File: 0011-Fixed-CVE-2016-9013-Generated-a-random-database-user.patch

From 3dc8023a7b286d55ee4351c9fa90f2bc4fb79caa Mon Sep 17 00:00:00 2001
From: Marti Raudsepp <marti@juffo.org>
Date: Mon, 24 Oct 2016 15:22:00 -0400
Subject: Fixed CVE-2016-9013 -- Generated a random database user password when
 running tests on Oracle.

This is a security fix.
---
 django/db/backends/oracle/creation.py | 10 +++++++---
 docs/ref/settings.txt                 |  7 ++++++-
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/django/db/backends/oracle/creation.py b/django/db/backends/oracle/creation.py
index 46d38d9..84bfd4d 100644
--- a/django/db/backends/oracle/creation.py
+++ b/django/db/backends/oracle/creation.py
@@ -4,11 +4,11 @@ import time
 from django.conf import settings
 from django.db.backends.creation import BaseDatabaseCreation
 from django.db.utils import DatabaseError
+from django.utils.crypto import get_random_string
 from django.utils.six.moves import input
 
 
 TEST_DATABASE_PREFIX = 'test_'
-PASSWORD = 'Im_a_lumberjack'
 
 
 class DatabaseCreation(BaseDatabaseCreation):
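Review bot: Dropping the module-level `PASSWORD` constant is a small API break for anything that imported it from `django.db.backends.oracle.creation` (test harnesses or local settings helpers, if any exist); a deprecation shim is probably not worth it for a security fix, but the commit message could say the name is gone and that `DATABASES[...]['TEST']['PASSWORD']` is the supported replacement. The new `get_random_string` import is the right primitive here; note it draws from Django's CSPRNG wrapper rather than `random`, which is what makes the generated credential unguessable.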
@@ -276,7 +276,7 @@ class DatabaseCreation(BaseDatabaseCreation):
         """
         settings_dict = self.connection.settings_dict
         val = settings_dict['TEST'].get(key, default)
-        if val is None:
+        if val is None and prefixed:
             val = TEST_DATABASE_PREFIX + settings_dict[prefixed]
         return val
 
@@ -293,7 +293,11 @@ class DatabaseCreation(BaseDatabaseCreation):
         return self._test_settings_get('USER', prefixed='USER')
 
     def _test_database_passwd(self):
-        return self._test_settings_get('PASSWORD', default=PASSWORD)
+        password = self._test_settings_get('PASSWORD')
+        if password is None and self._test_user_create():
+            # Oracle passwords are limited to 30 chars and can't contain symbols.
+            password = get_random_string(length=30)
+        return password
 
     def _test_database_tblspace(self):
         return self._test_settings_get('TBLSPACE', prefixed='NAME')
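Review bot: `_test_database_passwd` now produces a fresh value on each call when no `TEST['PASSWORD']` is configured, because the `get_random_string(length=30)` result is not stored; the `CREATE USER` statement and the later connection as the test user must both read a single saved copy, so the caller that assembles the test-db parameters (outside this hunk) should be confirmed to call this exactly once and persist the value in `settings_dict`. When `_test_user_create()` is false and no password is set the method returns `None` where it previously returned the hardcoded default, so a pre-existing test user without `TEST['PASSWORD']` will now fail at connect time with an opaque driver error rather than a clear configuration message — consider raising a descriptive error in that branch, or at least documenting that `TEST['PASSWORD']` is mandatory when `TEST['CREATE_USER']` is false. The comment on length and symbols is accurate for the default alphabet, but a 30-char alphanumeric string can start with a digit; if the `CREATE USER ... IDENTIFIED BY` statement elsewhere in this file does not double-quote the password, Oracle may reject such a value, so that statement is worth checking.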
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index 17d0830..8da2984 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -767,7 +767,12 @@ Default: ``None``
 This is an Oracle-specific setting.
 
 The password to use when connecting to the Oracle database that will be used
-when running tests. If not provided, Django will use a hardcoded default value.
+when running tests. If not provided, Django will generate a random password.
+
+.. versionchanged:: 1.11
+
+    Older versions used a hardcoded default password. This was also changed
+    in 1.10.3, 1.9.11, and 1.8.16 to fix possible security implications.
 
 .. setting:: TEST_TBLSPACE