
[alpine-aports] [PATCH] main/django: security fix CVE-2015-8213

Christian Kampka <christian@kampka.net>
Message ID
<1448788940-22886-1-git-send-email-christian@kampka.net>
Sender timestamp
1448788940
DKIM signature
missing
Patch: +82 -5
Fixed a settings leak possibility in the date template filter.
---
 main/py-django/APKBUILD            | 24 ++++++++++++---
 main/py-django/CVE-2015-8213.patch | 63 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 82 insertions(+), 5 deletions(-)
 create mode 100644 main/py-django/CVE-2015-8213.patch

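diff --git a/main/py-django/APKBUILD b/main/py-django/APKBUILD
index 222b1c8..b348f8f 100644
--- a/main/py-django/APKBUILD
+++ b/main/py-django/APKBUILD
@@ -3,7 +3,7 @@
 pkgname=py-django
 _pkgname=Django
 pkgver=1.8.3
-pkgrel=0
+pkgrel=1
 pkgdesc="A high-level Python Web framework"
 url="http://djangoproject.com/"
 arch="noarch"
@@ -13,7 +13,18 @@ depends_dev=""
 makedepends="python-dev py-setuptools"
 install=""
 subpackages=""
-source="http://pypi.python.org/packages/source/${_pkgname:0:1}/$_pkgname/$_pkgname-$pkgver.tar.gz"
+source="http://pypi.python.org/packages/source/${_pkgname:0:1}/$_pkgname/$_pkgname-$pkgver.tar.gz
+	CVE-2015-8213.patch
+"
+
+prepare() {
+	cd "$srcdir"/Django-$pkgver
+	for i in $source; do
+	case $i in
+		*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+		esac
+	done
+}
 
 _builddir="$srcdir"/$_pkgname-$pkgver
 build() {
@@ -26,6 +37,9 @@ package() {
 	python setup.py install --root "$pkgdir" || return 1
 }
 
-md5sums="31760322115c3ae51fbd8ac85c9ac428  Django-1.8.3.tar.gz"
-sha256sums="2bb654fcc05fd53017c88caf2bc38b5c5ea23c91f8ac7f0a28b290daf2305bba  Django-1.8.3.tar.gz"
-sha512sums="17943c4769bb11125ee23cee6e05ce120a769ff46b9b380219bb28a42d4119082c2041fbc826d59707cb9f2cd1dc19c94beb61ac644e8c4fa5ba3bd528efa06e  Django-1.8.3.tar.gz"
+md5sums="31760322115c3ae51fbd8ac85c9ac428  Django-1.8.3.tar.gz
+782f8609cee5028ce7b16e7fc397a319  CVE-2015-8213.patch"
+sha256sums="2bb654fcc05fd53017c88caf2bc38b5c5ea23c91f8ac7f0a28b290daf2305bba  Django-1.8.3.tar.gz
+02b1a2642dc252b06672af0becffbf6a6184f434132c5394cedf54730b0208c9  CVE-2015-8213.patch"
+sha512sums="17943c4769bb11125ee23cee6e05ce120a769ff46b9b380219bb28a42d4119082c2041fbc826d59707cb9f2cd1dc19c94beb61ac644e8c4fa5ba3bd528efa06e  Django-1.8.3.tar.gz
+b5f32137c382c2c8240fe6a8d4f06a8ab37012bb5e0b82d6bb0df7ae9dd9f595c0e9bd15f23d360978f395b86eade859617279dfb91f5c303c8ccdd3accfeb06  CVE-2015-8213.patch"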
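Review bot: The `cd "$srcdir"/Django-$pkgver` at the top of the new prepare() has no `|| return 1`, unlike the `patch` call two lines below it, so if the directory is missing or misnamed the loop goes on and applies the security patch against `$srcdir` instead of aborting the build. The APKBUILD already names that directory as `_builddir="$srcdir"/$_pkgname-$pkgver` a few lines further down, so `cd "$_builddir" || return 1` would both fail closed and avoid the hard-coded `Django` spelling (abuild sources the whole file before calling prepare(), so the later assignment is in scope). Separately, the `case $i in` / `esac` pair is indented at the same level as its enclosing `for`, which reads as a sibling statement rather than the loop body; one more tab on those two lines would match the rest of the file. The same text is quoted verbatim in the reply further down this thread.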
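diff --git a/main/py-django/CVE-2015-8213.patch b/main/py-django/CVE-2015-8213.patch
new file mode 100644
index 0000000..392e198
--- /dev/null
+++ b/main/py-django/CVE-2015-8213.patch
@@ -0,0 +1,63 @@
+From 316bc3fc9437c5960c24baceb93c73f1939711e4 Mon Sep 17 00:00:00 2001
+From: Florian Apolloner <florian@apolloner.eu>
+Date: Wed, 11 Nov 2015 20:10:55 +0100
+Subject: [PATCH] Fixed a settings leak possibility in the date template
+ filter.
+
+This is a security fix.
+---
+ django/utils/formats.py  | 20 ++++++++++++++++++++
+ tests/i18n/tests.py      |  3 +++
+ 4 files changed, 51 insertions(+), 2 deletions(-)
+
+diff --git a/django/utils/formats.py b/django/utils/formats.py
+index d2bdda4..8334682 100644
+--- a/django/utils/formats.py
++++ b/django/utils/formats.py
+@@ -30,6 +30,24 @@
+ }
+
+
++FORMAT_SETTINGS = frozenset([
++    'DECIMAL_SEPARATOR',
++    'THOUSAND_SEPARATOR',
++    'NUMBER_GROUPING',
++    'FIRST_DAY_OF_WEEK',
++    'MONTH_DAY_FORMAT',
++    'TIME_FORMAT',
++    'DATE_FORMAT',
++    'DATETIME_FORMAT',
++    'SHORT_DATE_FORMAT',
++    'SHORT_DATETIME_FORMAT',
++    'YEAR_MONTH_FORMAT',
++    'DATE_INPUT_FORMATS',
++    'TIME_INPUT_FORMATS',
++    'DATETIME_INPUT_FORMATS',
++])
++
++
+ def reset_format_cache():
+     """Clear any cached formats.
+
+@@ -92,6 +110,8 @@ def get_format(format_type, lang=None, use_l10n=None):
+     be localized (or not), overriding the value of settings.USE_L10N.
+     """
+     format_type = force_str(format_type)
++    if format_type not in FORMAT_SETTINGS:
++        return format_type
+     if use_l10n or (use_l10n is None and settings.USE_L10N):
+         if lang is None:
+             lang = get_language()
+diff --git a/tests/i18n/tests.py b/tests/i18n/tests.py
+index 1de7b11..fd332c5 100644
+--- a/tests/i18n/tests.py
++++ b/tests/i18n/tests.py
+@@ -1249,6 +1249,9 @@ def test_localized_as_text_as_hidden_input(self):
+                 '<input id="id_cents_paid" name="cents_paid" type="hidden" value="59,47" />'
+             )
+
++    def test_format_arbitrary_settings(self):
++        self.assertEqual(get_format('DEBUG'), 'DEBUG')
++
+
+ class MiscTests(SimpleTestCase):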
-- 
2.6.2




[alpine-aports] Re: [PATCH] main/django: security fix CVE-2015-8213

Christian Kampka <christian@kampka.net>
Message ID
<CADq4isQxGeWqTpjn94YzDBPr9=NhPcAsPquQVhaJW-vzEL8MCw@mail.gmail.com>
In-Reply-To
<1448788940-22886-1-git-send-email-christian@kampka.net> (view parent)
Sender timestamp
1448789021
DKIM signature
missing
FYI, this is a patch against 3.2-stable.

Christian Kampka <christian@kampka.net> schrieb am So., 29. Nov. 2015 um
10:22 Uhr:

> Fixed a settings leak possibility in the date template filter.
> ---
>  main/py-django/APKBUILD            | 24 ++++++++++++---
>  main/py-django/CVE-2015-8213.patch | 63
> ++++++++++++++++++++++++++++++++++++++
>  2 files changed, 82 insertions(+), 5 deletions(-)
>  create mode 100644 main/py-django/CVE-2015-8213.patch
>
> diff --git a/main/py-django/APKBUILD b/main/py-django/APKBUILD
> index 222b1c8..b348f8f 100644
> --- a/main/py-django/APKBUILD
> +++ b/main/py-django/APKBUILD
> @@ -3,7 +3,7 @@
>  pkgname=py-django
>  _pkgname=Django
>  pkgver=1.8.3
> -pkgrel=0
> +pkgrel=1
>  pkgdesc="A high-level Python Web framework"
>  url="http://djangoproject.com/"
>  arch="noarch"
> @@ -13,7 +13,18 @@ depends_dev=""
>  makedepends="python-dev py-setuptools"
>  install=""
>  subpackages=""
> -source="
> http://pypi.python.org/packages/source/${_pkgname:0:1}/$_pkgname/$_pkgname-$pkgver.tar.gz
> "
> +source="
> http://pypi.python.org/packages/source/${_pkgname:0:1}/$_pkgname/$_pkgname-$pkgver.tar.gz
> +       CVE-2015-8213.patch
> +"
> +
> +prepare() {
> +       cd "$srcdir"/Django-$pkgver
> +       for i in $source; do
> +       case $i in
> +               *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
> +               esac
> +       done
> +}
>
>  _builddir="$srcdir"/$_pkgname-$pkgver
>  build() {
> @@ -26,6 +37,9 @@ package() {
>         python setup.py install --root "$pkgdir" || return 1
>  }
>
> -md5sums="31760322115c3ae51fbd8ac85c9ac428  Django-1.8.3.tar.gz"
> -sha256sums="2bb654fcc05fd53017c88caf2bc38b5c5ea23c91f8ac7f0a28b290daf2305bba
> Django-1.8.3.tar.gz"
> -sha512sums="17943c4769bb11125ee23cee6e05ce120a769ff46b9b380219bb28a42d4119082c2041fbc826d59707cb9f2cd1dc19c94beb61ac644e8c4fa5ba3bd528efa06e
> Django-1.8.3.tar.gz"
> +md5sums="31760322115c3ae51fbd8ac85c9ac428  Django-1.8.3.tar.gz
> +782f8609cee5028ce7b16e7fc397a319  CVE-2015-8213.patch"
> +sha256sums="2bb654fcc05fd53017c88caf2bc38b5c5ea23c91f8ac7f0a28b290daf2305bba
> Django-1.8.3.tar.gz
> +02b1a2642dc252b06672af0becffbf6a6184f434132c5394cedf54730b0208c9
> CVE-2015-8213.patch"
> +sha512sums="17943c4769bb11125ee23cee6e05ce120a769ff46b9b380219bb28a42d4119082c2041fbc826d59707cb9f2cd1dc19c94beb61ac644e8c4fa5ba3bd528efa06e
> Django-1.8.3.tar.gz
> +b5f32137c382c2c8240fe6a8d4f06a8ab37012bb5e0b82d6bb0df7ae9dd9f595c0e9bd15f23d360978f395b86eade859617279dfb91f5c303c8ccdd3accfeb06
> CVE-2015-8213.patch"
> diff --git a/main/py-django/CVE-2015-8213.patch
> b/main/py-django/CVE-2015-8213.patch
> new file mode 100644
> index 0000000..392e198
> --- /dev/null
> +++ b/main/py-django/CVE-2015-8213.patch
> @@ -0,0 +1,63 @@
> +From 316bc3fc9437c5960c24baceb93c73f1939711e4 Mon Sep 17 00:00:00 2001
> +From: Florian Apolloner <florian@apolloner.eu>
> +Date: Wed, 11 Nov 2015 20:10:55 +0100
> +Subject: [PATCH] Fixed a settings leak possibility in the date template
> + filter.
> +
> +This is a security fix.
> +---
> + django/utils/formats.py  | 20 ++++++++++++++++++++
> + tests/i18n/tests.py      |  3 +++
> + 4 files changed, 51 insertions(+), 2 deletions(-)
> +
> +diff --git a/django/utils/formats.py b/django/utils/formats.py
> +index d2bdda4..8334682 100644
> +--- a/django/utils/formats.py
> ++++ b/django/utils/formats.py
> +@@ -30,6 +30,24 @@
> + }
> +
> +
> ++FORMAT_SETTINGS = frozenset([
> ++    'DECIMAL_SEPARATOR',
> ++    'THOUSAND_SEPARATOR',
> ++    'NUMBER_GROUPING',
> ++    'FIRST_DAY_OF_WEEK',
> ++    'MONTH_DAY_FORMAT',
> ++    'TIME_FORMAT',
> ++    'DATE_FORMAT',
> ++    'DATETIME_FORMAT',
> ++    'SHORT_DATE_FORMAT',
> ++    'SHORT_DATETIME_FORMAT',
> ++    'YEAR_MONTH_FORMAT',
> ++    'DATE_INPUT_FORMATS',
> ++    'TIME_INPUT_FORMATS',
> ++    'DATETIME_INPUT_FORMATS',
> ++])
> ++
> ++
> + def reset_format_cache():
> +     """Clear any cached formats.
> +
> +@@ -92,6 +110,8 @@ def get_format(format_type, lang=None, use_l10n=None):
> +     be localized (or not), overriding the value of settings.USE_L10N.
> +     """
> +     format_type = force_str(format_type)
> ++    if format_type not in FORMAT_SETTINGS:
> ++        return format_type
> +     if use_l10n or (use_l10n is None and settings.USE_L10N):
> +         if lang is None:
> +             lang = get_language()
> +diff --git a/tests/i18n/tests.py b/tests/i18n/tests.py
> +index 1de7b11..fd332c5 100644
> +--- a/tests/i18n/tests.py
> ++++ b/tests/i18n/tests.py
> +@@ -1249,6 +1249,9 @@ def test_localized_as_text_as_hidden_input(self):
> +                 '<input id="id_cents_paid" name="cents_paid"
> type="hidden" value="59,47" />'
> +             )
> +
> ++    def test_format_arbitrary_settings(self):
> ++        self.assertEqual(get_format('DEBUG'), 'DEBUG')
> ++
> +
> + class MiscTests(SimpleTestCase):
> --
> 2.6.2
>
>