22264635 problem in PYTHON-MOD/DJANGO
authorDanek Duvall <danek.duvall@oracle.com>
Tue, 24 Nov 2015 15:23:56 -0800
changeset 5127 ef368afc826b
parent 5126 d8d0ebb8ed32
child 5128 218234c0062c
22264635 problem in PYTHON-MOD/DJANGO
components/python/django/Makefile
components/python/django/patches/CVE-2015-8213.patch
--- a/components/python/django/Makefile	Tue Nov 24 13:24:28 2015 -0800
+++ b/components/python/django/Makefile	Tue Nov 24 15:23:56 2015 -0800
@@ -56,11 +56,13 @@
 # locale/__init__.py
 PUBLISH_TRANSFORMS += $(COMPONENT_DIR)/django-locale-transform
 
-# reset the test environment to only contain PATH and PYTHONPATH
+# reset the test environment to only contain PATH, PYTHONPATH, and LC_ALL
+# (because many tests need to be able to access non-ASCII codepoints).
 COMPONENT_TEST_DIR=     $(SOURCE_DIR)/tests
 COMPONENT_TEST_ARGS +=  --settings test_sqlite
 COMPONENT_TEST_ENV=     PYTHONPATH=$(SOURCE_DIR)
 COMPONENT_TEST_ENV +=   PATH=$(PATH)
+COMPONENT_TEST_ENV +=   LC_ALL=en_US.UTF-8
 
 ASLR_MODE = $(ASLR_NOT_APPLICABLE)
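Review bot: The `LC_ALL=en_US.UTF-8` added to COMPONENT_TEST_ENV presumably depends on that locale being installed on the build host; if it is not, the locale lookup falls back to C and the non-ASCII failures the new comment describes would come back with nothing in the test output pointing at the locale. Recording that dependency next to the assignment would help whoever next sees those failures, e.g. `# en_US.UTF-8 must be installed on the build host or the tests fall back to the C locale`. Whether the build environment guarantees the locale cannot be told from this hunk.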
 
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/python/django/patches/CVE-2015-8213.patch	Tue Nov 24 15:23:56 2015 -0800
@@ -0,0 +1,70 @@
+https://www.djangoproject.com/weblog/2015/nov/24/security-releases-issued/
+
+CVE-2015-8213: Fixed settings leak possibility in date template filter
+
+If an application allows users to specify an unvalidated format for dates
+and passes this format to the date filter, e.g. {{
+last_updated|date:user_date_format }}, then a malicious user could obtain
+any secret in the application's settings by specifying a settings key
+instead of a date format. e.g. "SECRET_KEY" instead of "j/m/Y".
+
+To remedy this, the underlying function used by the date template filter,
+django.utils.formats.get_format(), now only allows accessing the date/time
+formatting settings.
+
+This is backported from the commit on the 1.7 branch:
+
+    https://github.com/django/django/commit/8a01c6b53169ee079cb21ac5919fdafcc8c5e172
+
+because upstream is no longer maintaining the 1.4 branch.
+
+--- Django-1.4.22/django/utils/formats.py	Tue Aug 18 10:17:02 2015
++++ Django-1.4.22/django/utils/formats.py	Tue Nov 24 15:20:12 2015
[email protected]@ -15,6 +15,25 @@
+ _format_cache = {}
+ _format_modules_cache = {}
+ 
++
++FORMAT_SETTINGS = frozenset([
++    'DECIMAL_SEPARATOR',
++    'THOUSAND_SEPARATOR',
++    'NUMBER_GROUPING',
++    'FIRST_DAY_OF_WEEK',
++    'MONTH_DAY_FORMAT',
++    'TIME_FORMAT',
++    'DATE_FORMAT',
++    'DATETIME_FORMAT',
++    'SHORT_DATE_FORMAT',
++    'SHORT_DATETIME_FORMAT',
++    'YEAR_MONTH_FORMAT',
++    'DATE_INPUT_FORMATS',
++    'TIME_INPUT_FORMATS',
++    'DATETIME_INPUT_FORMATS',
++])
++
++
+ def reset_format_cache():
+     """Clear any cached formats.
+ 
[email protected]@ -66,6 +85,8 @@
+     be localized (or not), overriding the value of settings.USE_L10N.
+     """
+     format_type = smart_str(format_type)
++    if format_type not in FORMAT_SETTINGS:
++        return format_type
+     if use_l10n or (use_l10n is None and settings.USE_L10N):
+         if lang is None:
+             lang = get_language()
+--- Django-1.4.22/tests/regressiontests/i18n/tests.py.orig	Tue Aug 18 10:17:02 2015
++++ Django-1.4.22/tests/regressiontests/i18n/tests.py	Tue Nov 24 15:19:03 2015
[email protected]@ -684,6 +684,10 @@
+                 self.assertEqual(template2.render(context), output2)
+                 self.assertEqual(template3.render(context), output3)
+ 
++    def test_format_arbitrary_settings(self):
++        self.assertEqual(get_format('DEBUG'), 'DEBUG')
++
++
+ class MiscTests(TestCase):
+ 
+     def setUp(self):
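Review bot: FORMAT_SETTINGS in the first hunk of the new patch carries no comment explaining its role, so the early return it feeds in get_format() reads as an arbitrary no-op without the patch header for context; a comment above the frozenset such as `# Settings get_format() may resolve; any other format_type is returned as-is so a caller-supplied name cannot read arbitrary settings (CVE-2015-8213).` would keep the reason with the code. The test added in the third hunk only pins the pass-through for 'DEBUG'; a second assertion that a listed name still resolves, e.g. `self.assertEqual(get_format('DATE_FORMAT', use_l10n=False), settings.DATE_FORMAT)`, would catch a typo in the list silently turning a real format setting into a literal, assuming `settings` is available in that test module. The second file header names the old side `tests.py.orig` while the first uses matching old/new paths; GNU patch will likely still pick the right file, but consistent headers avoid depending on that. Both get_format() and the TestCase class that receives test_format_arbitrary_settings begin outside their hunks.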