From 3dc8023a7b286d55ee4351c9fa90f2bc4fb79caa Mon Sep 17 00:00:00 2001
From: Marti Raudsepp <marti@juffo.org>
Date: Mon, 24 Oct 2016 15:22:00 -0400
Subject: Fixed CVE-2016-9013 -- Generated a random database user password when
 running tests on Oracle.

This is a security fix.
---
 django/db/backends/oracle/creation.py | 10 +++++++---
 docs/ref/settings.txt                 |  7 ++++++-
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/django/db/backends/oracle/creation.py b/django/db/backends/oracle/creation.py
index 46d38d9..84bfd4d 100644
--- a/django/db/backends/oracle/creation.py
+++ b/django/db/backends/oracle/creation.py
@@ -4,11 +4,11 @@ import time
 from django.conf import settings
 from django.db.backends.creation import BaseDatabaseCreation
 from django.db.utils import DatabaseError
+from django.utils.crypto import get_random_string
 from django.utils.six.moves import input
 
 
 TEST_DATABASE_PREFIX = 'test_'
-PASSWORD = 'Im_a_lumberjack'
 
 
 class DatabaseCreation(BaseDatabaseCreation):
@@ -276,7 +276,7 @@ class DatabaseCreation(BaseDatabaseCreation):
         """
         settings_dict = self.connection.settings_dict
         val = settings_dict['TEST'].get(key, default)
-        if val is None:
+        if val is None and prefixed:
             val = TEST_DATABASE_PREFIX + settings_dict[prefixed]
         return val
 
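Review bot: The added `and prefixed` guard gives `_test_settings_get` a second contract that its docstring does not describe: when `prefixed` is not passed, a missing or `None` value is now returned as `default` (possibly `None`) instead of reaching `settings_dict[prefixed]` with `prefixed=None`. The docstring should state this, e.g. `If prefixed is None, a missing or None value is returned as default without any prefixing; callers must handle None.` The function's signature and the start of its docstring lie above the hunk, so the docstring change itself falls outside this diff.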
@@ -293,7 +293,11 @@ class DatabaseCreation(BaseDatabaseCreation):
         return self._test_settings_get('USER', prefixed='USER')
 
     def _test_database_passwd(self):
-        return self._test_settings_get('PASSWORD', default=PASSWORD)
+        password = self._test_settings_get('PASSWORD')
+        if password is None and self._test_user_create():
+            # Oracle passwords are limited to 30 chars and can't contain symbols.
+            password = get_random_string(length=30)
+        return password
 
     def _test_database_tblspace(self):
         return self._test_settings_get('TBLSPACE', prefixed='NAME')
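Review bot: `get_random_string(length=30)` draws from ASCII letters and digits, so the generated password can begin with a digit; if the `CREATE USER ... IDENTIFIED BY` statement elsewhere in this file interpolates the password unquoted, Oracle applies identifier rules and rejects such a value, so either double-quote the password in that statement or force a leading letter, e.g. `password = get_random_string(1, string.ascii_letters) + get_random_string(29)` (with `import string` added to the file's imports). Each call to `_test_database_passwd` also yields a fresh value when `TEST['PASSWORD']` is unset, so the caller must capture it once and store it into `settings_dict` for the later test-user connection rather than recompute it; the hunk does not show whether that is done. The comment on the added line should describe the actual alphabet rather than only what is excluded, e.g. `# get_random_string's default alphabet is ASCII letters and digits; Oracle limits passwords to 30 chars.`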
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index 17d0830..8da2984 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -767,7 +767,12 @@ Default: ``None``
 This is an Oracle-specific setting.
 
 The password to use when connecting to the Oracle database that will be used
-when running tests. If not provided, Django will use a hardcoded default value.
+when running tests. If not provided, Django will generate a random password.
+
+.. versionchanged:: 1.11
+
+    Older versions used a hardcoded default password. This was also changed
+    in 1.10.3, 1.9.11, and 1.8.16 to fix possible security implications.
 
 .. setting:: TEST_TBLSPACE
 
