[Django/el6] update to 1.3.7 to fix CVE-2013-0305, CVE-2013-0306
Matthias Runge
mrunge at fedoraproject.org
Thu Feb 21 09:25:26 UTC 2013
commit b7691f4be3a638461b7911ec02bfc39edce320aa
Author: Matthias Runge <mrunge at redhat.com>
Date: Thu Feb 21 10:24:56 2013 +0100
update to 1.3.7 to fix CVE-2013-0305, CVE-2013-0306
.gitignore | 1 +
Django.spec | 31 ++++---
...missed-poisoned-host-header-test-material.patch | 98 ++++++++++++++++++++
django13-Fixed-a-security-issue-in-get_host.patch | 74 +++++++++++++++
sources | 2 +-
5 files changed, 191 insertions(+), 15 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 0887379..f098a8e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@
/Django-1.3.1.tar.gz
/Django-1.3.2.tar.gz
/Django-1.3.4.tar.gz
+/Django-1.3.7.tar.gz
diff --git a/Django.spec b/Django.spec
index 34c2635..75be4b6 100644
--- a/Django.spec
+++ b/Django.spec
@@ -2,7 +2,7 @@
%{!?pyver: %define pyver %(%{__python} -c "import sys ; print sys.version[:3]")}
Name: Django
-Version: 1.3.4
+Version: 1.3.7
Release: 1%{?dist}
Summary: A high-level Python Web framework
@@ -13,13 +13,16 @@ Source0: http://media.djangoproject.com/releases/1.3/Django-%{version}.ta
# stub simplejson module that imports the system version
Source1: simplejson-init.py
Patch0: django-1.3.1-doc-sphinx.patch
-BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildArch: noarch
# Note: No longer required in development version > 0.95
# BuildRequires: python-setuptools
BuildRequires: python-devel
+%if 0%{?rhel} == 6
BuildRequires: python-sphinx10
+%else
+BuildRequires: python-sphinx
+%endif
Requires: python-simplejson
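Review bot: The two patch files this commit adds, `django13-Added-missed-poisoned-host-header-test-material.patch` and `django13-Fixed-a-security-issue-in-get_host.patch`, are never declared in the spec — the only declaration is the existing `Patch0: django-1.3.1-doc-sphinx.patch` visible here and the single `%patch0` in `%prep` — so they have no effect on the build. Their content is upstream's get_host hardening from Oct/Nov 2012, which the changelog's Dec 2012 entry already describes as merged from upstream 1.3.5, so the 1.3.7 tarball presumably contains it and the files are dead weight. If they are still needed, declare them as `Patch1:`/`Patch2:` next to `Patch0` and apply them with `%patch1 -p1` and `%patch2 -p1` in `%prep` (both use `a/`/`b/` prefixes); otherwise drop them rather than shipping unused patch files alongside a security update.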
@@ -30,7 +33,6 @@ development and a clean, pragmatic design. It focuses on automating as
much as possible and adhering to the DRY (Don't Repeat Yourself)
principle.
-%if 0%{?rhel} > 4 || 0%{?fedora} >= 12
%package doc
Summary: Documentation for Django
Group: Documentation
@@ -41,12 +43,12 @@ Obsoletes: %{name}-docs < %{version}-%{release}
%description doc
This package contains the documentation for the Django high-level
Python Web framework.
-%endif
%prep
%setup -q
%patch0
+
# remove bundled simplejson
cd django/utils/simplejson/
rm -rf *
@@ -72,7 +74,11 @@ rm -rf $RPM_BUILD_ROOT
>> %{name}.lang
# build documentation
+%if 0%{?rhel} == 6
(cd docs && mkdir djangohtml && mkdir -p _build/{doctrees,html} && make SPHINXBUILD=sphinx-1.0-build html)
+%else
+(cd docs && mkdir djangohtml && mkdir -p _build/{doctrees,html} && make SPHINXBUILD=sphinx-build html)
+%endif
# install man pages
mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1/
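Review bot: The `%if 0%{?rhel} == 6` test is now written twice — once around `BuildRequires: python-sphinx10` in the hunk above and once here around two otherwise identical `make ... html` commands — so the two can drift apart when another target is added. A single conditional near the top that sets a macro, e.g. `%global sphinx_build sphinx-1.0-build` on el6 and `%global sphinx_build sphinx-build` otherwise, lets this hunk collapse to one line, `(cd docs && mkdir djangohtml && mkdir -p _build/{doctrees,html} && make SPHINXBUILD=%{sphinx_build} html)`. The enclosing `%install` section starts outside the hunk.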
@@ -91,9 +97,6 @@ chmod +x \
$RPM_BUILD_ROOT%{python_sitelib}/django/bin/profiling/gather_profile_stats.py*
-%clean
-rm -rf $RPM_BUILD_ROOT
-
%files -f %{name}.lang
%defattr(-,root,root,-)
@@ -180,21 +183,21 @@ rm -rf $RPM_BUILD_ROOT
%{python_sitelib}/*.egg-info
%endif
-%if 0%{?fedora} > 0 && 0%{?fedora} <= 9
-%ghost %{_bindir}/django-admin.pyc
-%ghost %{_bindir}/django-admin.pyo
-%endif
-# -----------------
-%if 0%{?rhel} > 4 || 0%{?fedora} >= 12
%files doc
%defattr(-,root,root,-)
%doc docs/_build/html/*
-%endif
%changelog
+* Thu Feb 21 2013 Matthias Runge <mrunge at redhat.com> - 1.3.7-1
+- update fix CVE-2013-0305, CVE-2013-0306
+
+* Tue Dec 11 2012 Matthias Runge <mrunge at redhat.com> - 1.3.4-1
+- Merged in security update from upstream version 1.3.5
+ https://www.djangoproject.com/weblog/2012/dec/10/security/
+
* Thu Oct 18 2012 Matthias Runge <mrunge at redhat.com> - 1.3.4-1
- security release
https://www.djangoproject.com/weblog/2012/oct/17/security/
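Review bot: The added `* Tue Dec 11 2012 ... - 1.3.4-1` changelog entry reuses the same EVR `1.3.4-1` as the Oct 18 2012 entry directly below it, so two distinct updates claim one release; the Dec entry should carry the release it actually shipped as (presumably `1.3.4-2`). The new top entry `- update fix CVE-2013-0305, CVE-2013-0306` also reads awkwardly and, unlike both entries below it, does not cite the upstream security announcement; `- update to 1.3.7 to fix CVE-2013-0305, CVE-2013-0306` followed by the announcement URL on the next line would match the existing entries' style and let readers confirm the full scope of the upstream release.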
diff --git a/django13-Added-missed-poisoned-host-header-test-material.patch b/django13-Added-missed-poisoned-host-header-test-material.patch
new file mode 100644
index 0000000..ced4dde
--- /dev/null
+++ b/django13-Added-missed-poisoned-host-header-test-material.patch
@@ -0,0 +1,98 @@
+commit 6383d2358c1077b16b13eb6e6975d7a200ed7285
+Author: Preston Holmes <preston at ptone.com>
+Date: Thu Oct 18 11:21:54 2012 -0700
+
+ Added missed poisoned host header test material
+
+diff --git a/tests/regressiontests/requests/tests.py b/tests/regressiontests/requests/tests.py
+index cd488e2..19713b6 100644
+--- a/tests/regressiontests/requests/tests.py
++++ b/tests/regressiontests/requests/tests.py
+@@ -4,6 +4,7 @@ from StringIO import StringIO
+
+ from django.conf import settings
+ from django.core.handlers.modpython import ModPythonRequest
++from django.core.exceptions import SuspiciousOperation
+ from django.core.handlers.wsgi import WSGIRequest, LimitedStream
+ from django.http import HttpRequest, HttpResponse, parse_cookie
+ from django.utils import unittest
+@@ -101,6 +102,39 @@ class RequestsTests(unittest.TestCase):
+ }
+ self.assertEqual(request.get_host(), 'internal.com:8042')
+
++ # Poisoned host headers are rejected as suspicious
++ legit_hosts = [
++ 'example.com',
++ 'example.com:80',
++ '12.34.56.78',
++ '12.34.56.78:443',
++ '[2001:19f0:feee::dead:beef:cafe]',
++ '[2001:19f0:feee::dead:beef:cafe]:8080',
++ ]
++
++ poisoned_hosts = [
++ 'example.com at evil.tld',
++ 'example.com:dr.frankenstein at evil.tld',
++ 'example.com:someone at somestie.com:80',
++ 'example.com:80/badpath'
++ ]
++
++ for host in legit_hosts:
++ request = HttpRequest()
++ request.META = {
++ 'HTTP_HOST': host,
++ }
++ request.get_host()
++
++ for host in poisoned_hosts:
++ def test_host_poisoning():
++ request = HttpRequest()
++ request.META = {
++ 'HTTP_HOST': host,
++ }
++ request.get_host()
++ self.assertRaises(SuspiciousOperation, test_host_poisoning)
++
+ finally:
+ settings.USE_X_FORWARDED_HOST = old_USE_X_FORWARDED_HOST
+
+@@ -145,6 +179,39 @@ class RequestsTests(unittest.TestCase):
+ }
+ self.assertEqual(request.get_host(), 'internal.com:8042')
+
++ # Poisoned host headers are rejected as suspicious
++ legit_hosts = [
++ 'example.com',
++ 'example.com:80',
++ '12.34.56.78',
++ '12.34.56.78:443',
++ '[2001:19f0:feee::dead:beef:cafe]',
++ '[2001:19f0:feee::dead:beef:cafe]:8080',
++ ]
++
++ poisoned_hosts = [
++ 'example.com at evil.tld',
++ 'example.com:dr.frankenstein at evil.tld',
++ 'example.com:dr.frankenstein at evil.tld:80',
++ 'example.com:80/badpath'
++ ]
++
++ for host in legit_hosts:
++ request = HttpRequest()
++ request.META = {
++ 'HTTP_HOST': host,
++ }
++ request.get_host()
++
++ for host in poisoned_hosts:
++ def test_host_poisoning():
++ request = HttpRequest()
++ request.META = {
++ 'HTTP_HOST': host,
++ }
++ request.get_host()
++ self.assertRaises(SuspiciousOperation, test_host_poisoning)
++
+ finally:
+ settings.USE_X_FORWARDED_HOST = old_USE_X_FORWARDED_HOST
+
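Review bot: The poisoned-host test strings in this new patch file appear here as `'example.com at evil.tld'` and `'example.com:dr.frankenstein at evil.tld'`, and the `Author:` lines likewise read `preston at ptone.com`, which looks like the mailing-list archive's address munging of `@` rather than the committed bytes. If the committed file really contains ` at `, none of these cases exercise the userinfo separator that the get_host check is meant to reject, and the same applies to the `poisoned_hosts` entries in `django13-Fixed-a-security-issue-in-get_host.patch` below; verify the files in the repository keep a literal `@` before relying on them. The leading indentation of the patch body is also lost in this rendering, so it would not apply as shown.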
diff --git a/django13-Fixed-a-security-issue-in-get_host.patch b/django13-Fixed-a-security-issue-in-get_host.patch
new file mode 100644
index 0000000..ae0f3b6
--- /dev/null
+++ b/django13-Fixed-a-security-issue-in-get_host.patch
@@ -0,0 +1,74 @@
+commit 2da4ace0bc1bc1d79bf43b368cb857f6f0cd6b1b
+Author: Florian Apolloner <florian at apolloner.eu>
+Date: Tue Nov 27 22:27:14 2012 +0100
+
+ [1.3.X] Fixed a security issue in get_host.
+
+ Full disclosure and new release forthcoming.
+
+diff --git a/django/http/__init__.py b/django/http/__init__.py
+index dddd9a8..a80750b 100644
+--- a/django/http/__init__.py
++++ b/django/http/__init__.py
+@@ -129,6 +129,8 @@ from utils import *
+ RESERVED_CHARS="!*'();:@&=+$,/?%#[]"
+
+ absolute_http_url_re = re.compile(r"^https?://", re.I)
++host_validation_re = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9:]+\])(:\d+)?$")
++
+
+ class Http404(Exception):
+ pass
+@@ -167,7 +169,7 @@ class HttpRequest(object):
+ host = '%s:%s' % (host, server_port)
+
+ # Disallow potentially poisoned hostnames.
+- if set(';/?@&=+$,').intersection(host):
++ if not host_validation_re.match(host.lower()):
+ raise SuspiciousOperation('Invalid HTTP_HOST header: %s' % host)
+
+ return host
+diff --git a/tests/regressiontests/requests/tests.py b/tests/regressiontests/requests/tests.py
+index 19713b6..bbd2280 100644
+--- a/tests/regressiontests/requests/tests.py
++++ b/tests/regressiontests/requests/tests.py
+@@ -1,3 +1,4 @@
++# -*- coding: utf-8 -*-
+ import time
+ from datetime import datetime, timedelta
+ from StringIO import StringIO
+@@ -110,13 +111,15 @@ class RequestsTests(unittest.TestCase):
+ '12.34.56.78:443',
+ '[2001:19f0:feee::dead:beef:cafe]',
+ '[2001:19f0:feee::dead:beef:cafe]:8080',
++ 'xn--4ca9at.com', # Punnycode for öäü.com
+ ]
+
+ poisoned_hosts = [
+ 'example.com at evil.tld',
+ 'example.com:dr.frankenstein at evil.tld',
+- 'example.com:someone at somestie.com:80',
+- 'example.com:80/badpath'
++ 'example.com:dr.frankenstein at evil.tld:80',
++ 'example.com:80/badpath',
++ 'example.com: recovermypassword.com',
+ ]
+
+ for host in legit_hosts:
+@@ -187,13 +190,15 @@ class RequestsTests(unittest.TestCase):
+ '12.34.56.78:443',
+ '[2001:19f0:feee::dead:beef:cafe]',
+ '[2001:19f0:feee::dead:beef:cafe]:8080',
++ 'xn--4ca9at.com', # Punnycode for öäü.com
+ ]
+
+ poisoned_hosts = [
+ 'example.com at evil.tld',
+ 'example.com:dr.frankenstein at evil.tld',
+ 'example.com:dr.frankenstein at evil.tld:80',
+- 'example.com:80/badpath'
++ 'example.com:80/badpath',
++ 'example.com: recovermypassword.com',
+ ]
+
+ for host in legit_hosts:
diff --git a/sources b/sources
index 6b3f81b..ccb3a7b 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-9a610a40ee5fcc4ca283fb499e265936 Django-1.3.4.tar.gz
+f6720daa392d73d4df8847b41909fd43 Django-1.3.7.tar.gz