tests/regressiontests/forms/fields.py | 27 0 + 27 - 0 !
1 file changed, 27 deletions(-)

---

docs/man/django-admin.1 | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

---

docs/man/django-admin.1 | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

---

tests/regressiontests/admin_views/tests.py (revision 13750) | 19 11 + 8 - 0 !
1 file changed, 11 insertions(+), 8 deletions(-)

 adjust admindoctests to run after r13728. also match comments
  to tests and add test that was there in comment form only.

tests/regressiontests/admin_views/tests.py (revision 13764) | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 a second part of patch to update admindocstest to fix test suite.
Source: upstream, http://code.djangoproject.com/changeset/13764

tests/modeltests/validation/tests.py | 8 0 + 8 - 0 !
1 file changed, 8 deletions(-)

---

django/contrib/admin/options.py | 28 27 + 1 - 0 !
django/contrib/admin/views/main.py | 8 7 + 1 - 0 !
tests/regressiontests/admin_views/models.py | 7 5 + 2 - 0 !
tests/regressiontests/admin_views/tests.py | 5 5 + 0 - 0 !
4 files changed, 44 insertions(+), 4 deletions(-)

 fix information leakage in django administrative interface
 http://www.djangoproject.com/weblog/2010/dec/22/security/

django/contrib/auth/tests/tokens.py | 5 5 + 0 - 0 !
django/contrib/auth/urls.py | 4 2 + 2 - 0 !
django/utils/http.py | 7 6 + 1 - 0 !
3 files changed, 13 insertions(+), 3 deletions(-)

 fix denial-of-service attack in password-reset mechanism

django/middleware/csrf.py | 32 6 + 26 - 0 !
docs/ref/contrib/csrf.txt | 63 41 + 22 - 0 !
tests/regressiontests/csrf_tests/tests.py | 6 3 + 3 - 0 !
3 files changed, 50 insertions(+), 51 deletions(-)

 fix flaw in csrf handling

django/contrib/admin/widgets.py | 2 1 + 1 - 0 !
tests/regressiontests/admin_widgets/tests.py | 16 16 + 0 - 0 !
2 files changed, 17 insertions(+), 1 deletion(-)

 fix potential xss in file field rendering

django/contrib/sessions/backends/file.py | 6 4 + 2 - 0 !
django/contrib/sessions/tests.py | 11 11 + 0 - 0 !
2 files changed, 15 insertions(+), 2 deletions(-)

 fix directory-traversal vulnerability on windows

django/contrib/sessions/backends/cache.py | 10 6 + 4 - 0 !
django/contrib/sessions/backends/cached_db.py | 12 8 + 4 - 0 !
2 files changed, 14 insertions(+), 8 deletions(-)

 avoid manipulation of session data via the cache
 Corrected an issue which could allow attackers to manipulate session data
 using the cache.

django/db/models/fields/__init__.py | 2 1 + 1 - 0 !
docs/ref/models/fields.txt | 8 7 + 1 - 0 !
2 files changed, 8 insertions(+), 2 deletions(-)

 fix denial of service attack via urlfield
 Note that changes on tests/modeltests/validation/tests.py have been
 dropped as they are already present in the patch

django/conf/global_settings.py | 2 2 + 0 - 0 !
django/http/__init__.py | 3 2 + 1 - 0 !
docs/ref/request-response.txt | 11 5 + 6 - 0 !
docs/ref/settings.txt | 13 13 + 0 - 0 !
4 files changed, 22 insertions(+), 7 deletions(-)

 add protection against spoofing of x_forwarded_host headers
 Note that the non-regression test has been dropped as it didn't apply to
 the version of Django in Debian stable.

django/http/__init__.py | 21 12 + 9 - 0 !
tests/regressiontests/httpwrappers/tests.py | 17 16 + 1 - 0 !
2 files changed, 28 insertions(+), 10 deletions(-)

 fix cross site scripting issue in authentication views

django/forms/fields.py | 18 4 + 14 - 0 !
1 file changed, 4 insertions(+), 14 deletions(-)

 fix denial of service in image validation

django/core/files/images.py | 7 6 + 1 - 0 !
1 file changed, 6 insertions(+), 1 deletion(-)

 fix denial of service via get_image_dimensions()

django/contrib/auth/tests/urls.py | 2 2 + 0 - 0 !
django/contrib/auth/tests/views.py | 39 39 + 0 - 0 !
django/contrib/auth/views.py | 2 1 + 1 - 0 !
django/http/__init__.py | 5 5 + 0 - 0 !
4 files changed, 47 insertions(+), 1 deletion(-)

 fix host header poisoning

django/http/__init__.py | 4 3 + 1 - 0 !
1 file changed, 3 insertions(+), 1 deletion(-)

 fixed a security issue in get_host
Bug-Debian: http://bugs.debian.org/696535

django/contrib/auth/views.py | 47 26 + 21 - 0 !
django/contrib/comments/views/comments.py | 11 4 + 7 - 0 !
django/contrib/comments/views/moderation.py | 7 4 + 3 - 0 !
django/contrib/comments/views/utils.py | 10 6 + 4 - 0 !
django/utils/http.py | 13 13 + 0 - 0 !
django/views/i18n.py | 11 6 + 5 - 0 !
tests/regressiontests/comment_tests/tests/comment_view_tests.py | 7 7 + 0 - 0 !
tests/regressiontests/comment_tests/tests/moderation_view_tests.py | 87 84 + 3 - 0 !
tests/regressiontests/views/tests/i18n.py | 17 16 + 1 - 0 !
9 files changed, 166 insertions(+), 44 deletions(-)

 ensure that redirects can't be poisoned by malicious users
Bug: https://code.djangoproject.com/ticket/18856
Bug-Debian: http://bugs.debian.org/696535

django/conf/global_settings.py | 4 4 + 0 - 0 !
django/conf/project_template/settings.py | 4 4 + 0 - 0 !
django/http/__init__.py | 54 49 + 5 - 0 !
django/test/utils.py | 6 6 + 0 - 0 !
docs/ref/settings.txt | 36 36 + 0 - 0 !
5 files changed, 99 insertions(+), 5 deletions(-)

 added allowed_hosts setting for http host header validation.
Bug-Debian: http://bugs.debian.org/701186

django/core/serializers/xml_serializer.py | 94 93 + 1 - 0 !
tests/regressiontests/serializers_regress/tests.py | 15 15 + 0 - 0 !
2 files changed, 108 insertions(+), 1 deletion(-)

 restrict the xml deserializer to prevent network and entity-expansion dos attacks.
Bug-Debian: http://bugs.debian.org/701186
    

django/contrib/admin/options.py | 10 8 + 2 - 0 !
tests/regressiontests/admin_views/tests.py | 16 16 + 0 - 0 !
2 files changed, 24 insertions(+), 2 deletions(-)

 check object permissions on admin history view.
 Patch by Russell Keith-Magee.
Bug-Debian: http://bugs.debian.org/701186
    

django/forms/formsets.py | 12 10 + 2 - 0 !
docs/topics/forms/formsets.txt | 6 4 + 2 - 0 !
docs/topics/forms/modelforms.txt | 4 2 + 2 - 0 !
tests/regressiontests/forms/formsets.py | 2 1 + 1 - 0 !
4 files changed, 17 insertions(+), 7 deletions(-)

 add a default limit to the maximum number of forms in a formset.

django/contrib/auth/tests/views.py | 3 2 + 1 - 0 !
django/utils/http.py | 7 4 + 3 - 0 !
2 files changed, 6 insertions(+), 4 deletions(-)

 possible xss via ``is_safe_url``

A common pattern in Django applications is for a view to accept, via
querystring parameter, a URL to redirect to upon successful completion
of the view's processing. This pattern is used in code bundled with
Django itself; for example, the ``login`` view in
``django.contrib.auth.views``, which accepts such a parameter to
determine where to send a user following successful login.

A utility function -- ``django.utils.http.is_safe_url()`` -- is
provided and used to validate that this URL is on the current host
(either via fully-qualified or relative URL), so as to avoid
potentially dangerous redirects from maliciously-constructed
querystrings.

The ``is_safe_url()`` function works as intended for HTTP and HTTPS
URLs, but due to the manner in which it parses the URL, will permit
redirects to other schemes, such as ``javascript:``. While the Django
project is unaware of any demonstrated ability to perform cross-site
scripting attacks via this mechanism, the potential for such is
sufficient to trigger a security response.

To remedy this issue, the ``is_safe_url()`` function will be modified
to properly recognize and reject URLs which specify a scheme other
than HTTP or HTTPS.

django/template/defaulttags.py | 2 2 + 0 - 0 !
tests/regressiontests/templates/templates/ssi_include.html | 1 1 + 0 - 0 !
tests/regressiontests/templates/tests.py | 32 32 + 0 - 0 !
3 files changed, 35 insertions(+)

 directory traversal with ``ssi`` template tag

Django's template language includes two methods of including and
rendering one template inside another:

1. The ``{% include %}`` tag takes a template name, and uses Django's
   template loading mechanism (which is restricted to the directories
   specified in the ``TEMPLATE_DIRS`` setting, as with any other
   normal template load in Django).

2. The ``{% ssi %}`` tag, which takes a file path and includes that
   file's contents (optionally parsing and rendering it as a
   template).

Since the ``ssi`` tag is not restricted to ``TEMPLATE_DIRS``, it
represents a security risk; the setting ``ALLOWED_INCLUDE_ROOTS`` thus
is required, and specifies filesystem locations from which ``ssi`` may
read files.

To remedy this, the ``ssi`` tag will now use Python's
``os.path.abspath`` to determine the absolute path of the file, and
whether it is actually located within a directory permitted by
``ALLOWED_INCLUDE_ROOTS``.

This patch was modified by Debian to port it to the 1.2 Django release,
which is unsupported by upstream.

django/contrib/auth/forms.py | 22 13 + 9 - 0 !
django/contrib/auth/models.py | 5 4 + 1 - 0 !
django/contrib/auth/tests/basic.py | 5 5 + 0 - 0 !
3 files changed, 22 insertions(+), 10 deletions(-)

 ensure that passwords are never long enough for a dos.
 * Limit the password length to 4096 bytes
 * Password hashers will raise a ValueError
 * django.contrib.auth forms will fail validation
 * Document in release notes that this is a backwards incompatible change

Thanks to Josh Wright for the report, and Donald Stufft for the patch for
modern Django.

Unfortuantely 1.2.x is no loger supported upstream and the code has changed
substatially in the interim; this is a loose adaptation of the 1.4.x patch.

django/core/urlresolvers.py | 22 21 + 1 - 0 !
tests/regressiontests/urlpatterns_reverse/nonimported_module.py | 3 3 + 0 - 0 !
tests/regressiontests/urlpatterns_reverse/tests.py | 22 22 + 0 - 0 !
tests/regressiontests/urlpatterns_reverse/urls.py | 1 1 + 0 - 0 !
tests/regressiontests/urlpatterns_reverse/views.py | 3 3 + 0 - 0 !
5 files changed, 50 insertions(+), 1 deletion(-)

 fix unexpected code execution using reverse()

django/core/urlresolvers.py | 4 4 + 0 - 0 !
tests/regressiontests/urlpatterns_reverse/urls.py | 6 5 + 1 - 0 !
tests/regressiontests/urlpatterns_reverse/views.py | 10 10 + 0 - 0 !
3 files changed, 19 insertions(+), 1 deletion(-)

 restored the ability to reverse views created using functools.partial

django/middleware/cache.py | 10 9 + 1 - 0 !
django/utils/cache.py | 10 10 + 0 - 0 !
2 files changed, 19 insertions(+), 1 deletion(-)

 prevent leaking the csrf token through caching.
    
Django includes both a caching framework and a system for preventing
cross-site request forgery (CSRF) attacks. The CSRF-protection system
is based on a random nonce sent to the client in a cookie which must
be sent by the client on future requests, and in forms a hidden value
which must be submitted back with the form.

The caching framework includes an option to cache responses to
anonymous (i.e., unauthenticated) clients.

When the first anonymous request to a given page was by a client which
did not have a CSRF cookie, the cache framework will also cache the
CSRF cookie, and serve the same nonce to other anonymous clients who
do not have a CSRF cookie. This allows an attacker to obtain a valid
CSRF cookie value and perform attacks which bypass the check for the
cookie.

To remedy this, the caching framework will no longer cache such
responses. The heuristic for this will be:

1. If the incoming request did not submit any cookies, and

2. The response did send one or more cookies, and

3. The ``Vary: Cookie`` header is set on the response, then the
   response will not be cached.

django/db/models/fields/__init__.py | 12 12 + 0 - 0 !
docs/howto/custom-model-fields.txt | 10 10 + 0 - 0 !
docs/ref/databases.txt | 16 16 + 0 - 0 !
docs/ref/models/querysets.txt | 10 10 + 0 - 0 !
docs/topics/db/sql.txt | 10 10 + 0 - 0 !
tests/regressiontests/model_fields/tests.py | 89 88 + 1 - 0 !
6 files changed, 146 insertions(+), 1 deletion(-)

 fixed queries that may return unexpected results on mysql due to typecasting.

django/core/handlers/base.py | 2 0 + 2 - 0 !
django/http/utils.py | 50 0 + 50 - 0 !
2 files changed, 52 deletions(-)

 caches may be allowed to store and serve private data (cve-2014-1418)
 In certain situations, Django may allow caches to store private data
 related to a particular session and then serve that data to requests

django/contrib/auth/tests/views.py | 2 2 + 0 - 0 !
django/utils/http.py | 12 12 + 0 - 0 !
2 files changed, 14 insertions(+)

 malformed urls from user input incorrectly validated (cve-2014-3730)
 The validation for redirects did not correctly validate some malformed
 URLs, which are accepted by some browsers. This allows a user to be
 redirected to an unsafe URL unexpectedly.
 .
 Django relies on user input in some cases (e.g.
 django.contrib.auth.views.login, django.contrib.comments, and i18n) to
 redirect the user to an "on success" URL. The security checks for these
 redirects (namely django.util.http.is_safe_url()) did not correctly
 validate some malformed URLs, such as http:\\\djangoproject.com, which
 are accepted by some browsers with more liberal URL parsing.
 .
 To remedy this, the validation in is_safe_url() has been tightened to
 be able to handle and correctly validate these malformed URLs.

tests/regressiontests/forms/error_messages.py | 19 0 + 19 - 0 !
1 file changed, 19 deletions(-)

---

django/contrib/auth/middleware.py | 28 25 + 3 - 0 !
django/contrib/auth/tests/remote_user.py | 18 18 + 0 - 0 !
2 files changed, 43 insertions(+), 3 deletions(-)

---

django/core/urlresolvers.py | 2 2 + 0 - 0 !
tests/regressiontests/urlpatterns_reverse/tests.py | 5 4 + 1 - 0 !
tests/regressiontests/urlpatterns_reverse/urls.py | 3 3 + 0 - 0 !
3 files changed, 9 insertions(+), 1 deletion(-)

 prevented reverse() from generating urls pointing to other hosts
 Backport of made by Raphal Hertzog.

django/contrib/admin/exceptions.py | 6 6 + 0 - 0 !
django/contrib/admin/options.py | 18 18 + 0 - 0 !
django/contrib/admin/views/main.py | 6 5 + 1 - 0 !
tests/regressiontests/admin_views/tests.py | 18 18 + 0 - 0 !
4 files changed, 47 insertions(+), 1 deletion(-)

 prevented data leakage in contrib.admin via query string manipulation
 Patch backported by Thorsten Alteholz and Raphal Hertzog.

django/utils/crypto.py | 45 45 + 0 - 0 !
1 file changed, 45 insertions(+)

 backport get_random_string from django.utils.crypto
 It's needed by on the the following security fixes.

django/core/files/storage.py | 11 5 + 6 - 0 !
docs/howto/custom-file-storage.txt | 12 10 + 2 - 0 !
tests/modeltests/files/models.py | 18 10 + 8 - 0 !
tests/regressiontests/file_storage/tests.py | 36 22 + 14 - 0 !
4 files changed, 47 insertions(+), 30 deletions(-)

---

django/core/servers/basehttp.py | 8 8 + 0 - 0 !
tests/regressiontests/servers/tests.py | 66 65 + 1 - 0 !
2 files changed, 73 insertions(+), 1 deletion(-)

 stripped headers containing underscores to prevent spoofing in wsgi environ.
    
    This is a security fix. Disclosure following shortly.
    
    Thanks to Jedediah Smith for the report.

Patch further backported to Django 1.2 by Raphal Hertzog.

django/utils/http.py | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 fixed is_safe_url() to handle leading whitespace.
    
    This is a security fix. Disclosure following shortly.

django/views/static.py | 10 7 + 3 - 0 !
tests/regressiontests/views/media/long-line.txt | 1 1 + 0 - 0 !
tests/regressiontests/views/tests/static.py | 14 12 + 2 - 0 !
3 files changed, 20 insertions(+), 5 deletions(-)

 prevented views.static.serve() from using large memory on large files.
    
    This is a security fix. Disclosure following shortly.

Patch further backported to Django 1.2 by Raphal Hertzog.

django/http/__init__.py | 15 7 + 8 - 0 !
django/middleware/gzip.py | 20 16 + 4 - 0 !
django/utils/text.py | 34 34 + 0 - 0 !
tests/regressiontests/middleware/tests.py | 90 86 + 4 - 0 !
4 files changed, 143 insertions(+), 16 deletions(-)

 [1.4.x] fixed #24158 -- allowed gzipmiddleware to work with streaming responses
    
    Backport of django.utils.text.compress_sequence and fix for
    django.middleware.gzip.GZipMiddleware when using iterators as
    response.content.

Patch further backported to Django 1.2 by Raphal Hertzog
<hertzog@debian.org>.

django/utils/http.py | 9 8 + 1 - 0 !
1 file changed, 8 insertions(+), 1 deletion(-)

 [patch] [1.4.x] made is_safe_url() reject urls that start with
 control characters.

This is a security fix; disclosure to follow shortly.

[hertzog@debian.org: Backported to 1.2.3. Dropped the non-regression test
which was not available and updated the part applying to
django/utils/http.py]

django/contrib/sessions/backends/cache.py | 6 4 + 2 - 0 !
django/contrib/sessions/backends/cached_db.py | 11 7 + 4 - 0 !
django/contrib/sessions/backends/db.py | 5 3 + 2 - 0 !
django/contrib/sessions/backends/file.py | 7 4 + 3 - 0 !
django/contrib/sessions/tests.py | 50 50 + 0 - 0 !
5 files changed, 68 insertions(+), 11 deletions(-)

 [patch] [1.4.x] fixed #19324 -- avoided creating a session record
 when loading the session.

The session record is now only created if/when the session is modified. This
prevents a potential DoS via creation of many empty session records.

This is a security fix; disclosure to follow shortly.

django/core/validators.py | 23 14 + 9 - 0 !
tests/modeltests/validators/tests.py | 15 14 + 1 - 0 !
2 files changed, 28 insertions(+), 10 deletions(-)

 [patch] [1.4.x] prevented newlines from being accepted in some
 validators.

This is a security fix; disclosure to follow shortly.

Thanks to Sjoerd Job Postmus for the report and draft patch.

django/contrib/sessions/backends/base.py | 9 8 + 1 - 0 !
django/contrib/sessions/backends/cached_db.py | 2 1 + 1 - 0 !
django/contrib/sessions/backends/db.py | 2 1 + 1 - 0 !
django/contrib/sessions/backends/file.py | 2 1 + 1 - 0 !
django/contrib/sessions/middleware.py | 45 27 + 18 - 0 !
django/contrib/sessions/tests.py | 38 38 + 0 - 0 !
6 files changed, 76 insertions(+), 22 deletions(-)

 [patch] [1.4.x] fixed dos possiblity in contrib.auth.views.logout()

Refs #20936 -- When logging out/ending a session, don't create a new, empty session.

Previously, when logging out, the existing session was overwritten by a
new sessionid instead of deleting the session altogether.

This behavior added overhead by creating a new session record in
whichever backend was in use: db, cache, etc.

This extra session is unnecessary at the time since no session data is
meant to be preserved when explicitly logging out.

Backport of 393c0e24223c701edeb8ce7dc9d0f852f0c081ad,
088579638b160f3716dc81d194be70c72743593f, and
2dee853ed4def42b7ef1b3b472b395055543cc00 from master

Thanks Florian Apolloner and Carl Meyer for review.

This is a security fix.

django/utils/formats.py | 21 21 + 0 - 0 !
tests/regressiontests/i18n/tests.py | 4 4 + 0 - 0 !
2 files changed, 25 insertions(+)

---