Package: python-django | Debian Sources

Package: python-django / 1.2.3-3+squeeze10

Metadata

Package	Version	Patches format
python-django	1.2.3-3+squeeze10	3.0 (quilt)

Patch series

view the series file

Patch	File delta	Description
01_disable_url_verify_regression_tests.diff \| (download)	tests/regressiontests/forms/fields.py \| 27 0 + 27 - 0 ! 1 file changed, 27 deletions(-)	---
03_manpage.diff \| (download)	docs/man/django-admin.1 \| 6 3 + 3 - 0 ! 1 file changed, 3 insertions(+), 3 deletions(-)	---
04_hyphen manpage.diff \| (download)	docs/man/django-admin.1 \| 2 1 + 1 - 0 ! 1 file changed, 1 insertion(+), 1 deletion(-)	---
05_fix_regression_tests.diff \| (download)	tests/regressiontests/admin_views/tests.py (revision 13750) \| 19 11 + 8 - 0 ! 1 file changed, 11 insertions(+), 8 deletions(-)	adjust admindoctests to run after r13728. also match comments to tests and add test that was there in comment form only.
06_fix_regression_tests.diff \| (download)	tests/regressiontests/admin_views/tests.py (revision 13764) \| 4 2 + 2 - 0 ! 1 file changed, 2 insertions(+), 2 deletions(-)	a second part of patch to update admindocstest to fix test suite. Source: upstream, http://code.djangoproject.com/changeset/13764
07_disable_url_verify_model_tests.diff \| (download)	tests/modeltests/validation/tests.py \| 8 0 + 8 - 0 ! 1 file changed, 8 deletions(-)	---
08_fix_info_leakage.diff \| (download)	django/contrib/admin/options.py \| 28 27 + 1 - 0 ! django/contrib/admin/views/main.py \| 8 7 + 1 - 0 ! tests/regressiontests/admin_views/models.py \| 7 5 + 2 - 0 ! tests/regressiontests/admin_views/tests.py \| 5 5 + 0 - 0 ! 4 files changed, 44 insertions(+), 4 deletions(-)	fix information leakage in django administrative interface http://www.djangoproject.com/weblog/2010/dec/22/security/
09_fix_dos_password_reset.diff \| (download)	django/contrib/auth/tests/tokens.py \| 5 5 + 0 - 0 ! django/contrib/auth/urls.py \| 4 2 + 2 - 0 ! django/utils/http.py \| 7 6 + 1 - 0 ! 3 files changed, 13 insertions(+), 3 deletions(-)	fix denial-of-service attack in password-reset mechanism
10_fix_csrf_ajax.diff \| (download)	django/middleware/csrf.py \| 32 6 + 26 - 0 ! docs/ref/contrib/csrf.txt \| 63 41 + 22 - 0 ! tests/regressiontests/csrf_tests/tests.py \| 6 3 + 3 - 0 ! 3 files changed, 50 insertions(+), 51 deletions(-)	fix flaw in csrf handling
11_fix_admin_file_widget.diff \| (download)	django/contrib/admin/widgets.py \| 2 1 + 1 - 0 ! tests/regressiontests/admin_widgets/tests.py \| 16 16 + 0 - 0 ! 2 files changed, 17 insertions(+), 1 deletion(-)	fix potential xss in file field rendering
12_fix_file_session_backend.diff \| (download)	django/contrib/sessions/backends/file.py \| 6 4 + 2 - 0 ! django/contrib/sessions/tests.py \| 11 11 + 0 - 0 ! 2 files changed, 15 insertions(+), 2 deletions(-)	fix directory-traversal vulnerability on windows
13_fix_safety_issue_with_session_data.diff \| (download)	django/contrib/sessions/backends/cache.py \| 10 6 + 4 - 0 ! django/contrib/sessions/backends/cached_db.py \| 12 8 + 4 - 0 ! 2 files changed, 14 insertions(+), 8 deletions(-)	avoid manipulation of session data via the cache Corrected an issue which could allow attackers to manipulate session data using the cache.
14_fix_dos_with_urlfield.diff \| (download)	django/db/models/fields/__init__.py \| 2 1 + 1 - 0 ! docs/ref/models/fields.txt \| 8 7 + 1 - 0 ! 2 files changed, 8 insertions(+), 2 deletions(-)	fix denial of service attack via urlfield Note that changes on tests/modeltests/validation/tests.py have been dropped as they are already present in the patch
15_fix_spoofing_issue_with_x_forwarded_host.diff \| (download)	django/conf/global_settings.py \| 2 2 + 0 - 0 ! django/http/__init__.py \| 3 2 + 1 - 0 ! docs/ref/request-response.txt \| 11 5 + 6 - 0 ! docs/ref/settings.txt \| 13 13 + 0 - 0 ! 4 files changed, 22 insertions(+), 7 deletions(-)	add protection against spoofing of x_forwarded_host headers Note that the non-regression test has been dropped as it didn't apply to the version of Django in Debian stable.
16_fix_cross_site_scripting_in_authentication.diff \| (download)	django/http/__init__.py \| 21 12 + 9 - 0 ! tests/regressiontests/httpwrappers/tests.py \| 17 16 + 1 - 0 ! 2 files changed, 28 insertions(+), 10 deletions(-)	fix cross site scripting issue in authentication views
17_fix_dos_in_image_validation.diff \| (download)	django/forms/fields.py \| 18 4 + 14 - 0 ! 1 file changed, 4 insertions(+), 14 deletions(-)	fix denial of service in image validation
18_fix_dos_via_get_image_dimensions.diff \| (download)	django/core/files/images.py \| 7 6 + 1 - 0 ! 1 file changed, 6 insertions(+), 1 deletion(-)	fix denial of service via get_image_dimensions()
19_fix_host_header_poisoning.diff \| (download)	django/contrib/auth/tests/urls.py \| 2 2 + 0 - 0 ! django/contrib/auth/tests/views.py \| 39 39 + 0 - 0 ! django/contrib/auth/views.py \| 2 1 + 1 - 0 ! django/http/__init__.py \| 5 5 + 0 - 0 ! 4 files changed, 47 insertions(+), 1 deletion(-)	fix host header poisoning
20_fix_get_host.diff \| (download)	django/http/__init__.py \| 4 3 + 1 - 0 ! 1 file changed, 3 insertions(+), 1 deletion(-)	fixed a security issue in get_host Bug-Debian: http://bugs.debian.org/696535
21_fix_redirect_poisoning.diff \| (download)	django/contrib/auth/views.py \| 47 26 + 21 - 0 ! django/contrib/comments/views/comments.py \| 11 4 + 7 - 0 ! django/contrib/comments/views/moderation.py \| 7 4 + 3 - 0 ! django/contrib/comments/views/utils.py \| 10 6 + 4 - 0 ! django/utils/http.py \| 13 13 + 0 - 0 ! django/views/i18n.py \| 11 6 + 5 - 0 ! tests/regressiontests/comment_tests/tests/comment_view_tests.py \| 7 7 + 0 - 0 ! tests/regressiontests/comment_tests/tests/moderation_view_tests.py \| 87 84 + 3 - 0 ! tests/regressiontests/views/tests/i18n.py \| 17 16 + 1 - 0 ! 9 files changed, 166 insertions(+), 44 deletions(-)	ensure that redirects can't be poisoned by malicious users Bug: https://code.djangoproject.com/ticket/18856 Bug-Debian: http://bugs.debian.org/696535
22_add_allowed_hosts.diff \| (download)	django/conf/global_settings.py \| 4 4 + 0 - 0 ! django/conf/project_template/settings.py \| 4 4 + 0 - 0 ! django/http/__init__.py \| 54 49 + 5 - 0 ! django/test/utils.py \| 6 6 + 0 - 0 ! docs/ref/settings.txt \| 36 36 + 0 - 0 ! 5 files changed, 99 insertions(+), 5 deletions(-)	added allowed_hosts setting for http host header validation. Bug-Debian: http://bugs.debian.org/701186
23_restrict_xml_deserializer.diff \| (download)	django/core/serializers/xml_serializer.py \| 94 93 + 1 - 0 ! tests/regressiontests/serializers_regress/tests.py \| 15 15 + 0 - 0 ! 2 files changed, 108 insertions(+), 1 deletion(-)	restrict the xml deserializer to prevent network and entity-expansion dos attacks. Bug-Debian: http://bugs.debian.org/701186
24_check_perms_admin_history_view.diff \| (download)	django/contrib/admin/options.py \| 10 8 + 2 - 0 ! tests/regressiontests/admin_views/tests.py \| 16 16 + 0 - 0 ! 2 files changed, 24 insertions(+), 2 deletions(-)	check object permissions on admin history view. Patch by Russell Keith-Magee. Bug-Debian: http://bugs.debian.org/701186
25_limit_number_of_forms_in_formset.diff \| (download)	django/forms/formsets.py \| 12 10 + 2 - 0 ! docs/topics/forms/formsets.txt \| 6 4 + 2 - 0 ! docs/topics/forms/modelforms.txt \| 4 2 + 2 - 0 ! tests/regressiontests/forms/formsets.py \| 2 1 + 1 - 0 ! 4 files changed, 17 insertions(+), 7 deletions(-)	add a default limit to the maximum number of forms in a formset.
26_is_safe_url 1.4.diff \| (download)	django/contrib/auth/tests/views.py \| 3 2 + 1 - 0 ! django/utils/http.py \| 7 4 + 3 - 0 ! 2 files changed, 6 insertions(+), 4 deletions(-)	possible xss via ``is_safe_url`` A common pattern in Django applications is for a view to accept, via querystring parameter, a URL to redirect to upon successful completion of the view's processing. This pattern is used in code bundled with Django itself; for example, the ``login`` view in ``django.contrib.auth.views``, which accepts such a parameter to determine where to send a user following successful login. A utility function -- ``django.utils.http.is_safe_url()`` -- is provided and used to validate that this URL is on the current host (either via fully-qualified or relative URL), so as to avoid potentially dangerous redirects from maliciously-constructed querystrings. The ``is_safe_url()`` function works as intended for HTTP and HTTPS URLs, but due to the manner in which it parses the URL, will permit redirects to other schemes, such as ``javascript:``. While the Django project is unaware of any demonstrated ability to perform cross-site scripting attacks via this mechanism, the potential for such is sufficient to trigger a security response. To remedy this issue, the ``is_safe_url()`` function will be modified to properly recognize and reject URLs which specify a scheme other than HTTP or HTTPS.
ssi tag 1.2.diff \| (download)	django/template/defaulttags.py \| 2 2 + 0 - 0 ! tests/regressiontests/templates/templates/ssi_include.html \| 1 1 + 0 - 0 ! tests/regressiontests/templates/tests.py \| 32 32 + 0 - 0 ! 3 files changed, 35 insertions(+)	directory traversal with ``ssi`` template tag Django's template language includes two methods of including and rendering one template inside another: 1. The ``{% include %}`` tag takes a template name, and uses Django's template loading mechanism (which is restricted to the directories specified in the ``TEMPLATE_DIRS`` setting, as with any other normal template load in Django). 2. The ``{% ssi %}`` tag, which takes a file path and includes that file's contents (optionally parsing and rendering it as a template). Since the ``ssi`` tag is not restricted to ``TEMPLATE_DIRS``, it represents a security risk; the setting ``ALLOWED_INCLUDE_ROOTS`` thus is required, and specifies filesystem locations from which ``ssi`` may read files. To remedy this, the ``ssi`` tag will now use Python's ``os.path.abspath`` to determine the absolute path of the file, and whether it is actually located within a directory permitted by ``ALLOWED_INCLUDE_ROOTS``. This patch was modified by Debian to port it to the 1.2 Django release, which is unsupported by upstream.
password dos.diff \| (download)	django/contrib/auth/forms.py \| 22 13 + 9 - 0 ! django/contrib/auth/models.py \| 5 4 + 1 - 0 ! django/contrib/auth/tests/basic.py \| 5 5 + 0 - 0 ! 3 files changed, 22 insertions(+), 10 deletions(-)	ensure that passwords are never long enough for a dos. * Limit the password length to 4096 bytes * Password hashers will raise a ValueError * django.contrib.auth forms will fail validation * Document in release notes that this is a backwards incompatible change Thanks to Josh Wright for the report, and Donald Stufft for the patch for modern Django. Unfortuantely 1.2.x is no loger supported upstream and the code has changed substatially in the interim; this is a loose adaptation of the 1.4.x patch.
CVE 2014 0472.patch \| (download)	django/core/urlresolvers.py \| 22 21 + 1 - 0 ! tests/regressiontests/urlpatterns_reverse/nonimported_module.py \| 3 3 + 0 - 0 ! tests/regressiontests/urlpatterns_reverse/tests.py \| 22 22 + 0 - 0 ! tests/regressiontests/urlpatterns_reverse/urls.py \| 1 1 + 0 - 0 ! tests/regressiontests/urlpatterns_reverse/views.py \| 3 3 + 0 - 0 ! 5 files changed, 50 insertions(+), 1 deletion(-)	fix unexpected code execution using reverse()
CVE 2014 0472 regression.patch \| (download)	django/core/urlresolvers.py \| 4 4 + 0 - 0 ! tests/regressiontests/urlpatterns_reverse/urls.py \| 6 5 + 1 - 0 ! tests/regressiontests/urlpatterns_reverse/views.py \| 10 10 + 0 - 0 ! 3 files changed, 19 insertions(+), 1 deletion(-)	restored the ability to reverse views created using functools.partial
CVE 2014 0473.patch \| (download)	django/middleware/cache.py \| 10 9 + 1 - 0 ! django/utils/cache.py \| 10 10 + 0 - 0 ! 2 files changed, 19 insertions(+), 1 deletion(-)	prevent leaking the csrf token through caching. Django includes both a caching framework and a system for preventing cross-site request forgery (CSRF) attacks. The CSRF-protection system is based on a random nonce sent to the client in a cookie which must be sent by the client on future requests, and in forms a hidden value which must be submitted back with the form. The caching framework includes an option to cache responses to anonymous (i.e., unauthenticated) clients. When the first anonymous request to a given page was by a client which did not have a CSRF cookie, the cache framework will also cache the CSRF cookie, and serve the same nonce to other anonymous clients who do not have a CSRF cookie. This allows an attacker to obtain a valid CSRF cookie value and perform attacks which bypass the check for the cookie. To remedy this, the caching framework will no longer cache such responses. The heuristic for this will be: 1. If the incoming request did not submit any cookies, and 2. The response did send one or more cookies, and 3. The ``Vary: Cookie`` header is set on the response, then the response will not be cached.
CVE 2014 0474.patch \| (download)	django/db/models/fields/__init__.py \| 12 12 + 0 - 0 ! docs/howto/custom-model-fields.txt \| 10 10 + 0 - 0 ! docs/ref/databases.txt \| 16 16 + 0 - 0 ! docs/ref/models/querysets.txt \| 10 10 + 0 - 0 ! docs/topics/db/sql.txt \| 10 10 + 0 - 0 ! tests/regressiontests/model_fields/tests.py \| 89 88 + 1 - 0 ! 6 files changed, 146 insertions(+), 1 deletion(-)	fixed queries that may return unexpected results on mysql due to typecasting.
CVE 2014 1418.patch \| (download)	django/core/handlers/base.py \| 2 0 + 2 - 0 ! django/http/utils.py \| 50 0 + 50 - 0 ! 2 files changed, 52 deletions(-)	caches may be allowed to store and serve private data (cve-2014-1418) In certain situations, Django may allow caches to store private data related to a particular session and then serve that data to requests
CVE 2014 3730.patch \| (download)	django/contrib/auth/tests/views.py \| 2 2 + 0 - 0 ! django/utils/http.py \| 12 12 + 0 - 0 ! 2 files changed, 14 insertions(+)	malformed urls from user input incorrectly validated (cve-2014-3730) The validation for redirects did not correctly validate some malformed URLs, which are accepted by some browsers. This allows a user to be redirected to an unsafe URL unexpectedly. . Django relies on user input in some cases (e.g. django.contrib.auth.views.login, django.contrib.comments, and i18n) to redirect the user to an "on success" URL. The security checks for these redirects (namely django.util.http.is_safe_url()) did not correctly validate some malformed URLs, such as http:\\\djangoproject.com, which are accepted by some browsers with more liberal URL parsing. . To remedy this, the validation in is_safe_url() has been tightened to be able to handle and correctly validate these malformed URLs.

Patch	File delta	Description
01_disable_url_verify_regression_tests.diff \| (download)	tests/regressiontests/forms/fields.py \| 27 0 + 27 - 0 ! 1 file changed, 27 deletions(-)	---
03_manpage.diff \| (download)	docs/man/django-admin.1 \| 6 3 + 3 - 0 ! 1 file changed, 3 insertions(+), 3 deletions(-)	---
04_hyphen manpage.diff \| (download)	docs/man/django-admin.1 \| 2 1 + 1 - 0 ! 1 file changed, 1 insertion(+), 1 deletion(-)	---
05_fix_regression_tests.diff \| (download)	tests/regressiontests/admin_views/tests.py (revision 13750) \| 19 11 + 8 - 0 ! 1 file changed, 11 insertions(+), 8 deletions(-)	adjust admindoctests to run after r13728. also match comments to tests and add test that was there in comment form only.
06_fix_regression_tests.diff \| (download)	tests/regressiontests/admin_views/tests.py (revision 13764) \| 4 2 + 2 - 0 ! 1 file changed, 2 insertions(+), 2 deletions(-)	a second part of patch to update admindocstest to fix test suite. Source: upstream, http://code.djangoproject.com/changeset/13764
07_disable_url_verify_model_tests.diff \| (download)	tests/modeltests/validation/tests.py \| 8 0 + 8 - 0 ! 1 file changed, 8 deletions(-)	---
08_fix_info_leakage.diff \| (download)	django/contrib/admin/options.py \| 28 27 + 1 - 0 ! django/contrib/admin/views/main.py \| 8 7 + 1 - 0 ! tests/regressiontests/admin_views/models.py \| 7 5 + 2 - 0 ! tests/regressiontests/admin_views/tests.py \| 5 5 + 0 - 0 ! 4 files changed, 44 insertions(+), 4 deletions(-)	fix information leakage in django administrative interface http://www.djangoproject.com/weblog/2010/dec/22/security/
09_fix_dos_password_reset.diff \| (download)	django/contrib/auth/tests/tokens.py \| 5 5 + 0 - 0 ! django/contrib/auth/urls.py \| 4 2 + 2 - 0 ! django/utils/http.py \| 7 6 + 1 - 0 ! 3 files changed, 13 insertions(+), 3 deletions(-)	fix denial-of-service attack in password-reset mechanism
10_fix_csrf_ajax.diff \| (download)	django/middleware/csrf.py \| 32 6 + 26 - 0 ! docs/ref/contrib/csrf.txt \| 63 41 + 22 - 0 ! tests/regressiontests/csrf_tests/tests.py \| 6 3 + 3 - 0 ! 3 files changed, 50 insertions(+), 51 deletions(-)	fix flaw in csrf handling
11_fix_admin_file_widget.diff \| (download)	django/contrib/admin/widgets.py \| 2 1 + 1 - 0 ! tests/regressiontests/admin_widgets/tests.py \| 16 16 + 0 - 0 ! 2 files changed, 17 insertions(+), 1 deletion(-)	fix potential xss in file field rendering
12_fix_file_session_backend.diff \| (download)	django/contrib/sessions/backends/file.py \| 6 4 + 2 - 0 ! django/contrib/sessions/tests.py \| 11 11 + 0 - 0 ! 2 files changed, 15 insertions(+), 2 deletions(-)	fix directory-traversal vulnerability on windows
13_fix_safety_issue_with_session_data.diff \| (download)	django/contrib/sessions/backends/cache.py \| 10 6 + 4 - 0 ! django/contrib/sessions/backends/cached_db.py \| 12 8 + 4 - 0 ! 2 files changed, 14 insertions(+), 8 deletions(-)	avoid manipulation of session data via the cache Corrected an issue which could allow attackers to manipulate session data using the cache.
14_fix_dos_with_urlfield.diff \| (download)	django/db/models/fields/__init__.py \| 2 1 + 1 - 0 ! docs/ref/models/fields.txt \| 8 7 + 1 - 0 ! 2 files changed, 8 insertions(+), 2 deletions(-)	fix denial of service attack via urlfield Note that changes on tests/modeltests/validation/tests.py have been dropped as they are already present in the patch
15_fix_spoofing_issue_with_x_forwarded_host.diff \| (download)	django/conf/global_settings.py \| 2 2 + 0 - 0 ! django/http/__init__.py \| 3 2 + 1 - 0 ! docs/ref/request-response.txt \| 11 5 + 6 - 0 ! docs/ref/settings.txt \| 13 13 + 0 - 0 ! 4 files changed, 22 insertions(+), 7 deletions(-)	add protection against spoofing of x_forwarded_host headers Note that the non-regression test has been dropped as it didn't apply to the version of Django in Debian stable.
16_fix_cross_site_scripting_in_authentication.diff \| (download)	django/http/__init__.py \| 21 12 + 9 - 0 ! tests/regressiontests/httpwrappers/tests.py \| 17 16 + 1 - 0 ! 2 files changed, 28 insertions(+), 10 deletions(-)	fix cross site scripting issue in authentication views
17_fix_dos_in_image_validation.diff \| (download)	django/forms/fields.py \| 18 4 + 14 - 0 ! 1 file changed, 4 insertions(+), 14 deletions(-)	fix denial of service in image validation
18_fix_dos_via_get_image_dimensions.diff \| (download)	django/core/files/images.py \| 7 6 + 1 - 0 ! 1 file changed, 6 insertions(+), 1 deletion(-)	fix denial of service via get_image_dimensions()
19_fix_host_header_poisoning.diff \| (download)	django/contrib/auth/tests/urls.py \| 2 2 + 0 - 0 ! django/contrib/auth/tests/views.py \| 39 39 + 0 - 0 ! django/contrib/auth/views.py \| 2 1 + 1 - 0 ! django/http/__init__.py \| 5 5 + 0 - 0 ! 4 files changed, 47 insertions(+), 1 deletion(-)	fix host header poisoning
20_fix_get_host.diff \| (download)	django/http/__init__.py \| 4 3 + 1 - 0 ! 1 file changed, 3 insertions(+), 1 deletion(-)	fixed a security issue in get_host Bug-Debian: http://bugs.debian.org/696535
21_fix_redirect_poisoning.diff \| (download)	django/contrib/auth/views.py \| 47 26 + 21 - 0 ! django/contrib/comments/views/comments.py \| 11 4 + 7 - 0 ! django/contrib/comments/views/moderation.py \| 7 4 + 3 - 0 ! django/contrib/comments/views/utils.py \| 10 6 + 4 - 0 ! django/utils/http.py \| 13 13 + 0 - 0 ! django/views/i18n.py \| 11 6 + 5 - 0 ! tests/regressiontests/comment_tests/tests/comment_view_tests.py \| 7 7 + 0 - 0 ! tests/regressiontests/comment_tests/tests/moderation_view_tests.py \| 87 84 + 3 - 0 ! tests/regressiontests/views/tests/i18n.py \| 17 16 + 1 - 0 ! 9 files changed, 166 insertions(+), 44 deletions(-)	ensure that redirects can't be poisoned by malicious users Bug: https://code.djangoproject.com/ticket/18856 Bug-Debian: http://bugs.debian.org/696535
22_add_allowed_hosts.diff \| (download)	django/conf/global_settings.py \| 4 4 + 0 - 0 ! django/conf/project_template/settings.py \| 4 4 + 0 - 0 ! django/http/__init__.py \| 54 49 + 5 - 0 ! django/test/utils.py \| 6 6 + 0 - 0 ! docs/ref/settings.txt \| 36 36 + 0 - 0 ! 5 files changed, 99 insertions(+), 5 deletions(-)	added allowed_hosts setting for http host header validation. Bug-Debian: http://bugs.debian.org/701186
23_restrict_xml_deserializer.diff \| (download)	django/core/serializers/xml_serializer.py \| 94 93 + 1 - 0 ! tests/regressiontests/serializers_regress/tests.py \| 15 15 + 0 - 0 ! 2 files changed, 108 insertions(+), 1 deletion(-)	restrict the xml deserializer to prevent network and entity-expansion dos attacks. Bug-Debian: http://bugs.debian.org/701186
24_check_perms_admin_history_view.diff \| (download)	django/contrib/admin/options.py \| 10 8 + 2 - 0 ! tests/regressiontests/admin_views/tests.py \| 16 16 + 0 - 0 ! 2 files changed, 24 insertions(+), 2 deletions(-)	check object permissions on admin history view. Patch by Russell Keith-Magee. Bug-Debian: http://bugs.debian.org/701186
25_limit_number_of_forms_in_formset.diff \| (download)	django/forms/formsets.py \| 12 10 + 2 - 0 ! docs/topics/forms/formsets.txt \| 6 4 + 2 - 0 ! docs/topics/forms/modelforms.txt \| 4 2 + 2 - 0 ! tests/regressiontests/forms/formsets.py \| 2 1 + 1 - 0 ! 4 files changed, 17 insertions(+), 7 deletions(-)	add a default limit to the maximum number of forms in a formset.
26_is_safe_url 1.4.diff \| (download)	django/contrib/auth/tests/views.py \| 3 2 + 1 - 0 ! django/utils/http.py \| 7 4 + 3 - 0 ! 2 files changed, 6 insertions(+), 4 deletions(-)	possible xss via ``is_safe_url`` A common pattern in Django applications is for a view to accept, via querystring parameter, a URL to redirect to upon successful completion of the view's processing. This pattern is used in code bundled with Django itself; for example, the ``login`` view in ``django.contrib.auth.views``, which accepts such a parameter to determine where to send a user following successful login. A utility function -- ``django.utils.http.is_safe_url()`` -- is provided and used to validate that this URL is on the current host (either via fully-qualified or relative URL), so as to avoid potentially dangerous redirects from maliciously-constructed querystrings. The ``is_safe_url()`` function works as intended for HTTP and HTTPS URLs, but due to the manner in which it parses the URL, will permit redirects to other schemes, such as ``javascript:``. While the Django project is unaware of any demonstrated ability to perform cross-site scripting attacks via this mechanism, the potential for such is sufficient to trigger a security response. To remedy this issue, the ``is_safe_url()`` function will be modified to properly recognize and reject URLs which specify a scheme other than HTTP or HTTPS.
ssi tag 1.2.diff \| (download)	django/template/defaulttags.py \| 2 2 + 0 - 0 ! tests/regressiontests/templates/templates/ssi_include.html \| 1 1 + 0 - 0 ! tests/regressiontests/templates/tests.py \| 32 32 + 0 - 0 ! 3 files changed, 35 insertions(+)	directory traversal with ``ssi`` template tag Django's template language includes two methods of including and rendering one template inside another: 1. The ``{% include %}`` tag takes a template name, and uses Django's template loading mechanism (which is restricted to the directories specified in the ``TEMPLATE_DIRS`` setting, as with any other normal template load in Django). 2. The ``{% ssi %}`` tag, which takes a file path and includes that file's contents (optionally parsing and rendering it as a template). Since the ``ssi`` tag is not restricted to ``TEMPLATE_DIRS``, it represents a security risk; the setting ``ALLOWED_INCLUDE_ROOTS`` thus is required, and specifies filesystem locations from which ``ssi`` may read files. To remedy this, the ``ssi`` tag will now use Python's ``os.path.abspath`` to determine the absolute path of the file, and whether it is actually located within a directory permitted by ``ALLOWED_INCLUDE_ROOTS``. This patch was modified by Debian to port it to the 1.2 Django release, which is unsupported by upstream.
password dos.diff \| (download)	django/contrib/auth/forms.py \| 22 13 + 9 - 0 ! django/contrib/auth/models.py \| 5 4 + 1 - 0 ! django/contrib/auth/tests/basic.py \| 5 5 + 0 - 0 ! 3 files changed, 22 insertions(+), 10 deletions(-)	ensure that passwords are never long enough for a dos. * Limit the password length to 4096 bytes * Password hashers will raise a ValueError * django.contrib.auth forms will fail validation * Document in release notes that this is a backwards incompatible change Thanks to Josh Wright for the report, and Donald Stufft for the patch for modern Django. Unfortuantely 1.2.x is no loger supported upstream and the code has changed substatially in the interim; this is a loose adaptation of the 1.4.x patch.
CVE 2014 0472.patch \| (download)	django/core/urlresolvers.py \| 22 21 + 1 - 0 ! tests/regressiontests/urlpatterns_reverse/nonimported_module.py \| 3 3 + 0 - 0 ! tests/regressiontests/urlpatterns_reverse/tests.py \| 22 22 + 0 - 0 ! tests/regressiontests/urlpatterns_reverse/urls.py \| 1 1 + 0 - 0 ! tests/regressiontests/urlpatterns_reverse/views.py \| 3 3 + 0 - 0 ! 5 files changed, 50 insertions(+), 1 deletion(-)	fix unexpected code execution using reverse()
CVE 2014 0472 regression.patch \| (download)	django/core/urlresolvers.py \| 4 4 + 0 - 0 ! tests/regressiontests/urlpatterns_reverse/urls.py \| 6 5 + 1 - 0 ! tests/regressiontests/urlpatterns_reverse/views.py \| 10 10 + 0 - 0 ! 3 files changed, 19 insertions(+), 1 deletion(-)	restored the ability to reverse views created using functools.partial
CVE 2014 0473.patch \| (download)	django/middleware/cache.py \| 10 9 + 1 - 0 ! django/utils/cache.py \| 10 10 + 0 - 0 ! 2 files changed, 19 insertions(+), 1 deletion(-)	prevent leaking the csrf token through caching. Django includes both a caching framework and a system for preventing cross-site request forgery (CSRF) attacks. The CSRF-protection system is based on a random nonce sent to the client in a cookie which must be sent by the client on future requests, and in forms a hidden value which must be submitted back with the form. The caching framework includes an option to cache responses to anonymous (i.e., unauthenticated) clients. When the first anonymous request to a given page was by a client which did not have a CSRF cookie, the cache framework will also cache the CSRF cookie, and serve the same nonce to other anonymous clients who do not have a CSRF cookie. This allows an attacker to obtain a valid CSRF cookie value and perform attacks which bypass the check for the cookie. To remedy this, the caching framework will no longer cache such responses. The heuristic for this will be: 1. If the incoming request did not submit any cookies, and 2. The response did send one or more cookies, and 3. The ``Vary: Cookie`` header is set on the response, then the response will not be cached.
CVE 2014 0474.patch \| (download)	django/db/models/fields/__init__.py \| 12 12 + 0 - 0 ! docs/howto/custom-model-fields.txt \| 10 10 + 0 - 0 ! docs/ref/databases.txt \| 16 16 + 0 - 0 ! docs/ref/models/querysets.txt \| 10 10 + 0 - 0 ! docs/topics/db/sql.txt \| 10 10 + 0 - 0 ! tests/regressiontests/model_fields/tests.py \| 89 88 + 1 - 0 ! 6 files changed, 146 insertions(+), 1 deletion(-)	fixed queries that may return unexpected results on mysql due to typecasting.
CVE 2014 1418.patch \| (download)	django/core/handlers/base.py \| 2 0 + 2 - 0 ! django/http/utils.py \| 50 0 + 50 - 0 ! 2 files changed, 52 deletions(-)	caches may be allowed to store and serve private data (cve-2014-1418) In certain situations, Django may allow caches to store private data related to a particular session and then serve that data to requests
CVE 2014 3730.patch \| (download)	django/contrib/auth/tests/views.py \| 2 2 + 0 - 0 ! django/utils/http.py \| 12 12 + 0 - 0 ! 2 files changed, 14 insertions(+)	malformed urls from user input incorrectly validated (cve-2014-3730) The validation for redirects did not correctly validate some malformed URLs, which are accepted by some browsers. This allows a user to be redirected to an unsafe URL unexpectedly. . Django relies on user input in some cases (e.g. django.contrib.auth.views.login, django.contrib.comments, and i18n) to redirect the user to an "on success" URL. The security checks for these redirects (namely django.util.http.is_safe_url()) did not correctly validate some malformed URLs, such as http:\\\djangoproject.com, which are accepted by some browsers with more liberal URL parsing. . To remedy this, the validation in is_safe_url() has been tightened to be able to handle and correctly validate these malformed URLs.