# HG changeset patch
# User Danek Duvall
# Date 1448407436 28800
# Node ID ef368afc826bf0688f6729e5ff6f6448cd58a168
# Parent d8d0ebb8ed32428bcda7fadd90305555433d0344
22264635 problem in PYTHON-MOD/DJANGO
diff -r d8d0ebb8ed32 -r ef368afc826b components/python/django/Makefile
--- a/components/python/django/Makefile Tue Nov 24 13:24:28 2015 -0800
+++ b/components/python/django/Makefile Tue Nov 24 15:23:56 2015 -0800
@@ -56,11 +56,13 @@
 # locale/__init__.py
 PUBLISH_TRANSFORMS += $(COMPONENT_DIR)/django-locale-transform
-# reset the test environment to only contain PATH and PYTHONPATH
+# reset the test environment to only contain PATH, PYTHONPATH, and LC_ALL
+# (because many tests need to be able to access non-ASCII codepoints).
 COMPONENT_TEST_DIR= $(SOURCE_DIR)/tests
 COMPONENT_TEST_ARGS += --settings test_sqlite
 COMPONENT_TEST_ENV= PYTHONPATH=$(SOURCE_DIR)
 COMPONENT_TEST_ENV += PATH=$(PATH)
+COMPONENT_TEST_ENV += LC_ALL=en_US.UTF-8
 ASLR_MODE = $(ASLR_NOT_APPLICABLE)
diff -r d8d0ebb8ed32 -r ef368afc826b components/python/django/patches/CVE-2015-8213.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/python/django/patches/CVE-2015-8213.patch Tue Nov 24 15:23:56 2015 -0800
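Review bot: The new `COMPONENT_TEST_ENV += LC_ALL=en_US.UTF-8` line pins a specific locale name without saying that the build host must have it installed; if it is absent, the C runtime presumably rejects the setlocale call and Python 2 falls back to the ASCII codec, so the non-ASCII tests the comment mentions would fail with an obscure UnicodeEncodeError rather than a clear message. Consider extending the new comment with `# NOTE: en_US.UTF-8 must be installed on the build host; a missing locale quietly falls back to ASCII.` Whether the userland build environment already guarantees that locale is not visible from this hunk.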
@@ -0,0 +1,70 @@
+https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/
+
+CVE-2015-8213: Fixed settings leak possibility in date template filter
+
+If an application allows users to specify an unvalidated format for dates
+and passes this format to the date filter, e.g. {{
+last_updated|date:user_date_format }}, then a malicious user could obtain
+any secret in the application's settings by specifying a settings key
+instead of a date format. e.g. "SECRET_KEY" instead of "j/m/Y".
+
+To remedy this, the underlying function used by the date template filter,
+django.utils.formats.get_format(), now only allows accessing the date/time
+formatting settings.
+
+This is backported from the commit on the 1.7 branch:
+
+ https://github.com/django/django/commit/8a01c6b53169ee079cb21ac5919fdafcc8c5e172
+
+because upstream is no longer maintaining the 1.4 branch.
+
+--- Django-1.4.22/django/utils/formats.py Tue Aug 18 10:17:02 2015
++++ Django-1.4.22/django/utils/formats.py Tue Nov 24 15:20:12 2015
+@@ -15,6 +15,25 @@
+ _format_cache = {}
+ _format_modules_cache = {}
++
++FORMAT_SETTINGS = frozenset([
++ 'DECIMAL_SEPARATOR',
++ 'THOUSAND_SEPARATOR',
++ 'NUMBER_GROUPING',
++ 'FIRST_DAY_OF_WEEK',
++ 'MONTH_DAY_FORMAT',
++ 'TIME_FORMAT',
++ 'DATE_FORMAT',
++ 'DATETIME_FORMAT',
++ 'SHORT_DATE_FORMAT',
++ 'SHORT_DATETIME_FORMAT',
++ 'YEAR_MONTH_FORMAT',
++ 'DATE_INPUT_FORMATS',
++ 'TIME_INPUT_FORMATS',
++ 'DATETIME_INPUT_FORMATS',
++])
++
++
+ def reset_format_cache():
+ """Clear any cached formats.
+
+@@ -66,6 +85,8 @@
+ be localized (or not), overriding the value of settings.USE_L10N.
+ """ + format_type = smart_str(format_type) ++ if format_type not in FORMAT_SETTINGS: ++ return format_type + if use_l10n or (use_l10n is None and settings.USE_L10N): + if lang is None: + lang = get_language() +--- Django-1.4.22/tests/regressiontests/i18n/tests.py.orig Tue Aug 18 10:17:02 2015 ++++ Django-1.4.22/tests/regressiontests/i18n/tests.py Tue Nov 24 15:19:03 2015 +@@ -684,6 +684,10 @@ + self.assertEqual(template2.render(context), output2) + self.assertEqual(template3.render(context), output3) + ++ def test_format_arbitrary_settings(self): ++ self.assertEqual(get_format('DEBUG'), 'DEBUG') ++ ++ + class MiscTests(TestCase): + + def setUp(self):