24737607 problem in PYTHON-MOD/DJANGO s11u3-sru
authorDrew Fisher <drew.fisher@oracle.com>
Thu, 29 Sep 2016 08:21:19 -0700
branchs11u3-sru
changeset 7115 0c932cebfc40
parent 7110 eef24b4f8a52
child 7127 0d23504d93cf
24737607 problem in PYTHON-MOD/DJANGO
components/python/django/patches/CVE-2016-7401.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/python/django/patches/CVE-2016-7401.patch	Thu Sep 29 08:21:19 2016 -0700
@@ -0,0 +1,74 @@
+Modification of the following patch for Django 1.8.15.
+
+Differences include:
+
+* moving from django/http/cookie.py (1.8.15) to
+  django/http/__init__.py (1.4.22)
+
+* changing the import of django.utils.encoding.force_str (1.8.15) to
+  django.utils.encoding.smart_str (1.4.22) since the former does not
+  exist in the 1.4.22 codebase.
+
+commit 6118ab7d0676f0d622278e5be215f14fb5410b6a
+Author: Collin Anderson <[email protected]>
+Date:   Fri Mar 11 21:36:08 2016 -0500
+
+    [1.8.x] Fixed CVE-2016-7401 -- Fixed CSRF protection bypass on a site with Google Analytics.
+
+    This is a security fix.
+
+    Backport of "refs #26158 -- rewrote http.parse_cookie() to better match
+    browsers." 93a135d111c2569d88d65a3f4ad9e6d9ad291452 from master
+
+
+--- Django-1.4.22/django/http/__init__.py.orig 2016-09-29 08:02:02.861465688 -0700
++++ Django-1.4.22/django/http/__init__.py 2016-09-29 08:13:27.662250171 -0700
+
[email protected]@ -26,6 +26,10 @@ except ImportError:
+         from cgi import parse_qsl
+
+ import Cookie
++from django.utils import six
++from django.utils.encoding import smart_str
++from django.utils.six.moves import http_cookies
++
+ # httponly support exists in Python 2.6's Cookie library,
+ # but not in Python 2.5.
+ _morsel_supports_httponly = 'httponly' in Cookie.Morsel._reserved
[email protected]@ -545,20 +549,23 @@ class QueryDict(MultiValueDict):
+         return '&'.join(output)
+
+ def parse_cookie(cookie):
+-    if cookie == '':
+-        return {}
+-    if not isinstance(cookie, Cookie.BaseCookie):
+-        try:
+-            c = SimpleCookie()
+-            c.load(cookie)
+-        except Cookie.CookieError:
+-            # Invalid cookie
+-            return {}
+-    else:
+-        c = cookie
++    """
++    Return a dictionary parsed from a `Cookie:` header string.
++    """
+     cookiedict = {}
+-    for key in c.keys():
+-        cookiedict[key] = c.get(key).value
++    if six.PY2:
++        cookie = smart_str(cookie)
++    for chunk in cookie.split(str(';')):
++        if str('=') in chunk:
++            key, val = chunk.split(str('='), 1)
++        else:
++            # Assume an empty name per
++            # https://bugzilla.mozilla.org/show_bug.cgi?id=169091
++            key, val = str(''), chunk
++        key, val = key.strip(), val.strip()
++        if key or val:
++            # unquote using Python's algorithm.
++            cookiedict[key] = http_cookies._unquote(val)
+     return cookiedict
+
+ class BadHeaderError(ValueError):