Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 222029 (CVE-2008-2302) - dev-python/django < 0.96.2 XSS (CVE-2008-2302)
Summary: dev-python/django < 0.96.2 XSS (CVE-2008-2302)
Alias: CVE-2008-2302
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High trivial (vote)
Assignee: Gentoo Security
Whiteboard: ~4 [noglsa]
Depends on:
Reported: 2008-05-14 07:50 UTC by Krzysztof Pawlik (RETIRED)
Modified: 2008-05-26 19:01 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

django-0.96.1-to-0.96.2.ebuild.patch (django-0.96.1-to-0.96.2.ebuild.patch,1.40 KB, text/plain)
2008-05-26 06:40 UTC, Krzysztof Pawlik (RETIRED)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Krzysztof Pawlik (RETIRED) gentoo-dev 2008-05-14 07:50:17 UTC
Description of vulnerability

The Django administration application will, when accessed by a user who is not sufficiently authenticated, display a login form and ask the user to provide the necessary credentials before displaying the requested page. This form will be submitted to the URL the user attempted to access, by supplying the current request path as the value of the form's "action" attribute.

The value of the request path was not being escaped, creating an opportunity for a cross-site scripting (XSS) attack by leading a user to a URL which contained URL-encoded HTML and/or JavaScript in the request path.
Affected versions

    * Django development trunk
    * Django 0.96
    * Django 0.95
    * Django 0.91


The login form has been changed to escape the request path before use as the form's submission action.

The relevant changesets for affected versions of Django are:

    * Django development trunk: Changeset 7521
    * Django 0.96: Changeset 7527
    * Django 0.95: Changeset 7528
    * Django 0.91: Changeset 7529

The following releases have been issued based on the above changesets:

    * Django 0.96.2
    * Django 0.95.3
    * Django 0.91.2

All users of affected versions of Django are strongly encouraged to apply the relevant patch or upgrade to the relevant patched release as soon as possible.
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-14 09:32:37 UTC
Python herd, please bump as necessary
Comment 2 Krzysztof Pawlik (RETIRED) gentoo-dev 2008-05-21 07:38:12 UTC
Bumping it won't be as easy as it seems: in 0.96.2 tarball some directories are missing (like extras, examples). I've filled a bug upstream about that, but it got closed as WONTFIX:, last comment from that bug:

> Actually, the 0.96.1 tarball was generated by an svn export, while 0.96.2 was 
> generated by using the script. What this means, really, is that the 
> script was borked (a known issue), but unfortunately I don't think we 
> can do much about it; the bugfixes branches are really only for critical 
> security fixes.

So the Django code should come from 0.96.2, and the rest from 0.96.1 or use 0.96.1 tarball with a patch.
Comment 3 Krzysztof Pawlik (RETIRED) gentoo-dev 2008-05-26 06:40:07 UTC
Created attachment 154317 [details]

This is a patch for 0.96.1 ebuild to create 0.96.2: it has both versions in SRC_URI and uses the missing directories from 0.96.1.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-05-26 17:56:42 UTC
Krzysiek, feel free to commit the attached patch to CVS. Or do you need additional review?
Comment 5 Krzysztof Pawlik (RETIRED) gentoo-dev 2008-05-26 18:17:16 UTC

Version bump to fix security bug, see bug #222029.
(Portage version:
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-05-26 18:19:36 UTC
Thanks, closing without stabling and GLSA.