Mail archive
alpine-aports

[alpine-aports] [PATCH] 3.1-stable/main/django: security fix CVE-2015-8213

From: Christian Kampka <christian_at_kampka.net>
Date: Sun, 29 Nov 2015 10:36:04 +0100

Fixed a settings leak possibility in the date template filter.
---
 main/py-django/APKBUILD            | 25 ++++++++++++---
 main/py-django/CVE-2015-8213.patch | 63 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 83 insertions(+), 5 deletions(-)
 create mode 100644 main/py-django/CVE-2015-8213.patch
diff --git a/main/py-django/APKBUILD b/main/py-django/APKBUILD
index 74dd243..6c77db4 100644
--- a/main/py-django/APKBUILD
+++ b/main/py-django/APKBUILD
_at_@ -3,7 +3,7 @@
 pkgname=py-django
 _pkgname=Django
 pkgver=1.7.9
-pkgrel=0
+pkgrel=1
 pkgdesc="A high-level Python Web framework"
 url="http://djangoproject.com/"
 arch="noarch"
_at_@ -13,7 +13,19 @@ depends_dev=""
 makedepends="python-dev py-setuptools"
 install=""
 subpackages=""
-source="http://pypi.python.org/packages/source/${_pkgname:0:1}/$_pkgname/$_pkgname-$pkgver.tar.gz"
+source="http://pypi.python.org/packages/source/${_pkgname:0:1}/$_pkgname/$_pkgname-$pkgver.tar.gz
+	CVE-2015-8213.patch
+"
+
+prepare() {
+	cd "$srcdir"/Django-$pkgver
+	for i in $source; do
+		case $i in
+			*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+			esac
+	done
+}
+
 
 _builddir="$srcdir"/$_pkgname-$pkgver
 build() {
_at_@ -26,6 +38,9 @@ package() {
 	python setup.py install --root "$pkgdir" || return 1
 }
 
-md5sums="6ea69f3ebb73755bd2a4c9e3743f17c8  Django-1.7.9.tar.gz"
-sha256sums="4f3f9fe4e5d20ff8ed6a90b5d2f2df2d8fc054e478cdcc3db81c6b29bd217860  Django-1.7.9.tar.gz"
-sha512sums="349f6950ec7cb37c8ae44a5fc9b924ef0d02e244c834a65bbdbe84d8a993474c6e94f82ac0df5bd08594c8cc6f72bf9413b7b30091319dbb5c018f211d3e9e67  Django-1.7.9.tar.gz"
+md5sums="6ea69f3ebb73755bd2a4c9e3743f17c8  Django-1.7.9.tar.gz
+ad2a4a3fa3694e11293085600d787093  CVE-2015-8213.patch"
+sha256sums="4f3f9fe4e5d20ff8ed6a90b5d2f2df2d8fc054e478cdcc3db81c6b29bd217860  Django-1.7.9.tar.gz
+fe5e611b6b958eee50af2594588feb6c3e442d7b736c9bb87b47f78b588585aa  CVE-2015-8213.patch"
+sha512sums="349f6950ec7cb37c8ae44a5fc9b924ef0d02e244c834a65bbdbe84d8a993474c6e94f82ac0df5bd08594c8cc6f72bf9413b7b30091319dbb5c018f211d3e9e67  Django-1.7.9.tar.gz
+1c4e77e05492eff7dead5141e81bbfd049334d05e643a34d2e662df492bc38bce2e7ec55e3032193821f3ba9267809bc3d25f77c0ec8ee0b3ee20e046694a3a2  CVE-2015-8213.patch"
diff --git a/main/py-django/CVE-2015-8213.patch b/main/py-django/CVE-2015-8213.patch
new file mode 100644
index 0000000..45796c4
--- /dev/null
+++ b/main/py-django/CVE-2015-8213.patch
_at_@ -0,0 +1,63 @@
+From 316bc3fc9437c5960c24baceb93c73f1939711e4 Mon Sep 17 00:00:00 2001
+From: Florian Apolloner <florian_at_apolloner.eu>
+Date: Wed, 11 Nov 2015 20:10:55 +0100
+Subject: [PATCH] Fixed a settings leak possibility in the date template
+ filter.
+
+This is a security fix.
+---
+ django/utils/formats.py  | 20 ++++++++++++++++++++
+ tests/i18n/tests.py      |  3 +++
+ 2 files changed, 23 insertions(+), 0 deletions(-)
+
+diff --git a/django/utils/formats.py b/django/utils/formats.py
+index d2bdda4..8334682 100644
+--- a/django/utils/formats.py
++++ b/django/utils/formats.py
+_at_@ -30,6 +30,24 @@
+ }
+
+
++FORMAT_SETTINGS = frozenset([
++    'DECIMAL_SEPARATOR',
++    'THOUSAND_SEPARATOR',
++    'NUMBER_GROUPING',
++    'FIRST_DAY_OF_WEEK',
++    'MONTH_DAY_FORMAT',
++    'TIME_FORMAT',
++    'DATE_FORMAT',
++    'DATETIME_FORMAT',
++    'SHORT_DATE_FORMAT',
++    'SHORT_DATETIME_FORMAT',
++    'YEAR_MONTH_FORMAT',
++    'DATE_INPUT_FORMATS',
++    'TIME_INPUT_FORMATS',
++    'DATETIME_INPUT_FORMATS',
++])
++
++
+ def reset_format_cache():
+     """Clear any cached formats.
+
+_at_@ -92,6 +110,8 @@ def get_format(format_type, lang=None, use_l10n=None):
+     be localized (or not), overriding the value of settings.USE_L10N.
+     """
+     format_type = force_str(format_type)
++    if format_type not in FORMAT_SETTINGS:
++        return format_type
+     if use_l10n or (use_l10n is None and settings.USE_L10N):
+         if lang is None:
+             lang = get_language()
+diff --git a/tests/i18n/tests.py b/tests/i18n/tests.py
+index 1de7b11..fd332c5 100644
+--- a/tests/i18n/tests.py
++++ b/tests/i18n/tests.py
+_at_@ -1249,6 +1249,9 @@ def test_localized_as_text_as_hidden_input(self):
+                 '<input id="id_cents_paid" name="cents_paid" type="hidden" value="59,47" />'
+             )
+
++    def test_format_arbitrary_settings(self):
++        self.assertEqual(get_format('DEBUG'), 'DEBUG')
++
+
+ class MiscTests(SimpleTestCase):
-- 
2.6.2
---
Unsubscribe:  alpine-aports+unsubscribe_at_lists.alpinelinux.org
Help:         alpine-aports+help_at_lists.alpinelinux.org
---
Received on Sun Nov 29 2015 - 10:36:04 GMT