File: 03_xss_fix.diff

package info (click to toggle)
python-django 0.95.1-1etch2
  • links: PTS
  • area: main
  • in suites: etch
  • size: 6,344 kB
  • ctags: 3,919
  • sloc: python: 24,083; makefile: 14; sql: 6
file content (21 lines) | stat: -rw-r--r-- 868 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
 
Closes: http://bugs.debian.org/481164
Comment:
 Upstream patch grabbed from http://code.djangoproject.com/changeset/7528?format=diff&new=7528
 .
 Fixes a cross-scripting vulnerability (CVE-2008-2302).

--- python-django.orig/django/contrib/admin/views/decorators.py (revision 3360)
+++ python-django/django/contrib/admin/views/decorators.py (revision 7528)
@@ -4,4 +4,5 @@
 from django.contrib.auth import authenticate, login
 from django.shortcuts import render_to_response
+from django.utils.html import escape
 from django.utils.translation import gettext_lazy
 import base64, datetime, md5
@@ -23,5 +24,5 @@
     return render_to_response('admin/login.html', {
         'title': _('Log in'),
-        'app_path': request.path,
+        'app_path': escape(request.path),
         'post_data': post_data,
         'error_message': error_message