| author | Danek Duvall <danek.duvall@oracle.com> |
| Tue, 24 Nov 2015 15:23:56 -0800 | |
| changeset 5127 | ef368afc826b |
| permissions | -rw-r--r-- |
|
5127
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
1 |
https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/ |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
2 |
|
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
3 |
CVE-2015-8213: Fixed settings leak possibility in date template filter |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
4 |
|
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
5 |
If an application allows users to specify an unvalidated format for dates |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
6 |
and passes this format to the date filter, e.g. {{
|
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
7 |
last_updated|date:user_date_format }}, then a malicious user could obtain |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
8 |
any secret in the application's settings by specifying a settings key |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
9 |
instead of a date format. e.g. "SECRET_KEY" instead of "j/m/Y". |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
10 |
|
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
11 |
To remedy this, the underlying function used by the date template filter, |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
12 |
django.utils.formats.get_format(), now only allows accessing the date/time |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
13 |
formatting settings. |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
14 |
|
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
15 |
This is backported from the commit on the 1.7 branch: |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
16 |
|
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
17 |
https://github.com/django/django/commit/8a01c6b53169ee079cb21ac5919fdafcc8c5e172 |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
18 |
|
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
19 |
because upstream is no longer maintaining the 1.4 branch. |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
20 |
|
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
21 |
--- Django-1.4.22/django/utils/formats.py Tue Aug 18 10:17:02 2015 |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
22 |
+++ Django-1.4.22/django/utils/formats.py Tue Nov 24 15:20:12 2015 |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
23 |
@@ -15,6 +15,25 @@ |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
24 |
_format_cache = {}
|
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
25 |
_format_modules_cache = {}
|
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
26 |
|
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
27 |
+ |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
28 |
+FORMAT_SETTINGS = frozenset([ |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
29 |
+ 'DECIMAL_SEPARATOR', |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
30 |
+ 'THOUSAND_SEPARATOR', |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
31 |
+ 'NUMBER_GROUPING', |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
32 |
+ 'FIRST_DAY_OF_WEEK', |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
33 |
+ 'MONTH_DAY_FORMAT', |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
34 |
+ 'TIME_FORMAT', |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
35 |
+ 'DATE_FORMAT', |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
36 |
+ 'DATETIME_FORMAT', |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
37 |
+ 'SHORT_DATE_FORMAT', |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
38 |
+ 'SHORT_DATETIME_FORMAT', |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
39 |
+ 'YEAR_MONTH_FORMAT', |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
40 |
+ 'DATE_INPUT_FORMATS', |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
41 |
+ 'TIME_INPUT_FORMATS', |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
42 |
+ 'DATETIME_INPUT_FORMATS', |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
43 |
+]) |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
44 |
+ |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
45 |
+ |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
46 |
def reset_format_cache(): |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
47 |
"""Clear any cached formats. |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
48 |
|
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
49 |
@@ -66,6 +85,8 @@ |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
50 |
be localized (or not), overriding the value of settings.USE_L10N. |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
51 |
""" |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
52 |
format_type = smart_str(format_type) |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
53 |
+ if format_type not in FORMAT_SETTINGS: |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
54 |
+ return format_type |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
55 |
if use_l10n or (use_l10n is None and settings.USE_L10N): |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
56 |
if lang is None: |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
57 |
lang = get_language() |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
58 |
--- Django-1.4.22/tests/regressiontests/i18n/tests.py.orig Tue Aug 18 10:17:02 2015 |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
59 |
+++ Django-1.4.22/tests/regressiontests/i18n/tests.py Tue Nov 24 15:19:03 2015 |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
60 |
@@ -684,6 +684,10 @@ |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
61 |
self.assertEqual(template2.render(context), output2) |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
62 |
self.assertEqual(template3.render(context), output3) |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
63 |
|
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
64 |
+ def test_format_arbitrary_settings(self): |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
65 |
+ self.assertEqual(get_format('DEBUG'), 'DEBUG')
|
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
66 |
+ |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
67 |
+ |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
68 |
class MiscTests(TestCase): |
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
69 |
|
|
ef368afc826b
22264635 problem in PYTHON-MOD/DJANGO
Danek Duvall <danek.duvall@oracle.com>
parents:
diff
changeset
|
70 |
def setUp(self): |