[Python-modules-commits] [python-django] 01/01: Unapply patches and disable git-dpm
Raphaël Hertzog
hertzog at moszumanska.debian.org
Sat May 20 14:02:55 UTC 2017
This is an automated email from the git hooks/post-receive script.
hertzog pushed a commit to branch debian/wheezy
in repository python-django.
commit 8cf7eba74d09cc47b13a918dbd0cafd75bbedb20
Author: Raphaël Hertzog <hertzog at debian.org>
Date: Sat May 20 16:02:10 2017 +0200
Unapply patches and disable git-dpm
---
debian/.git-dpm | 11 -------
debian/gbp.conf | 3 ++
django/contrib/auth/hashers.py | 64 ++----------------------------------
django/contrib/auth/tests/views.py | 8 +----
django/contrib/gis/geoip/base.py | 18 +++++-----
django/utils/encoding.py | 36 --------------------
django/utils/formats.py | 20 -----------
django/utils/http.py | 14 ++------
docs/conf.py | 5 +--
docs/man/django-admin.1 | 6 ++--
docs/topics/auth.txt | 30 -----------------
tests/modeltests/validation/tests.py | 2 +-
tests/regressiontests/i18n/tests.py | 3 --
tests/regressiontests/utils/http.py | 11 -------
14 files changed, 22 insertions(+), 209 deletions(-)
diff --git a/debian/.git-dpm b/debian/.git-dpm
deleted file mode 100644
index ec9f178..0000000
--- a/debian/.git-dpm
+++ /dev/null
@@ -1,11 +0,0 @@
-# see git-dpm(1) from git-dpm package
-cd296c0e8a82e71edb2c5fa3edd992b8d46b65fa
-cd296c0e8a82e71edb2c5fa3edd992b8d46b65fa
-6811f42291f01f7636726c8bdd8999842f0cd9ec
-6811f42291f01f7636726c8bdd8999842f0cd9ec
-python-django_1.4.22.orig.tar.gz
-cedd81e52f794c6f69b9a71c65e90f16570783c7
-7802249
-debianTag="debian/%e%v"
-patchedTag="patched/%e%v"
-upstreamTag="upstream/%e%u"
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..c0c0173
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,3 @@
+[DEFAULT]
+upstream-branch=upstream/1.4.x
+debian-branch=debian/wheezy
diff --git a/django/contrib/auth/hashers.py b/django/contrib/auth/hashers.py
index f936aa3..a9dbcc9 100644
--- a/django/contrib/auth/hashers.py
+++ b/django/contrib/auth/hashers.py
@@ -1,10 +1,9 @@
import hashlib
-import warnings
from django.conf import settings
from django.utils import importlib
from django.utils.datastructures import SortedDict
-from django.utils.encoding import force_bytes, smart_str
+from django.utils.encoding import smart_str
from django.core.exceptions import ImproperlyConfigured
from django.utils.crypto import (
pbkdf2, constant_time_compare, get_random_string)
@@ -48,17 +47,8 @@ def check_password(password, encoded, setter=None, preferred='default'):
algorithm = encoded.split('$', 1)[0]
hasher = get_hasher(algorithm)
- hasher_changed = hasher.algorithm != preferred.algorithm
- must_update = hasher_changed or preferred.must_update(encoded)
+ must_update = hasher.algorithm != preferred.algorithm
is_correct = hasher.verify(password, encoded)
-
- # If the hasher didn't change (we don't protect against enumeration if it
- # does) and the password should get updated, try to close the timing gap
- # between the work factor of the current encoded password and the default
- # work factor.
- if not is_correct and not hasher_changed and must_update:
- hasher.harden_runtime(password, encoded)
-
if setter and is_correct and must_update:
setter(raw_password)
return is_correct
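Review bot: With `must_update = hasher.algorithm != preferred.algorithm`, check_password no longer looks at the work factor stored in `encoded`, so a hash made with the preferred algorithm but an older iteration count is neither re-hashed on a successful login nor padded on a failed one. The removed comment names the consequence as a timing gap between the stored and the default work factor, and the text removed from docs/topics/auth.txt describes the related user enumeration risk. Given the commit title, this hardening presumably moves to a patch series under debian/ that this diff does not show; confirm that the series carries it and is applied at build time before anything is built or run from this branch. The same applies to the `if format_type not in FORMAT_SETTINGS: return format_type` guard dropped from get_format in django/utils/formats.py. check_password starts outside the hunk.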
@@ -199,22 +189,6 @@ class BasePasswordHasher(object):
"""
raise NotImplementedError()
- def must_update(self, encoded):
- return False
-
- def harden_runtime(self, password, encoded):
- """
- Bridge the runtime gap between the work factor supplied in `encoded`
- and the work factor suggested by this hasher.
-
- Taking PBKDF2 as an example, if `encoded` contains 20000 iterations and
- `self.iterations` is 30000, this method should run password through
- another 10000 iterations of PBKDF2. Similar approaches should exist
- for any hasher that has a work factor. If not, this method should be
- defined as a no-op to silence the warning.
- """
- warnings.warn('subclasses of BasePasswordHasher should provide a harden_runtime() method')
-
class PBKDF2PasswordHasher(BasePasswordHasher):
"""
@@ -253,16 +227,6 @@ class PBKDF2PasswordHasher(BasePasswordHasher):
(_('hash'), mask_hash(hash)),
])
- def must_update(self, encoded):
- algorithm, iterations, salt, hash = encoded.split('$', 3)
- return int(iterations) != self.iterations
-
- def harden_runtime(self, password, encoded):
- algorithm, iterations, salt, hash = encoded.split('$', 3)
- extra_iterations = self.iterations - int(iterations)
- if extra_iterations > 0:
- self.encode(password, salt, extra_iterations)
-
class PBKDF2SHA1PasswordHasher(PBKDF2PasswordHasher):
"""
@@ -314,16 +278,6 @@ class BCryptPasswordHasher(BasePasswordHasher):
(_('checksum'), mask_hash(checksum)),
])
- def harden_runtime(self, password, encoded):
- _, data = encoded.split('$', 1)
- salt = data[:29] # Length of the salt in bcrypt.
- rounds = data.split('$')[2]
- # work factor is logarithmic, adding one doubles the load.
- diff = 2**(self.rounds - int(rounds)) - 1
- while diff > 0:
- self.encode(password, force_bytes(salt))
- diff -= 1
-
class SHA1PasswordHasher(BasePasswordHasher):
"""
@@ -352,10 +306,6 @@ class SHA1PasswordHasher(BasePasswordHasher):
(_('hash'), mask_hash(hash)),
])
- def harden_runtime(self, password, encoded):
- pass
-
-
class MD5PasswordHasher(BasePasswordHasher):
"""
@@ -416,10 +366,6 @@ class UnsaltedSHA1PasswordHasher(BasePasswordHasher):
(_('hash'), mask_hash(hash)),
])
- def harden_runtime(self, password, encoded):
- pass
-
-
class UnsaltedMD5PasswordHasher(BasePasswordHasher):
"""
@@ -453,10 +399,6 @@ class UnsaltedMD5PasswordHasher(BasePasswordHasher):
(_('hash'), mask_hash(encoded, show=3)),
])
- def harden_runtime(self, password, encoded):
- pass
-
-
class CryptPasswordHasher(BasePasswordHasher):
"""
@@ -492,5 +434,3 @@ class CryptPasswordHasher(BasePasswordHasher):
(_('hash'), mask_hash(data, show=3)),
])
- def harden_runtime(self, password, encoded):
- pass
diff --git a/django/contrib/auth/tests/views.py b/django/contrib/auth/tests/views.py
index 5c781ed..2b72cd4 100644
--- a/django/contrib/auth/tests/views.py
+++ b/django/contrib/auth/tests/views.py
@@ -312,12 +312,7 @@ class LoginTest(AuthViewsTestCase):
'ftp://exampel.com',
'///example.com',
'//example.com',
- 'javascript:alert("XSS")',
- r'http://otherserver\@example.com',
- r'http:\\testserver\@example.com',
- r'http://testserver\me:pass@example.com',
- r'http://testserver\@example.com',
- r'http:\\testserver\confirm\me at example.com'):
+ 'javascript:alert("XSS")'):
nasty_url = '%(url)s?%(next)s=%(bad_url)s' % {
'url': login_url,
@@ -340,7 +335,6 @@ class LoginTest(AuthViewsTestCase):
'https://testserver/',
'HTTPS://testserver/',
'//testserver/',
- 'http://testserver/confirm?email=me@example.com',
'/url%20with%20spaces/'): # see ticket #12534
safe_url = '%(url)s?%(next)s=%(good_url)s' % {
'url': login_url,
diff --git a/django/contrib/gis/geoip/base.py b/django/contrib/gis/geoip/base.py
index d77784a..e00e0a4 100644
--- a/django/contrib/gis/geoip/base.py
+++ b/django/contrib/gis/geoip/base.py
@@ -61,8 +61,7 @@ class GeoIP(object):
* path: Base directory to where GeoIP data is located or the full path
to where the city or country data files (*.dat) are located.
Assumes that both the city and country data sets are located in
- this directory. Overrides the GEOIP_PATH settings attribute.
- If neither is set, defaults to '/usr/share/GeoIP'.
+ this directory; overrides the GEOIP_PATH settings attribute.
* cache: The cache settings when opening up the GeoIP datasets,
and may be an integer in (0, 1, 2, 4, 8) corresponding to
@@ -71,13 +70,11 @@ class GeoIP(object):
settings, respectively. Defaults to 0, meaning that the data is read
from the disk.
- * country: The name of the GeoIP country data file. Overrides
- the GEOIP_COUNTRY settings attribute. If neither is set,
- defaults to 'GeoIP.dat'
+ * country: The name of the GeoIP country data file. Defaults to
+ 'GeoIP.dat'; overrides the GEOIP_COUNTRY settings attribute.
- * city: The name of the GeoIP city data file. Overrides the
- GEOIP_CITY settings attribute. If neither is set, defaults
- to 'GeoIPCity.dat'.
+ * city: The name of the GeoIP city data file. Defaults to
+ 'GeoLiteCity.dat'; overrides the GEOIP_CITY settings attribute.
"""
# Checking the given cache option.
if cache in self.cache_options:
@@ -87,7 +84,8 @@ class GeoIP(object):
# Getting the GeoIP data path.
if not path:
- path = GEOIP_SETTINGS.get('GEOIP_PATH', '/usr/share/GeoIP')
+ path = GEOIP_SETTINGS.get('GEOIP_PATH', None)
+ if not path: raise GeoIPException('GeoIP path must be provided via parameter or the GEOIP_PATH setting.')
if not isinstance(path, basestring):
raise TypeError('Invalid path type: %s' % type(path).__name__)
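Review bot: The added guard after the `GEOIP_SETTINGS.get` call puts the condition and the `raise` on one physical line, which is easy to overlook when reading the path handling. I would write `path = GEOIP_SETTINGS.get('GEOIP_PATH')` (the explicit `None` default is redundant) and put `raise GeoIPException(...)` on its own indented line under `if not path:`. The next hunk in this file also changes the fallback city file name to 'GeoLiteCity.dat', and since the city database is opened only when `os.path.isfile(city_db)` holds, a host that has only the old file name would apparently get no city data without an error. A sentence in the docstring saying so would help. The enclosing method starts and ends outside the hunk.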
@@ -100,7 +98,7 @@ class GeoIP(object):
self._country = GeoIP_open(country_db, cache)
self._country_file = country_db
- city_db = os.path.join(path, city or GEOIP_SETTINGS.get('GEOIP_CITY', 'GeoIPCity.dat'))
+ city_db = os.path.join(path, city or GEOIP_SETTINGS.get('GEOIP_CITY', 'GeoLiteCity.dat'))
if os.path.isfile(city_db):
self._city = GeoIP_open(city_db, cache)
self._city_file = city_db
diff --git a/django/utils/encoding.py b/django/utils/encoding.py
index 2a3e064..2924723 100644
--- a/django/utils/encoding.py
+++ b/django/utils/encoding.py
@@ -51,42 +51,6 @@ def is_protected_type(obj):
float, Decimal)
)
-def force_bytes(s, encoding='utf-8', strings_only=False, errors='strict'):
- """
- Similar to smart_bytes, except that lazy instances are resolved to
- strings, rather than kept as lazy objects.
-
- If strings_only is True, don't convert (some) non-string-like objects.
- """
- # Handle the common case first for performance reasons.
- if isinstance(s, bytes):
- if encoding == 'utf-8':
- return s
- else:
- return s.decode('utf-8', errors).encode(encoding, errors)
- if strings_only and is_protected_type(s):
- return s
- if isinstance(s, six.memoryview):
- return bytes(s)
- if isinstance(s, Promise):
- return six.text_type(s).encode(encoding, errors)
- if not isinstance(s, six.string_types):
- try:
- if six.PY3:
- return six.text_type(s).encode(encoding)
- else:
- return bytes(s)
- except UnicodeEncodeError:
- if isinstance(s, Exception):
- # An Exception subclass containing non-ASCII data that doesn't
- # know how to print itself properly. We shouldn't raise a
- # further exception.
- return b' '.join([force_bytes(arg, encoding, strings_only,
- errors) for arg in s])
- return six.text_type(s).encode(encoding, errors)
- else:
- return s.encode(encoding, errors)
-
def force_unicode(s, encoding='utf-8', strings_only=False, errors='strict'):
"""
Similar to smart_unicode, except that lazy instances are resolved to
diff --git a/django/utils/formats.py b/django/utils/formats.py
index 1796b64..e283490 100644
--- a/django/utils/formats.py
+++ b/django/utils/formats.py
@@ -15,24 +15,6 @@ from django.utils.translation import get_language, to_locale, check_for_language
_format_cache = {}
_format_modules_cache = {}
-FORMAT_SETTINGS = frozenset([
- 'DECIMAL_SEPARATOR',
- 'THOUSAND_SEPARATOR',
- 'NUMBER_GROUPING',
- 'FIRST_DAY_OF_WEEK',
- 'MONTH_DAY_FORMAT',
- 'TIME_FORMAT',
- 'DATE_FORMAT',
- 'DATETIME_FORMAT',
- 'SHORT_DATE_FORMAT',
- 'SHORT_DATETIME_FORMAT',
- 'YEAR_MONTH_FORMAT',
- 'DATE_INPUT_FORMATS',
- 'TIME_INPUT_FORMATS',
- 'DATETIME_INPUT_FORMATS',
-])
-
-
def reset_format_cache():
"""Clear any cached formats.
@@ -84,8 +66,6 @@ def get_format(format_type, lang=None, use_l10n=None):
be localized (or not), overriding the value of settings.USE_L10N.
"""
format_type = smart_str(format_type)
- if format_type not in FORMAT_SETTINGS:
- return format_type
if use_l10n or (use_l10n is None and settings.USE_L10N):
if lang is None:
lang = get_language()
diff --git a/django/utils/http.py b/django/utils/http.py
index 8185fc4..b8c81a8 100644
--- a/django/utils/http.py
+++ b/django/utils/http.py
@@ -8,7 +8,7 @@ import unicodedata
from email.utils import formatdate
from django.utils.datastructures import MultiValueDict
-from django.utils.encoding import smart_str, force_unicode, force_text
+from django.utils.encoding import smart_str, force_unicode
from django.utils.functional import allow_lazy
ETAG_MATCH = re.compile(r'(?:W/)?"((?:\\.|[^"])*)"')
@@ -237,16 +237,8 @@ def is_safe_url(url, host=None):
url = url.strip()
if not url:
return False
- try:
- url = force_text(url)
- except UnicodeDecodeError:
- return False
- # Chrome treats \ completely as / in paths but it could be part of some
- # basic auth credentials so we need to check both URLs.
- return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host)
-
-
-def _is_safe_url(url, host):
+ # Chrome treats \ completely as /
+ url = url.replace('\\', '/')
# Chrome considers any URL with more than two slashes to be absolute, but
# urlaprse is not so flexible. Treat any url with three slashes as unsafe.
if url.startswith('///'):
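Review bot: is_safe_url now validates only the backslash-normalised string, where the removed code required both the original and the normalised form to pass. The removed comment gives the reason: a backslash can be part of basic-auth credentials, so a value such as `http://testserver\@example.com` (one of the cases deleted from LoginTest in django/contrib/auth/tests/views.py) is judged after rewriting rather than as a browser may read it. The `force_text` guard is gone as well, so a byte string that does not decode is no longer rejected up front. If the two-pass check `return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host)` is meant to come back from the Debian patch series at build time, the deleted bad-URL test cases should travel with that patch so the regression stays covered. The function body continues outside the hunk.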
diff --git a/docs/conf.py b/docs/conf.py
index 7f96d7d..d3679fe 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -168,10 +168,7 @@ html_additional_pages = {}
#html_split_index = False
# If true, links to the reST sources are added to the pages.
-html_show_sourcelink = False
-
-# Do not ship a copy of the sources
-html_copy_source = False
+#html_show_sourcelink = True
# If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
#html_show_sphinx = True
diff --git a/docs/man/django-admin.1 b/docs/man/django-admin.1
index 602793f..1f693b8 100644
--- a/docs/man/django-admin.1
+++ b/docs/man/django-admin.1
@@ -1,8 +1,8 @@
-.TH "django-admin" "1" "March 2008" "Django Project" ""
+.TH "django-admin.py" "1" "March 2008" "Django Project" ""
.SH "NAME"
-django\-admin \- Utility script for the Django Web framework
+django\-admin.py \- Utility script for the Django Web framework
.SH "SYNOPSIS"
-.B django\-admin
+.B django\-admin.py
.I <action>
.B [options]
.sp
diff --git a/docs/topics/auth.txt b/docs/topics/auth.txt
index 5dedb54..23a4a0c 100644
--- a/docs/topics/auth.txt
+++ b/docs/topics/auth.txt
@@ -538,42 +538,12 @@ However, Django can only upgrade passwords that use algorithms mentioned in
sure never to *remove* entries from this list. If you do, users using un-
mentioned algorithms won't be able to upgrade.
-Be aware that if all the passwords in your database aren't encoded in the
-default hasher's algorithm, you may be vulnerable to a user enumeration timing
-attack due to a difference between the duration of a login request for a user
-with a password encoded in a non-default algorithm and the duration of a login
-request for a nonexistent user (which runs the default hasher). You may be able
-to mitigate this by upgrading older password hashes.
-
.. _sha1: http://en.wikipedia.org/wiki/SHA1
.. _pbkdf2: http://en.wikipedia.org/wiki/PBKDF2
.. _nist: http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf
.. _bcrypt: http://en.wikipedia.org/wiki/Bcrypt
.. _py-bcrypt: http://pypi.python.org/pypi/py-bcrypt/
-.. _write-your-own-password-hasher:
-
-Writing your own hasher
------------------------
-
-.. versionadded:: 1.8.10
-
-If you write your own password hasher that contains a work factor such as a
-number of iterations, you should implement a
-``harden_runtime(self, password, encoded)`` method to bridge the runtime gap
-between the work factor supplied in the ``encoded`` password and the default
-work factor of the hasher. This prevents a user enumeration timing attack due
-to difference between a login request for a user with a password encoded in an
-older number of iterations and a nonexistent user (which runs the default
-hasher's default number of iterations).
-
-Taking PBKDF2 as example, if ``encoded`` contains 20,000 iterations and the
-hasher's default ``iterations`` is 30,000, the method should run ``password``
-through another 10,000 iterations of PBKDF2.
-
-If your hasher doesn't have a work factor, implement the method as a no-op
-(``pass``).
-
Anonymous users
---------------
diff --git a/tests/modeltests/validation/tests.py b/tests/modeltests/validation/tests.py
index dc6d4ef..3078089 100644
--- a/tests/modeltests/validation/tests.py
+++ b/tests/modeltests/validation/tests.py
@@ -87,7 +87,7 @@ class BaseModelValidationTests(ValidationTestCase):
@verify_exists_urls(existing_urls=())
def test_correct_https_url_but_nonexisting(self):
- mtv = ModelToValidate(number=10, name='Some Name', url_verify='https://www.example.invalid/')
+ mtv = ModelToValidate(number=10, name='Some Name', url_verify='https://www.example.com/')
self.assertFieldFailsValidationWithMessage(mtv.full_clean, 'url_verify', [u'This URL appears to be a broken link.'])
def test_text_greater_that_charfields_max_length_raises_erros(self):
diff --git a/tests/regressiontests/i18n/tests.py b/tests/regressiontests/i18n/tests.py
index f8398ee..99a55bd 100644
--- a/tests/regressiontests/i18n/tests.py
+++ b/tests/regressiontests/i18n/tests.py
@@ -817,9 +817,6 @@ class MiscTests(TestCase):
self.assertEqual(t_plur.render(Context({'percent': 42, 'num': 1})), u'42% stellt 1 Objekt dar')
self.assertEqual(t_plur.render(Context({'percent': 42, 'num': 4})), u'42% stellt 4 Objekte dar')
- def test_format_arbitrary_settings(self):
- self.assertEqual(get_format('DEBUG'), 'DEBUG')
-
class ResolutionOrderI18NTests(TestCase):
diff --git a/tests/regressiontests/utils/http.py b/tests/regressiontests/utils/http.py
index 37aaf3e..8245a7e 100644
--- a/tests/regressiontests/utils/http.py
+++ b/tests/regressiontests/utils/http.py
@@ -1,5 +1,3 @@
-# -*- encoding: utf-8 -*-
-from __future__ import unicode_literals
import sys
from django.utils import http
@@ -113,12 +111,3 @@ class TestUtilsHttp(unittest.TestCase):
'//testserver/',
'/url%20with%20spaces/'):
self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url)
-
- # Check binary URLs, regression tests for #26308
- self.assertTrue(
- http.is_safe_url(b'https://testserver/', host='testserver'),
- "binary URLs should be allowed on Python 2"
- )
- self.assertFalse(http.is_safe_url(b'\x08//example.com', host='testserver'))
- self.assertTrue(http.is_safe_url('àview/'.encode('utf-8'), host='testserver'))
- self.assertFalse(http.is_safe_url('àview'.encode('latin-1'), host='testserver'))
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/python-modules/packages/python-django.git