diff options
author | Christian Kampka <christian@kampka.net> | 2015-11-29 10:45:50 +0100 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2015-11-30 13:44:52 +0000 |
commit | 6a3b86bdf450723e96a5163caa1131622b9b38b1 (patch) | |
tree | 846eaa93690ba537ba4c1b5a9ab516f5e06244b3 | |
parent | 0371fb2874e1c3372201e28fead9b17abab543aa (diff) | |
download | aports-6a3b86bdf450723e96a5163caa1131622b9b38b1.tar.bz2 aports-6a3b86bdf450723e96a5163caa1131622b9b38b1.tar.xz |
main/py-django: security fix CVE-2015-8213
Fixed a settings leak possibility in the date template filter.
ref #4898
-rw-r--r-- | main/py-django/APKBUILD | 27 | ||||
-rw-r--r-- | main/py-django/CVE-2015-8213.patch | 49 |
2 files changed, 69 insertions, 7 deletions
diff --git a/main/py-django/APKBUILD b/main/py-django/APKBUILD index c69947e618..f6e49c4236 100644 --- a/main/py-django/APKBUILD +++ b/main/py-django/APKBUILD @@ -3,17 +3,28 @@ pkgname=py-django _pkgname=Django pkgver=1.5.10 -pkgrel=0 +pkgrel=1 pkgdesc="A high-level Python Web framework" url="http://djangoproject.com/" arch="noarch" license="BSD" depends="python" depends_dev="" -makedepends="python-dev" +makedepends="python-dev py-setuptools" install="" subpackages="" -source="http://pypi.python.org/packages/source/${_pkgname:0:1}/$_pkgname/$_pkgname-$pkgver.tar.gz" +source="http://pypi.python.org/packages/source/${_pkgname:0:1}/$_pkgname/$_pkgname-$pkgver.tar.gz + CVE-2015-8213.patch + " + +prepare() { + cd "$srcdir"/Django-$pkgver + for i in $source; do + case $i in + *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;; + esac + done +} _builddir="$srcdir"/$_pkgname-$pkgver build() { @@ -25,7 +36,9 @@ package() { cd "$_builddir" python setup.py install --root "$pkgdir" || return 1 } - -md5sums="b055361f04c0b8e862f8e8ffbb44e464 Django-1.5.10.tar.gz" -sha256sums="7cb4217e740f7d5d6d74617dbb9d960f9c09e8269c6762fe68c6e762219f4018 Django-1.5.10.tar.gz" -sha512sums="5357116870370f7fd06f77e5bfad98f89c6bb131eb2828ded524422d0690d8842c3106e4e92614c374ab2549d205e77c98e4071894f0625dfe69a382171b1834 Django-1.5.10.tar.gz" +md5sums="b055361f04c0b8e862f8e8ffbb44e464 Django-1.5.10.tar.gz +b8697fd93d0b76ae660314b45b65621a CVE-2015-8213.patch" +sha256sums="7cb4217e740f7d5d6d74617dbb9d960f9c09e8269c6762fe68c6e762219f4018 Django-1.5.10.tar.gz +0a7e614cc5efac9edaebaad06dce4ad45bf670ab24aceb168ee5c6735f8c8231 CVE-2015-8213.patch" +sha512sums="5357116870370f7fd06f77e5bfad98f89c6bb131eb2828ded524422d0690d8842c3106e4e92614c374ab2549d205e77c98e4071894f0625dfe69a382171b1834 Django-1.5.10.tar.gz +15598c2de79bcc1f2e0f48ef95ec294b38f9c11affad4cfd6401825daa6be4a4e5eef5af54bab05824b1155b6dd9203c5fde294dbb7ce83b847b0d2315251909 CVE-2015-8213.patch" diff --git a/main/py-django/CVE-2015-8213.patch b/main/py-django/CVE-2015-8213.patch new file mode 100644 index 0000000000..54fe8c29cf --- /dev/null +++ b/main/py-django/CVE-2015-8213.patch @@ -0,0 +1,49 @@ +From 316bc3fc9437c5960c24baceb93c73f1939711e4 Mon Sep 17 00:00:00 2001 +From: Florian Apolloner <florian@apolloner.eu> +Date: Wed, 11 Nov 2015 20:10:55 +0100 +Subject: [PATCH] Fixed a settings leak possibility in the date template + filter. + +This is a security fix. +--- + django/utils/formats.py | 20 ++++++++++++++++++++ + 1 files changed, 20 insertions(+), 0 deletions(-) + +diff --git a/django/utils/formats.py b/django/utils/formats.py +index d2bdda4..8334682 100644 +--- a/django/utils/formats.py ++++ b/django/utils/formats.py +@@ -30,6 +30,24 @@ + } + + ++FORMAT_SETTINGS = frozenset([ ++ 'DECIMAL_SEPARATOR', ++ 'THOUSAND_SEPARATOR', ++ 'NUMBER_GROUPING', ++ 'FIRST_DAY_OF_WEEK', ++ 'MONTH_DAY_FORMAT', ++ 'TIME_FORMAT', ++ 'DATE_FORMAT', ++ 'DATETIME_FORMAT', ++ 'SHORT_DATE_FORMAT', ++ 'SHORT_DATETIME_FORMAT', ++ 'YEAR_MONTH_FORMAT', ++ 'DATE_INPUT_FORMATS', ++ 'TIME_INPUT_FORMATS', ++ 'DATETIME_INPUT_FORMATS', ++]) ++ ++ + def reset_format_cache(): + """Clear any cached formats. + +@@ -92,6 +110,8 @@ def get_format(format_type, lang=None, use_l10n=None): + be localized (or not), overriding the value of settings.USE_L10N. + """ + format_type = force_str(format_type) ++ if format_type not in FORMAT_SETTINGS: ++ return format_type + if use_l10n or (use_l10n is None and settings.USE_L10N): + if lang is None: + lang = get_language() |