
[SECURITY] [DLA 65-1] python-django security update



Package        : python-django
Version        : 1.2.3-3+squeeze11
CVE ID         : CVE-2014-0480 CVE-2014-0481 CVE-2014-0482 CVE-2014-0483

This update addresses an issue with reverse() generating external URLs; a
denial of service involving file uploads; a potential session hijacking
issue in the remote-user middleware; and a data leak in the administrative
interface.

This update has been brought to you thanks to the Debian LTS sponsors:
http://www.freexian.com/services/debian-lts.html

CVE-2014-0480

    Django includes the helper function django.core.urlresolvers.reverse,
    typically used to generate a URL from a reference to a view function or
    URL pattern name. However, when presented with input beginning with two
    forward-slash characters (//), reverse() could generate scheme-relative
    URLs to other hosts, allowing an attacker who is aware of unsafe use of
    reverse() (i.e., in a situation where an end user can control the target
    of a redirect, to take a common example) to generate links to sites of
    their choice, enabling phishing and other attacks.

    To remedy this, URL reversing now ensures that no URL starts with two
    slashes (//), replacing the second slash with its URL encoded counterpart
    (%2F). This approach ensures that semantics stay the same, while making
    the URL relative to the domain and not to the scheme.
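The guard described above, as an added example (not code from the advisory or from Django): a hypothetical pattern table with a catch-all `path` parameter stands in for the resolver, and `urllib.parse.urljoin` shows where a browser would actually send a redirect before and after the second slash is encoded.

```python
import urllib.parse

# Constructed stand-in for a URL pattern table (hypothetical, not Django's
# resolver). "catch_all" has a parameter that user input can flow into, which
# is the kind of pattern whose reversed result could start with "//".
URL_PATTERNS = {
    "profile": "/accounts/profile/",
    "catch_all": "/{path}",
}


def guard_scheme_relative(url):
    """Remedy for CVE-2014-0480 as the advisory describes it: a reversed URL
    must never begin with two slashes, so the second one becomes "%2F".
    The result is still a path on the current host, not a scheme-relative
    reference to another host."""
    if url.startswith("//"):
        return "/%2F" + url[2:]
    return url


def reverse(name, guard=True, **kwargs):
    """Hypothetical reverse(): substitute kwargs into the named pattern and,
    unless guard=False (shown only to contrast the pre-fix result), apply the
    scheme-relative guard."""
    url = URL_PATTERNS[name].format(**kwargs)
    return guard_scheme_relative(url) if guard else url


def redirect_target(page_url, location):
    """Where a browser lands when a page at page_url issues a redirect to
    `location` (RFC 3986 reference resolution)."""
    return urllib.parse.urljoin(page_url, location)


if __name__ == "__main__":
    attacker_value = "/evil.example/x"      # constructed user-controlled input
    unguarded = reverse("catch_all", guard=False, path=attacker_value)
    guarded = reverse("catch_all", path=attacker_value)
    print(unguarded, "->", redirect_target("https://app.example/login/", unguarded))
    print(guarded, "->", redirect_target("https://app.example/login/", guarded))
```

The unguarded result resolves to a different host; the guarded one stays on `app.example`, which is the whole point of encoding the second slash rather than rejecting the URL.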

CVE-2014-0481

    In the default configuration, when Django's file upload handling system is
    presented with a file that would have the same on-disk path and name as an
    existing file, it attempts to generate a new unique filename by appending
    an underscore and an integer to the end of the (as stored on disk)
    filename, incrementing the integer (i.e., _1, _2, etc.) until it has
    generated a name which does not conflict with any existing file.

    An attacker with knowledge of this can exploit the sequential behavior of
    filename generation by uploading many tiny files which all share a
    filename; Django will, in processing them, generate ever-increasing
    numbers of os.stat() calls as it attempts to generate a unique filename.
    As a result, even a relatively small number of such uploads can
    significantly degrade performance.

    To remedy this, Django's file-upload system will no longer use sequential
    integer names to avoid filename conflicts on disk; instead, a short random
    alphanumeric string will be appended, removing the ability to reliably
    generate many repeatedly-conflicting filenames.
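To make the cost difference concrete, here is an added simulation (not Django's storage code): an in-memory "disk" counts every existence check as one os.stat() call, and the same batch of same-named uploads is run through a sequential-suffix strategy and a random-suffix strategy. The seven-character suffix length is an assumption of this example.

```python
import os
import random
import string


class FakeDisk:
    """Constructed in-memory stand-in for the upload directory; every
    existence check is counted as one os.stat() call."""

    def __init__(self):
        self.names = set()
        self.stat_calls = 0

    def exists(self, name):
        self.stat_calls += 1
        return name in self.names

    def store(self, name):
        self.names.add(name)


def available_name_sequential(disk, name):
    """Pre-fix behaviour as described: append _1, _2, ... until a free name
    is found. The k-th conflicting upload probes k+1 names."""
    root, ext = os.path.splitext(name)
    count = 0
    candidate = name
    while disk.exists(candidate):
        count += 1
        candidate = "%s_%d%s" % (root, count, ext)
    return candidate


def available_name_random(disk, name, rng, length=7):
    """Post-fix behaviour as described: append a short random alphanumeric
    string, so an uploader cannot predict which names already conflict."""
    root, ext = os.path.splitext(name)
    alphabet = string.ascii_letters + string.digits
    candidate = name
    while disk.exists(candidate):
        suffix = "".join(rng.choice(alphabet) for _ in range(length))
        candidate = "%s_%s%s" % (root, suffix, ext)
    return candidate


def sequential_cost(uploads, name="avatar.png"):
    """Total os.stat() calls for `uploads` same-named files, sequential strategy."""
    disk = FakeDisk()
    for _ in range(uploads):
        disk.store(available_name_sequential(disk, name))
    return disk.stat_calls


def random_cost(uploads, name="avatar.png", seed=0):
    """Total os.stat() calls for `uploads` same-named files, random strategy."""
    disk = FakeDisk()
    rng = random.Random(seed)   # seeded only so the simulation is repeatable
    for _ in range(uploads):
        disk.store(available_name_random(disk, name, rng))
    return disk.stat_calls


if __name__ == "__main__":
    for n in (10, 100, 1000):
        print(n, "uploads:", sequential_cost(n), "sequential stats vs",
              random_cost(n), "random stats")
```

Sequential naming costs n(n+1)/2 stat calls for n colliding uploads (quadratic), while random naming costs about 2n, since each upload after the first checks the original name and then one fresh candidate.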

CVE-2014-0482

    Django provides a middleware --
    django.contrib.auth.middleware.RemoteUserMiddleware -- and an
    authentication backend, django.contrib.auth.backends.RemoteUserBackend,
    which use the REMOTE_USER header for authentication purposes.

    In some circumstances, use of this middleware and backend could result in
    one user receiving another user's session, if a change to the REMOTE_USER
    header occurred without corresponding logout/login actions.

    To remedy this, the middleware will now ensure that a change to
    REMOTE_USER without an explicit logout will force a logout and subsequent
    login prior to accepting the new REMOTE_USER.
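The check described above, modelled as an added example (not Django's middleware code) over a constructed session record: when the trusted REMOTE_USER header names a different user than the one bound to the session, the session is discarded and a fresh one is created before the new user is logged in. An `enforce_change=False` path is included only to contrast the pre-fix outcome, where the second user would be served the first user's session.

```python
import itertools

_session_ids = itertools.count(1)


def new_session():
    """Constructed stand-in for a session store entry (not Django's session
    API): a fresh id and no authenticated user."""
    return {"id": next(_session_ids), "username": None}


def remote_user_middleware(session, headers, enforce_change=True):
    """Return the session to use for this request, given the headers the
    front-end web server set. With enforce_change=True (the remedied
    behaviour described in the advisory) a changed REMOTE_USER forces a
    logout (new session) and a login as the new user."""
    remote_user = headers.get("REMOTE_USER")
    if remote_user is None:
        # The advisory describes only a changed header; a missing header is
        # left alone in this example.
        return session
    already_logged_in = session["username"] is not None
    if already_logged_in and session["username"] != remote_user:
        if not enforce_change:
            # Pre-fix outcome: the existing session (and its user) is kept,
            # so the new remote user receives someone else's session.
            return session
        session = new_session()          # forced logout
    if session["username"] is None:
        session["username"] = remote_user  # login as the header's user
    return session


def replay(requests, enforce_change=True):
    """Run a list of header dicts through the middleware as one browser
    session and return the (session id, username) seen on each request."""
    session = new_session()
    trace = []
    for headers in requests:
        session = remote_user_middleware(session, headers, enforce_change)
        trace.append((session["id"], session["username"]))
    return trace


if __name__ == "__main__":
    # Constructed sequence: alice twice, then the header switches to bob.
    reqs = [{"REMOTE_USER": "alice"}, {"REMOTE_USER": "alice"},
            {"REMOTE_USER": "bob"}, {"REMOTE_USER": "bob"}]
    print("fixed:     ", replay(reqs))
    print("unfixed:   ", replay(reqs, enforce_change=False))
```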

CVE-2014-0483

    Django's administrative interface, django.contrib.admin, offers a feature
    whereby related objects can be displayed for selection in a popup window.
    The mechanism for this relies on placing values in the URL and querystring
    which specify the related model to display and the field through which the
    relationship is implemented. This mechanism does perform permission checks
    at the level of the model class as a whole.

    This mechanism did not, however, verify that the specified field actually
    represents a relationship between models. Thus a user with access to the
    admin interface, and with sufficient knowledge of model structure and the
    appropriate URLs, could construct popup views which would display the
    values of non-relationship fields, including fields the application
    developer had not intended to expose in such a fashion.

    To remedy this, the admin interface will now, in addition to its normal
    permission checks, verify that the specified field does indeed represent a
    relationship, to a model registered with the admin, and will raise an
    exception if either condition is not true.
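The two added checks, as an added example over constructed model metadata (not Django's admin or Options API): a popup request names a model and a field, and the request is refused unless that field is a relation and the model it points at is registered with the admin. The model-level permission check the advisory mentions is assumed to have been done by the caller.

```python
class PermissionDenied(Exception):
    """Raised when the popup request fails the relationship or registration check."""


# Constructed model metadata (hypothetical app): model -> field -> target model
# for relation fields, None for plain value fields.
MODELS = {
    "Book": {"title": None, "author": "Author", "internal_margin": None},
    "Author": {"name": None, "agency": "Agency"},
    "Agency": {"name": None, "bank_account": None},
}

# Models registered with the admin site; "Agency" deliberately is not.
ADMIN_REGISTRY = {"Book", "Author"}


def related_popup_target(model_name, field_name, models=MODELS, registry=ADMIN_REGISTRY):
    """Return the model to list in the popup, or raise PermissionDenied.
    Mirrors the remedy in the advisory: the named field must be a relation,
    and its target must be registered with the admin."""
    fields = models.get(model_name)
    if fields is None or field_name not in fields:
        raise PermissionDenied("unknown model or field")
    target = fields[field_name]
    if target is None:
        # Before the fix this case fell through and the popup listed the
        # values of an ordinary field.
        raise PermissionDenied("%s.%s is not a relationship field" % (model_name, field_name))
    if target not in registry:
        raise PermissionDenied("%s is not registered with the admin" % target)
    return target


def popup_allowed(model_name, field_name):
    """Boolean convenience wrapper around related_popup_target()."""
    try:
        related_popup_target(model_name, field_name)
    except PermissionDenied:
        return False
    return True


if __name__ == "__main__":
    for model, field in [("Book", "author"), ("Book", "internal_margin"),
                         ("Author", "agency"), ("Nope", "x")]:
        print(model, field, "->", "allowed" if popup_allowed(model, field) else "denied")
```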


-- 
Raphaël Hertzog ◈ Debian Developer

Discover the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/
