--- a/components/python/django/Makefile Tue Nov 24 13:24:28 2015 -0800
+++ b/components/python/django/Makefile Tue Nov 24 15:23:56 2015 -0800
@@ -56,11 +56,13 @@
# locale/__init__.py
PUBLISH_TRANSFORMS += $(COMPONENT_DIR)/django-locale-transform
-# reset the test environment to only contain PATH and PYTHONPATH
+# reset the test environment to only contain PATH, PYTHONPATH, and LC_ALL
+# (because many tests need to be able to access non-ASCII codepoints).
COMPONENT_TEST_DIR= $(SOURCE_DIR)/tests
COMPONENT_TEST_ARGS += --settings test_sqlite
COMPONENT_TEST_ENV= PYTHONPATH=$(SOURCE_DIR)
COMPONENT_TEST_ENV += PATH=$(PATH)
+COMPONENT_TEST_ENV += LC_ALL=en_US.UTF-8
ASLR_MODE = $(ASLR_NOT_APPLICABLE)
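Review bot: The added `COMPONENT_TEST_ENV += LC_ALL=en_US.UTF-8` line hard-codes a locale that the build host must have installed, and nothing in the hunk records that requirement. If the locale is missing, the tests will likely run under the C locale and the non-ASCII cases will fail for a reason unrelated to the Django patch. I would extend the comment above the block with `# (requires the en_US.UTF-8 locale to be installed on the build machine)` so a failing test run can be traced to the environment.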
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/python/django/patches/CVE-2015-8213.patch Tue Nov 24 15:23:56 2015 -0800
@@ -0,0 +1,70 @@
+https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/
+
+CVE-2015-8213: Fixed settings leak possibility in date template filter
+
+If an application allows users to specify an unvalidated format for dates
+and passes this format to the date filter, e.g. {{
+last_updated|date:user_date_format }}, then a malicious user could obtain
+any secret in the application's settings by specifying a settings key
+instead of a date format. e.g. "SECRET_KEY" instead of "j/m/Y".
+
+To remedy this, the underlying function used by the date template filter,
+django.utils.formats.get_format(), now only allows accessing the date/time
+formatting settings.
+
+This is backported from the commit on the 1.7 branch:
+
+ https://github.com/django/django/commit/8a01c6b53169ee079cb21ac5919fdafcc8c5e172
+
+because upstream is no longer maintaining the 1.4 branch.
+
+--- Django-1.4.22/django/utils/formats.py Tue Aug 18 10:17:02 2015
++++ Django-1.4.22/django/utils/formats.py Tue Nov 24 15:20:12 2015
+@@ -15,6 +15,25 @@
+ _format_cache = {}
+ _format_modules_cache = {}
+
++
++FORMAT_SETTINGS = frozenset([
++ 'DECIMAL_SEPARATOR',
++ 'THOUSAND_SEPARATOR',
++ 'NUMBER_GROUPING',
++ 'FIRST_DAY_OF_WEEK',
++ 'MONTH_DAY_FORMAT',
++ 'TIME_FORMAT',
++ 'DATE_FORMAT',
++ 'DATETIME_FORMAT',
++ 'SHORT_DATE_FORMAT',
++ 'SHORT_DATETIME_FORMAT',
++ 'YEAR_MONTH_FORMAT',
++ 'DATE_INPUT_FORMATS',
++ 'TIME_INPUT_FORMATS',
++ 'DATETIME_INPUT_FORMATS',
++])
++
++
+ def reset_format_cache():
+ """Clear any cached formats.
+
+@@ -66,6 +85,8 @@
+ be localized (or not), overriding the value of settings.USE_L10N.
+ """
+ format_type = smart_str(format_type)
++ if format_type not in FORMAT_SETTINGS:
++ return format_type
+ if use_l10n or (use_l10n is None and settings.USE_L10N):
+ if lang is None:
+ lang = get_language()
+--- Django-1.4.22/tests/regressiontests/i18n/tests.py.orig Tue Aug 18 10:17:02 2015
++++ Django-1.4.22/tests/regressiontests/i18n/tests.py Tue Nov 24 15:19:03 2015
+@@ -684,6 +684,10 @@
+ self.assertEqual(template2.render(context), output2)
+ self.assertEqual(template3.render(context), output3)
+
++ def test_format_arbitrary_settings(self):
++ self.assertEqual(get_format('DEBUG'), 'DEBUG')
++
++
+ class MiscTests(TestCase):
+
+ def setUp(self):
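Review bot: The regression test added in the tests.py hunk only checks that a rejected key is echoed back (`get_format('DEBUG')`), under whatever USE_L10N state the test class happens to run with. Because the allowlist is copied from the 1.7 branch, a format key missing from FORMAT_SETTINGS would now silently return its own name rather than the setting. A positive case would catch that, for example `self.assertEqual(get_format('DATE_FORMAT', use_l10n=False), settings.DATE_FORMAT)`, assuming `settings` is already imported in that module. Adding `self.assertEqual(get_format('DEBUG', use_l10n=False), 'DEBUG')` would also show that the guard holds on the non-localized return path. The body of get_format() and the enclosing test class both extend outside the hunks shown, so this is based only on the visible lines.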