[alpine-aports] [PATCH] 3.2-stable/main/django1.5: security fix CVE-2015-8213

Christian Kampka <christian@kampka.net>
Message ID
<1448788962-23145-1-git-send-email-christian@kampka.net>
Sender timestamp
1448788962
DKIM signature
missing
Patch: +68 -5
Fixed a settings leak possibility in the date template filter.
---
 main/py-django1.5/APKBUILD            | 24 +++++++++++++----
 main/py-django1.5/CVE-2015-8213.patch | 49 +++++++++++++++++++++++++++++++++++
 2 files changed, 68 insertions(+), 5 deletions(-)
 create mode 100644 main/py-django1.5/CVE-2015-8213.patch

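--- a/main/py-django1.5/APKBUILD
+++ b/main/py-django1.5/APKBUILD
@@ -3,7 +3,7 @@
 pkgname=py-django1.5
 _pkgname=Django
 pkgver=1.5.12
-pkgrel=0
+pkgrel=1
 pkgdesc="A high-level Python Web framework"
 url="http://djangoproject.com/"
 arch="noarch"
@@ -13,7 +13,18 @@ depends_dev=""
 makedepends="python-dev py-setuptools"
 install=""
 subpackages=""
-source="http://pypi.python.org/packages/source/${_pkgname:0:1}/$_pkgname/$_pkgname-$pkgver.tar.gz"
+source="http://pypi.python.org/packages/source/${_pkgname:0:1}/$_pkgname/$_pkgname-$pkgver.tar.gz
+	CVE-2015-8213.patch
+	"
 
+prepare() {
+	cd "$srcdir"/Django-$pkgver
+	for i in $source; do
+	case $i in
+		*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+		esac
+	done
+}
+
 _builddir="$srcdir"/$_pkgname-$pkgver
 build() {
@@ -26,6 +37,9 @@ package() {
 	python setup.py install --root "$pkgdir" || return 1
 }
 
-md5sums="0e0b48cd0bb59cbc5499dcbb4fe1fb90  Django-1.5.12.tar.gz"
-sha256sums="b3de77beb6e59b72071ca66f20c2ad34e1b90d39b0241e62c1f03c668ddd6ced  Django-1.5.12.tar.gz"
-sha512sums="37736827618737c54e7b63f2376b915d8dc0cdaf1900a2f6c3c9e0edd69e50379f95e3b6a31c930efdca88793b6330e7226175af91951d8637e5db780bc9fd8d  Django-1.5.12.tar.gz"
+md5sums="0e0b48cd0bb59cbc5499dcbb4fe1fb90  Django-1.5.12.tar.gz
+b8697fd93d0b76ae660314b45b65621a  CVE-2015-8213.patch"
+sha256sums="b3de77beb6e59b72071ca66f20c2ad34e1b90d39b0241e62c1f03c668ddd6ced  Django-1.5.12.tar.gz
+0a7e614cc5efac9edaebaad06dce4ad45bf670ab24aceb168ee5c6735f8c8231  CVE-2015-8213.patch"
+sha512sums="37736827618737c54e7b63f2376b915d8dc0cdaf1900a2f6c3c9e0edd69e50379f95e3b6a31c930efdca88793b6330e7226175af91951d8637e5db780bc9fd8d  Django-1.5.12.tar.gz
+15598c2de79bcc1f2e0f48ef95ec294b38f9c11affad4cfd6401825daa6be4a4e5eef5af54bab05824b1155b6dd9203c5fde294dbb7ce83b847b0d2315251909  CVE-2015-8213.patch"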
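Review bot: The new prepare() hardcodes `cd "$srcdir"/Django-$pkgver` while the line directly below it defines `_builddir="$srcdir"/$_pkgname-$pkgver` for the same directory; abuild reads the whole APKBUILD before it calls prepare(), so `cd "$_builddir"` should work there and keeps the two paths from drifting if the tarball name ever changes. The `*.patch` case applies the vendored CVE-2015-8213.patch with `patch -p1 ... || return 1`, which is what makes a rejected hunk abort the build rather than silently packaging an unpatched Django, so that guard is worth keeping on any future patch entries. The three new checksum entries pin the patch file alongside the tarball, so a modified copy of the patch is rejected by abuild before it is ever applied; refresh all three together whenever the patch is updated.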
diff --git a/main/py-django1.5/CVE-2015-8213.patch b/main/py-django1.5/CVE-2015-8213.patch
new file mode 100644
index 0000000..54fe8c2
--- /dev/null
+++ b/main/py-django1.5/CVE-2015-8213.patch
@@ -0,0 +1,49 @@
From 316bc3fc9437c5960c24baceb93c73f1939711e4 Mon Sep 17 00:00:00 2001
From: Florian Apolloner <florian@apolloner.eu>
Date: Wed, 11 Nov 2015 20:10:55 +0100
Subject: [PATCH] Fixed a settings leak possibility in the date template
 filter.

This is a security fix.
---
 django/utils/formats.py  | 20 ++++++++++++++++++++
 1 files changed, 20 insertions(+), 0 deletions(-)

diff --git a/django/utils/formats.py b/django/utils/formats.py
index d2bdda4..8334682 100644
--- a/django/utils/formats.py
+++ b/django/utils/formats.py
@@ -30,6 +30,24 @@
 }


+FORMAT_SETTINGS = frozenset([
+    'DECIMAL_SEPARATOR',
+    'THOUSAND_SEPARATOR',
+    'NUMBER_GROUPING',
+    'FIRST_DAY_OF_WEEK',
+    'MONTH_DAY_FORMAT',
+    'TIME_FORMAT',
+    'DATE_FORMAT',
+    'DATETIME_FORMAT',
+    'SHORT_DATE_FORMAT',
+    'SHORT_DATETIME_FORMAT',
+    'YEAR_MONTH_FORMAT',
+    'DATE_INPUT_FORMATS',
+    'TIME_INPUT_FORMATS',
+    'DATETIME_INPUT_FORMATS',
+])
+
+
 def reset_format_cache():
     """Clear any cached formats.

@@ -92,6 +110,8 @@ def get_format(format_type, lang=None, use_l10n=None):
     be localized (or not), overriding the value of settings.USE_L10N.
     """
     format_type = force_str(format_type)
+    if format_type not in FORMAT_SETTINGS:
+        return format_type
     if use_l10n or (use_l10n is None and settings.USE_L10N):
         if lang is None:
             lang = get_language()
-- 
2.6.2


