packages/python-django
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Upgrade package to version 4.1.4

Browse Source
This commit is contained in:
chendexi 2022-12-09 13:40:42 +08:00
parent b9ab4bc16a
commit 4cb85ea2f2
4 changed files with 18 additions and 158 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
3.2.12.tar.gz → 4.1.4.tar.gz
View File

Binary file not shown.

92
CVE-2022-34265.patch
View File

@ -1,21 +1,6 @@
From a9010fe5555e6086a9d9ae50069579400ef0685e Mon Sep 17 00:00:00 2001 diff -Naur a/django/db/backends/base/operations.py b/django/db/backends/base/operations.py
From: Mariusz Felisiak <felisiak.mariusz@gmail.com> --- a/django/db/backends/base/operations.py 2022-12-06 17:12:38.000000000 +0800
Date: Wed, 22 Jun 2022 12:44:04 +0200 +++ b/django/db/backends/base/operations.py 2022-12-09 11:49:05.347986919 +0800
Subject: [PATCH] [3.2.x] Fixed CVE-2022-34265 -- Protected
Trunc(kind)/Extract(lookup_name) against SQL injection.
Thanks Takuto Yoshikai (Aeye Security Lab) for the report.
---
django/db/backends/base/operations.py | 3 ++
django/db/models/functions/datetime.py | 4 +++
docs/releases/3.2.14.txt | 11 ++++++
.../datetime/test_extract_trunc.py | 34 +++++++++++++++++++
4 files changed, 52 insertions(+)
diff --git a/django/db/backends/base/operations.py b/django/db/backends/base/operations.py
index 0fcc607bcfb0..cdcd9885ba27 100644
--- a/django/db/backends/base/operations.py
+++ b/django/db/backends/base/operations.py
@@ -9,6 +9,7 @@ @@ -9,6 +9,7 @@
from django.db.backends import utils from django.db.backends import utils
from django.utils import timezone from django.utils import timezone
@ -24,20 +9,19 @@ index 0fcc607bcfb0..cdcd9885ba27 100644
class BaseDatabaseOperations: class BaseDatabaseOperations:
@@ -53,6 +54,8 @@ class BaseDatabaseOperations: @@ -53,6 +54,8 @@
# Prefix for EXPLAIN queries, or None EXPLAIN isn't supported. # Prefix for EXPLAIN queries, or None EXPLAIN isn't supported.
explain_prefix = None explain_prefix = None
+ extract_trunc_lookup_pattern = _lazy_re_compile(r"[\w\-_()]+") + extract_trunc_lookup_pattern = _lazy_re_compile(r"[\w\-_()]+")
+ +
def __init__(self, connection): def __init__(self, connection):
self.connection = connection self.connection = connection
self._cache = None diff -Naur a/django/db/models/functions/datetime.py b/django/db/models/functions/datetime.py
diff --git a/django/db/models/functions/datetime.py b/django/db/models/functions/datetime.py --- a/django/db/models/functions/datetime.py 2022-12-06 17:12:38.000000000 +0800
index 90e6f41be057..47651d281f19 100644 +++ b/django/db/models/functions/datetime.py 2022-12-09 11:50:50.011981885 +0800
--- a/django/db/models/functions/datetime.py @@ -51,6 +51,8 @@
+++ b/django/db/models/functions/datetime.py
@@ -41,6 +41,8 @@ def __init__(self, expression, lookup_name=None, tzinfo=None, **extra):
super().__init__(expression, **extra) super().__init__(expression, **extra)
def as_sql(self, compiler, connection): def as_sql(self, compiler, connection):
@ -46,64 +30,12 @@ index 90e6f41be057..47651d281f19 100644
sql, params = compiler.compile(self.lhs) sql, params = compiler.compile(self.lhs)
lhs_output_field = self.lhs.output_field lhs_output_field = self.lhs.output_field
if isinstance(lhs_output_field, DateTimeField): if isinstance(lhs_output_field, DateTimeField):
@@ -192,6 +194,8 @@ def __init__(self, expression, output_field=None, tzinfo=None, is_dst=None, **ex @@ -243,6 +245,8 @@
super().__init__(expression, output_field=output_field, **extra) super().__init__(expression, output_field=output_field, **extra)
def as_sql(self, compiler, connection): def as_sql(self, compiler, connection):
+ if not connection.ops.extract_trunc_lookup_pattern.fullmatch(self.kind): + if not connection.ops.extract_trunc_lookup_pattern.fullmatch(self.kind):
+ raise ValueError("Invalid kind: %s" % self.kind) + raise ValueError("Invalid kind: %s" % self.kind)
inner_sql, inner_params = compiler.compile(self.lhs) sql, params = compiler.compile(self.lhs)
tzname = None tzname = None
if isinstance(self.lhs.output_field, DateTimeField): if isinstance(self.lhs.output_field, DateTimeField):
diff --git a/tests/db_functions/datetime/test_extract_trunc.py b/tests/db_functions/datetime/test_extract_trunc.py
index 258600127f93..27ed3ae63ee5 100644
--- a/tests/db_functions/datetime/test_extract_trunc.py
+++ b/tests/db_functions/datetime/test_extract_trunc.py
@@ -177,6 +177,23 @@ def test_extract_year_lessthan_lookup(self):
self.assertEqual(qs.count(), 1)
self.assertGreaterEqual(str(qs.query).lower().count('extract'), 2)
+ def test_extract_lookup_name_sql_injection(self):
+ start_datetime = datetime(2015, 6, 15, 14, 30, 50, 321)
+ end_datetime = datetime(2016, 6, 15, 14, 10, 50, 123)
+ if settings.USE_TZ:
+ start_datetime = timezone.make_aware(start_datetime)
+ end_datetime = timezone.make_aware(end_datetime)
+ self.create_model(start_datetime, end_datetime)
+ self.create_model(end_datetime, start_datetime)
+
+ msg = "Invalid lookup_name: "
+ with self.assertRaisesMessage(ValueError, msg):
+ DTModel.objects.filter(
+ start_datetime__year=Extract(
+ "start_datetime", "day' FROM start_datetime)) OR 1=1;--"
+ )
+ ).exists()
+
def test_extract_func(self):
start_datetime = datetime(2015, 6, 15, 14, 30, 50, 321)
end_datetime = datetime(2016, 6, 15, 14, 10, 50, 123)
@@ -620,6 +637,23 @@ def test_extract_second_func(self):
)
self.assertEqual(DTModel.objects.filter(start_datetime__second=ExtractSecond('start_datetime')).count(), 2)
+ def test_trunc_lookup_name_sql_injection(self):
+ start_datetime = datetime(2015, 6, 15, 14, 30, 50, 321)
+ end_datetime = datetime(2016, 6, 15, 14, 10, 50, 123)
+ if settings.USE_TZ:
+ start_datetime = timezone.make_aware(start_datetime)
+ end_datetime = timezone.make_aware(end_datetime)
+ self.create_model(start_datetime, end_datetime)
+ self.create_model(end_datetime, start_datetime)
+ msg = "Invalid kind: "
+ with self.assertRaisesMessage(ValueError, msg):
+ DTModel.objects.filter(
+ start_datetime__date=Trunc(
+ "start_datetime",
+ "year', start_datetime)) OR 1=1;--",
+ )
+ ).exists()
+
def test_trunc_func(self):
start_datetime = datetime(2015, 6, 15, 14, 30, 50, 321)
end_datetime = datetime(2016, 6, 15, 14, 10, 50, 123)

74
backport-CVE-2022-36359.patch
View File

@ -1,74 +0,0 @@
From 8c5a1dfe34ea52cc2af21064a8654bfaa8b7a012 Mon Sep 17 00:00:00 2001
From: Carlton Gibson <carlton.gibson@noumenal.es>
Date: Wed, 27 Jul 2022 10:27:42 +0200
Subject: [PATCH] [3.2.x] Fixed CVE-2022-36359: Escaped filename in
Content-Disposition header.
Thanks to Motoyasu Saburi for the report.
---
django/http/response.py | 4 +++-
docs/releases/3.2.15.txt | 8 ++++++-
tests/responses/test_fileresponse.py | 35 ++++++++++++++++++++++++++++
3 files changed, 45 insertions(+), 2 deletions(-)
diff --git a/django/http/response.py b/django/http/response.py
index 1c22edaff3..73f87d7bda 100644
--- a/django/http/response.py
+++ b/django/http/response.py
@@ -485,7 +485,9 @@ class FileResponse(StreamingHttpResponse):
disposition = 'attachment' if self.as_attachment else 'inline'
try:
filename.encode('ascii')
- file_expr = 'filename="{}"'.format(filename)
+ file_expr = 'filename="{}"'.format(
+ filename.replace('\\', '\\\\').replace('"', r'\"')
+ )
except UnicodeEncodeError:
file_expr = "filename*=utf-8''{}".format(quote(filename))
self.headers['Content-Disposition'] = '{}; {}'.format(disposition, file_expr)
diff --git a/tests/responses/test_fileresponse.py b/tests/responses/test_fileresponse.py
index 46d407bdf5..b4ef82ef3e 100644
--- a/tests/responses/test_fileresponse.py
+++ b/tests/responses/test_fileresponse.py
@@ -89,3 +89,38 @@ class FileResponseTests(SimpleTestCase):
response.headers['Content-Disposition'],
"attachment; filename*=utf-8''%E7%A5%9D%E6%82%A8%E5%B9%B3%E5%AE%89.odt"
)
+
+ def test_content_disposition_escaping(self):
+ # fmt: off
+ tests = [
+ (
+ 'multi-part-one";\" dummy".txt',
+ r"multi-part-one\";\" dummy\".txt"
+ ),
+ ]
+ # fmt: on
+ # Non-escape sequence backslashes are path segments on Windows, and are
+ # eliminated by an os.path.basename() check in FileResponse.
+ if sys.platform != "win32":
+ # fmt: off
+ tests += [
+ (
+ 'multi-part-one\\";\" dummy".txt',
+ r"multi-part-one\\\";\" dummy\".txt"
+ ),
+ (
+ 'multi-part-one\\";\\\" dummy".txt',
+ r"multi-part-one\\\";\\\" dummy\".txt"
+ )
+ ]
+ # fmt: on
+ for filename, escaped in tests:
+ with self.subTest(filename=filename, escaped=escaped):
+ response = FileResponse(
+ io.BytesIO(b"binary content"), filename=filename, as_attachment=True
+ )
+ response.close()
+ self.assertEqual(
+ response.headers["Content-Disposition"],
+ f'attachment; filename="{escaped}"',
+ )
--
2.36.1

10
python-django.spec
View File

@ -1,14 +1,13 @@
%global _empty_manifest_terminate_build 0 %global _empty_manifest_terminate_build 0
Name: python-django Name: python-django
Version: 3.2.12 Version: 4.1.4
Release: 3 Release: 1
Summary: A high-level Python Web framework that encourages rapid development and clean, pragmatic design. Summary: A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
License: Apache-2.0 and Python-2.0 and BSD-3-Clause License: Apache-2.0 and Python-2.0 and BSD-3-Clause
URL: https://www.djangoproject.com/ URL: https://www.djangoproject.com/
Source0: https://github.com/django/django/archive/refs/tags/3.2.12.tar.gz Source0: https://github.com/django/django/archive/refs/tags/4.1.4.tar.gz
#https://github.com/django/django/commit/a9010fe5555e6086a9d9ae50069579400ef0685e #https://github.com/django/django/commit/a9010fe5555e6086a9d9ae50069579400ef0685e
Patch0: CVE-2022-34265.patch Patch0: CVE-2022-34265.patch
Patch1: backport-CVE-2022-36359.patch
BuildArch: noarch BuildArch: noarch
@ -76,6 +75,9 @@ mv %{buildroot}/doclist.lst .
%{_docdir}/* %{_docdir}/*
%changelog %changelog
* Fri Dec 09 2022 chendexi <chendexi@kylinos.cn> - 4.1.4-1
- Upgrade package to version 4.1.4
* Tue Aug 09 2022 huangduirong <huangduirong@huawei.com> - 3.2.12-3 * Tue Aug 09 2022 huangduirong <huangduirong@huawei.com> - 3.2.12-3
- Type: bugfix - Type: bugfix
- CVE: CVE-2022-36359 - CVE: CVE-2022-36359