components/python/django/patches/CVE-2016-2512.patch
author Drew Fisher <drew.fisher@oracle.com>
Thu, 10 Mar 2016 13:27:59 -0800
changeset 5578 fd608d60ca64
permissions -rw-r--r--
22852949 problem in PYTHON-MOD/DJANGO 22852962 problem in PYTHON-MOD/DJANGO
     1
Patches taken from:
     2
https://github.com/django/django/commit/382ab137312961ad62feb8109d70a5a581fe8350
     3
https://github.com/django/django/commit/552f03869ea7f3072b3fa19ffb6cb2d957fd8447
     4
     5
This is fixed in Django 1.8.11 and 1.9.4
     6
     7
--- Django-1.4.22/django/utils/http.py.orig   2016-03-09 19:31:50.474600452 -0800
     8
+++ Django-1.4.22/django/utils/http.py     2016-03-09 19:37:10.433043007 -0800
     9
@@ -7,8 +7,9 @@ import urlparse
    10
 import unicodedata
    11
 from email.utils import formatdate
    12
    13
+from django.utils import six
    14
 from django.utils.datastructures import MultiValueDict
    15
-from django.utils.encoding import smart_str, force_unicode
    16
+from django.utils.encoding import smart_str, force_unicode, force_text
    17
 from django.utils.functional import allow_lazy
    18
    19
 ETAG_MATCH = re.compile(r'(?:W/)?"((?:\\.|[^"])*)"')
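Review bot: The rewritten `+from django.utils.encoding import smart_str, force_unicode, force_text` line adds `force_text` next to `force_unicode`, and I cannot confirm from this page that Django-1.4.22's `django.utils.encoding` exports `force_text`, since `force_unicode` is the established name in the 1.4 series; the patch should be checked to import cleanly, and if it does not, `force_unicode` is the drop-in replacement for the later `force_text(url)` call in the second hunk. The same caveat applies to `+from django.utils import six`, which I believe the 1.4 line gained only partway through its point releases; presumably 1.4.22 carries it. A short comment on the import, such as `# six/force_text: used by is_safe_url() to reject undecodable byte input (CVE-2016-2512)`, would tell a later backporter why these two names were pulled in.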
    20
@@ -237,8 +238,16 @@ def is_safe_url(url, host=None):
    21
         url = url.strip()
    22
     if not url:
    23
         return False
    24
-    # Chrome treats \ completely as /
    25
-    url = url.replace('\\', '/')
    26
+    if six.PY2:
    27
+        try:
    28
+            url = force_text(url)
    29
+        except UnicodeDecodeError:
    30
+            return False
    31
+    # Chrome treats \ completely as / in paths but it could be part of some
    32
+    # basic auth credentials so we need to check both URLs.
    33
+    return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host)
    34
+
    35
+def _is_safe_url(url, host):
    36
     # Chrome considers any URL with more than two slashes to be absolute, but
    37
     # urlaprse is not so flexible. Treat any url with three slashes as unsafe.
    38
     if url.startswith('///'):
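Review bot: The new `_is_safe_url(url, host)` helper is introduced without a docstring, and `is_safe_url`'s own docstring, which sits above this hunk, no longer describes two new outcomes: byte input that does not decode now yields False via the `except UnicodeDecodeError` branch, and the URL is evaluated twice, once as given and once with backslashes folded to slashes, so that a `\` inside basic-auth credentials cannot smuggle a foreign host past the check. Suggest giving the helper `"""Check one spelling of url; is_safe_url() runs this on both the raw and the backslash-folded form."""` and adding a sentence to `is_safe_url`'s docstring stating that undecodable byte strings are rejected. Both functions extend past the hunk: `is_safe_url` begins before the first context line, and `_is_safe_url`'s body continues after the `if url.startswith('///'):` line, so the unchanged scheme/host comparison it relies on is not visible here. Returning False on a decode error is the right failure direction for a redirect-target check, and the `'àview'.encode('latin-1')` case in the test file pins it.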
    39
    40
    41
--- Django-1.4.22/tests/regressiontests/utils/http.py.orig   2016-03-09 19:40:41.664196629 -0800
    42
+++ Django-1.4.22/tests/regressiontests/utils/http.py     2016-03-09 19:42:38.347335015 -0800
    43
@@ -1,3 +1,6 @@
    44
+# -*- encoding: utf-8 -*-
    45
+from __future__ import unicode_literals
    46
+
    47
 import sys
    48
    49
 from django.utils import http
    50
@@ -100,6 +103,11 @@ class TestUtilsHttp(unittest.TestCase):
    51
                         'javascript:alert("XSS")'
    52
                         '\njavascript:alert(x)',
    53
                         '\x08//example.com',
    54
+                        r'http://otherserver\@example.com',
    55
+                        r'http:\\testserver\@example.com',
    56
+                        r'http://testserver\me:[email protected]',
    57
+                        r'http://testserver\@example.com',
    58
+                        r'http:\\testserver\confirm\[email protected]',
    59
                         '\n'):
    60
             self.assertFalse(http.is_safe_url(bad_url, host='testserver'), "%s should be blocked" % bad_url)
    61
         for good_url in ('/view/?param=http://example.com',
    62
@@ -109,5 +117,14 @@ class TestUtilsHttp(unittest.TestCase):
    63
                      'https://testserver/',
    64
                      'HTTPS://testserver/',
    65
                      '//testserver/',
    66
+                     'http://testserver/[email protected]',
    67
                      '/url%20with%20spaces/'):
    68
             self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url)
    69
+        self.assertFalse(http.is_safe_url('àview'.encode('latin-1'), host='testserver'))
    70
+
    71
+        # Valid basic auth credentials are allowed.
    72
+        self.assertTrue(http.is_safe_url(r'http://user:pass@testserver/', host='user:pass@testserver'))
    73
+        # A path without host is allowed.
    74
+        self.assertTrue(http.is_safe_url('/confirm/[email protected]'))
    75
+        # Basic auth without host is not allowed.
    76
+        self.assertFalse(http.is_safe_url(r'http://testserver\@example.com'))