email from the git hooks/post-receive script.
lamby pushed a commit to branch debian/squeeze
in repository python-django.
commit ab80b580d126050d8b808955879fd2bd8b02ede9
Author: Chris Lamb <chris at chris-lamb.co.uk>
Date: Thu Nov 26 08:46:58 2015 +0200
Backport CVE-2015-8213: Fixed settings leak possibility in date template filter
---
debian/changelog | 7 ++++++
debian/patches/CVE-2015-8213.patch | 50 ++++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 58 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 184885d..9729700 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+python-django (1.2.3-3+squeeze15) UNRELEASED; urgency=medium
+
+ * Backport CVE-2015-8213: Fixed settings leak possibility in date template
+ filter.
+
+ -- Chris Lamb <lamby at debian.org> Wed, 25 Nov 2015 23:15:40 +0200
+
python-django (1.2.3-3+squeeze14) squeeze-lts; urgency=medium
* Backport multiple security fixes released in 1.4 branch:
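Review bot: the new changelog entry targets UNRELEASED while the previous entry (1.2.3-3+squeeze14) went to squeeze-lts; the distribution field needs to be set to squeeze-lts before this is uploaded, otherwise the package will not build for the intended suite. The entry text also only repeats the CVE title; naming the affected component (django.utils.formats.get_format, reachable through the date template filter) would help users reading the changelog decide whether they are affected.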
diff --git a/debian/patches/CVE-2015-8213.patch b/debian/patches/CVE-2015-8213.patch
new file mode 100644
index 0000000..19e4e37
--- /dev/null
+++ b/debian/patches/CVE-2015-8213.patch
@@ -0,0 +1,50 @@
+--- python-django-1.2.3.orig/django/utils/formats.py
++++ python-django-1.2.3/django/utils/formats.py
+@@ -7,6 +7,25 @@ from django.utils.importlib import impor
+ from django.utils.encoding import smart_str
+ from django.utils import dateformat, numberformat, datetime_safe
+
++
++FORMAT_SETTINGS = frozenset([
++ 'DECIMAL_SEPARATOR',
++ 'THOUSAND_SEPARATOR',
++ 'NUMBER_GROUPING',
++ 'FIRST_DAY_OF_WEEK',
++ 'MONTH_DAY_FORMAT',
++ 'TIME_FORMAT',
++ 'DATE_FORMAT',
++ 'DATETIME_FORMAT',
++ 'SHORT_DATE_FORMAT',
++ 'SHORT_DATETIME_FORMAT',
++ 'YEAR_MONTH_FORMAT',
++ 'DATE_INPUT_FORMATS',
++ 'TIME_INPUT_FORMATS',
++ 'DATETIME_INPUT_FORMATS',
++])
++
++
+ def get_format_modules(reverse=False):
+ """
+ Returns an iterator over the format modules found in the project and Django
+@@ -41,6 +60,8 @@ def get_format(format_type):
+ format_type is the name of the format, e.g. 'DATE_FORMAT'
+ """
+ format_type = smart_str(format_type)
++ if format_type not in FORMAT_SETTINGS:
++ return format_type
+ if settings.USE_L10N:
+ for module in get_format_modules():
+ try:
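Review bot: the new patch file carries no DEP-3 headers (Description, Origin, Bug-Debian) above the first `+--- python-django-1.2.3.orig/django/utils/formats.py` line; Debian patches conventionally start with those so the upstream fix this was backported from can be traced, and they should be added before the file headers. Within the `@@ -41,6 +60,8 @@ def get_format(format_type)` hunk, the docstring still says only "format_type is the name of the format, e.g. 'DATE_FORMAT'" while the new `if format_type not in FORMAT_SETTINGS: return format_type` means any other name is now handed back unchanged instead of being looked up on settings; document that in the docstring so future callers do not assume get_format resolves arbitrary setting names. Placing the check before the `if settings.USE_L10N:` branch is the right spot, since it then guards both the format-module lookup and the settings fallback regardless of localization; note that FORMAT_SETTINGS must be kept in step with any format settings later added to global_settings, or those will silently fall back to their literal name.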
+--- python-django-1.2.3.orig/tests/regressiontests/i18n/tests.py
++++ python-django-1.2.3/tests/regressiontests/i18n/tests.py
+@@ -421,6 +421,10 @@ class FormattingTests(TestCase):
+ finally:
+ deactivate()
+
++ def test_format_arbitrary_settings(self):
++ self.assertEqual(get_format('DEBUG'), 'DEBUG')
++
++
+ class MiscTests(TestCase):
+
+ def test_parse_spec_http_header(self):
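Review bot: test_format_arbitrary_settings only checks the negative case (`self.assertEqual(get_format('DEBUG'), 'DEBUG')`), so a regression that made the allowlist check too strict, returning every name unchanged, would still pass; add a positive assertion that a real format name such as 'DATE_FORMAT' does not come back as the literal string 'DATE_FORMAT' in the same test, so both sides of the FORMAT_SETTINGS check are covered.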
diff --git a/debian/patches/series b/debian/patches/series
index 0c3471c..d7175fe 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -45,3 +45,4 @@ CVE-2015-2317.patch
CVE-2015-5143.patch
CVE-2015-5144.patch
CVE-2015-5963_5964.patch
+CVE-2015-8213.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/python-modules/packages/python-django.git