debian/python-django.install:
usr/
extras/django_bash_completion etc/bash_completion.d/

debian/rules:
#!/usr/bin/make -f
-include /usr/share/python/python.mk
ifeq (,$(py_sitename))
py_sitename = site-packages
py_libdir = /usr/lib/python$(subst python,,$(1))/site-packages
py_sitename_sh = $(py_sitename)
py_libdir_sh = $(py_libdir)
endif
PREFIX = debian/python-django

%:
	dh $@ --with sphinxdoc,python2

override_dh_auto_clean:
	rm -rf docs.debian tests/__init__.py
	find -name "*.DS_Store" -delete
	chmod a-x django/contrib/gis/tests/data/texas.dbf
	dh_auto_clean

override_dh_auto_build:
	dh_auto_build
	# Build the HTML documentation.
	# We programmatically replace most instances of django-admin.py with
	# django-admin and remove the source files from the target _build.
	cp -r docs docs.debian
	find docs.debian -type f -print0 | xargs -0r perl -pi -e 's|(?

debian/control:
XSBC-Original-Maintainer: Debian Python Modules Team
Uploaders: Luke Faraone , Raphaël Hertzog , Chris Lamb
Standards-Version: 3.9.5
Build-Depends: debhelper (>= 9), python (>= 2.6.6-3~), python-sphinx (>= 1.0.8), locales (>= 0), python-mock
Build-Depends-Indep: libjs-jquery
Homepage: http://www.djangoproject.com/
Vcs-Svn: svn://anonscm.debian.org/python-modules/packages/python-django/trunk/
Vcs-Browser: http://anonscm.debian.org/viewvc/python-modules/packages/python-django/trunk/

Package: python-django
Architecture: all
Depends: ${misc:Depends}, ${python:Depends}
Recommends: libjs-jquery
Suggests: python-psycopg2, python-psycopg, python-mysqldb, python-flup, python-sqlite, python-yaml, geoip-database-contrib, gettext, python-django-doc, ipython, bpython, libgdal1
Description: High-level Python web development framework
 Django is a high-level web application framework that loosely follows the
 model-view-controller design pattern.
 .
 Python's equivalent to Ruby on Rails, Django lets you build complex
 data-driven websites quickly and easily - Django focuses on automating as
 much as possible and adhering to the "Don't Repeat Yourself" (DRY)
 principle.
 .
 Django additionally emphasizes reusability and "pluggability" of
 components; many generic third-party "applications" are available to
 enhance projects or simply to reduce development time even further.
 .
 Notable features include:
  * An object-relational mapper (ORM)
  * Automatic admin interface
  * Elegant URL dispatcher
  * Form serialization and validation system
  * Templating system
  * Lightweight, standalone web server for development and testing
  * Internationalization support
  * Testing framework and client

Package: python-django-doc
Section: doc
Architecture: all
Depends: ${misc:Depends}, ${sphinxdoc:Depends}
Description: High-level Python web development framework (documentation)
 Django is a high-level web application framework that loosely follows the
 model-view-controller design pattern.
 .
 Python's equivalent to Ruby on Rails, Django lets you build complex
 data-driven websites quickly and easily - Django focuses on automating as
 much as possible and adhering to the "Don't Repeat Yourself" (DRY)
 principle.
 .
 Django additionally emphasizes reusability and "pluggability" of
 components; many generic third-party "applications" are available to
 enhance projects or simply to reduce development time even further.
 .
 This package contains the HTML documentation and example projects.

debian/python-django-doc.doc-base:
Document: python-django-doc
Title: Python Django Documentation
Author: Django Software Foundation
Abstract: This documentation gives an introduction to Django and its
 contributed packages like its automatic admin and the user authentication
 applications.
Section: Programming/Python
Format: HTML
Index: /usr/share/doc/python-django-doc/html/index.html
Files: /usr/share/doc/python-django-doc/html/*.html
 /usr/share/doc/python-django-doc/html/faq/*.html
 /usr/share/doc/python-django-doc/html/howto/*.html
 /usr/share/doc/python-django-doc/html/internals/*.html
 /usr/share/doc/python-django-doc/html/intro/*.html
 /usr/share/doc/python-django-doc/html/misc/*.html
 /usr/share/doc/python-django-doc/html/ref/*.html
 /usr/share/doc/python-django-doc/html/releases/*.html
 /usr/share/doc/python-django-doc/html/topics/*.html

debian/watch:
version=3
opts=filenamemangle=s/.*\/download\/(.*)\/tarball\//Django-$1.tar.gz/,uversionmangle=s/-(alpha|beta)-/~$1/ \
http://www.djangoproject.com/download/ .*/([^/]+)/tarball/

debian/patches/CVE-2016-2512-regression.patch:
Description: fix is_safe_url() with non-unicode url
Origin: backport, https://github.com/django/django/commit/ada7a4aefb9bec4c34667b511022be6057102f98
Origin: backport, https://github.com/django/django/commit/552f03869ea7f3072b3fa19ffb6cb2d957fd8447
Bug: https://code.djangoproject.com/ticket/26308
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/python-django/+bug/1553251
Index: python-django-1.6.1/django/utils/http.py
===================================================================
--- python-django-1.6.1.orig/django/utils/http.py 2016-03-07 08:49:54.932912221 -0500
+++ python-django-1.6.1/django/utils/http.py 2016-03-07 08:49:54.928912174 -0500
@@ -258,6 +258,11 @@ url = url.strip() if not url: return False + if six.PY2: + try: + url = force_text(url) + except UnicodeDecodeError: + return False # Chrome treats \ completely as / in paths but it could be part of some # basic auth credentials so we need to check both URLs. return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host) Index: python-django-1.6.1/tests/utils_tests/test_http.py =================================================================== --- python-django-1.6.1.orig/tests/utils_tests/test_http.py 2016-03-07 08:49:54.932912221 -0500 +++ python-django-1.6.1/tests/utils_tests/test_http.py 2016-03-07 08:49:54.928912174 -0500 @@ -1,3 +1,4 @@ +# -*- encoding: utf-8 -*- from __future__ import unicode_literals from datetime import datetime 
@@ -132,6 +133,17 @@ 'http://testserver/confirm?email=me@example.com', '/url%20with%20spaces/'): self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url) + + if six.PY2: + # Check binary URLs, regression tests for #26308 + self.assertTrue( + http.is_safe_url(b'https://testserver/', host='testserver'), + "binary URLs should be allowed on Python 2" + ) + self.assertFalse(http.is_safe_url(b'\x08//example.com', host='testserver')) + self.assertTrue(http.is_safe_url('àview/'.encode('utf-8'), host='testserver')) + self.assertFalse(http.is_safe_url('àview'.encode('latin-1'), host='testserver')) + # Valid basic auth credentials are allowed. self.assertTrue(http.is_safe_url(r'http://user:pass@testserver/', host='user:pass@testserver')) # A path without host is allowed. debian/patches/series0000644000000000000000000000073713415171176012047 0ustar 02_disable-sources-in-sphinxdoc.diff 03_manpage.diff 06_use_debian_geoip_database_as_default.diff 99_fix_multipart_base64_decoding_large_files.patch file-encoding.diff CVE-2015-5143.patch CVE-2015-5144.patch CVE-2015-596x.patch CVE-2015-8213.patch CVE-2016-2512.patch CVE-2016-2513.patch CVE-2016-2512-regression.patch CVE-2016-7401.patch CVE-2016-9013.patch CVE-2016-9014.patch CVE-2017-7233.patch CVE-2017-7234.patch CVE-2018-7536.patch CVE-2018-7537.patch CVE-2019-3498.patch debian/patches/CVE-2015-5143.patch0000644000000000000000000001444613010654116013240 0ustar Backport of: commit ac4a54705fb9cdde832d07667843b45b208f9aad Author: Carl Meyer Date: Wed Jun 10 15:45:20 2015 -0600 [1.7.x] Fixed #19324 -- Avoided creating a session record when loading the session. The session record is now only created if/when the session is modified. This prevents a potential DoS via creation of many empty session records. This is a security fix; disclosure to follow shortly. 
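Review bot: (CVE-2016-2512-regression.patch) The `django/utils/http.py` hunk calls `six.PY2` and `force_text()`, and the `test_http.py` hunk calls `six.PY2`, but neither hunk adds an import; confirm both files already import `six` (and `http.py` also `force_text`) in 1.6.1, otherwise the new branch raises NameError instead of returning False. Decoding before `url.replace('\\', '/')` is the right order, since both `_is_safe_url()` calls then see text, and the `'àview'.encode('latin-1')` assertion documents that undecodable bytes are rejected rather than passed through; the added `# -*- encoding: utf-8 -*-` line is required for that non-ASCII literal on Python 2, so keep it with the test.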
Index: python-django-1.6.11/django/contrib/sessions/backends/cache.py =================================================================== --- python-django-1.6.11.orig/django/contrib/sessions/backends/cache.py 2016-11-09 12:09:25.740446544 -0500 +++ python-django-1.6.11/django/contrib/sessions/backends/cache.py 2016-11-09 12:09:25.740446544 -0500 @@ -27,7 +27,7 @@ session_data = None if session_data is not None: return session_data - self.create() + self._session_key = None return {} def create(self): @@ -49,6 +49,8 @@ "It is likely that the cache is unavailable.") def save(self, must_create=False): + if self.session_key is None: + return self.create() if must_create: func = self._cache.add else: @@ -60,7 +62,7 @@ raise CreateError def exists(self, session_key): - return (KEY_PREFIX + session_key) in self._cache + return session_key and (KEY_PREFIX + session_key) in self._cache def delete(self, session_key=None): if session_key is None: Index: python-django-1.6.11/django/contrib/sessions/backends/cached_db.py =================================================================== --- python-django-1.6.11.orig/django/contrib/sessions/backends/cached_db.py 2016-11-09 12:09:25.740446544 -0500 +++ python-django-1.6.11/django/contrib/sessions/backends/cached_db.py 2016-11-09 12:09:25.740446544 -0500 
@@ -49,12 +49,12 @@ logger = logging.getLogger('django.security.%s' % e.__class__.__name__) logger.warning(force_text(e)) - self.create() + self._session_key = None data = {} return data def exists(self, session_key): - if (KEY_PREFIX + session_key) in cache: + if session_key and (KEY_PREFIX + session_key) in cache: return True return super(SessionStore, self).exists(session_key) Index: python-django-1.6.11/django/contrib/sessions/backends/db.py =================================================================== --- python-django-1.6.11.orig/django/contrib/sessions/backends/db.py 2016-11-09 12:09:25.740446544 -0500 +++ python-django-1.6.11/django/contrib/sessions/backends/db.py 2016-11-09 12:09:25.740446544 -0500 @@ -25,7 +25,7 @@ logger = logging.getLogger('django.security.%s' % e.__class__.__name__) logger.warning(force_text(e)) - self.create() + self._session_key = None return {} def exists(self, session_key): @@ -42,7 +42,6 @@ # Key wasn't unique. Try again. continue self.modified = True - self._session_cache = {} return def save(self, must_create=False): @@ -52,6 +51,8 @@ create a *new* entry (as opposed to possibly updating an existing entry). """ + if self.session_key is None: + return self.create() obj = Session( session_key=self._get_or_create_session_key(), session_data=self.encode(self._get_session(no_load=must_create)), Index: python-django-1.6.11/django/contrib/sessions/backends/file.py =================================================================== --- python-django-1.6.11.orig/django/contrib/sessions/backends/file.py 2016-11-09 12:09:25.740446544 -0500 +++ python-django-1.6.11/django/contrib/sessions/backends/file.py 2016-11-09 12:09:25.740446544 -0500 @@ -95,7 +95,7 @@ self.delete() self.create() except (IOError, SuspiciousOperation): - self.create() + self._session_key = None return session_data def create(self): 
@@ -106,10 +106,11 @@ except CreateError: continue self.modified = True - self._session_cache = {} return def save(self, must_create=False): + if self.session_key is None: + return self.create() # Get the session data now, before we start messing # with the file it is stored within. session_data = self._get_session(no_load=must_create) Index: python-django-1.6.11/django/contrib/sessions/tests.py =================================================================== --- python-django-1.6.11.orig/django/contrib/sessions/tests.py 2016-11-09 12:09:25.740446544 -0500 +++ python-django-1.6.11/django/contrib/sessions/tests.py 2016-11-09 12:09:25.740446544 -0500 @@ -169,6 +169,11 @@ self.assertNotEqual(self.session.session_key, prev_key) self.assertEqual(list(self.session.items()), prev_data) + def test_save_doesnt_clear_data(self): + self.session['a'] = 'b' + self.session.save() + self.assertEqual(self.session['a'], 'b') + def test_invalid_key(self): # Submitting an invalid session key (either by guessing, or if the db has # removed the key) results in a new key being generated. 
@@ -305,6 +310,21 @@ self.session.delete(old_session_key) self.session.delete(new_session_key) + def test_session_load_does_not_create_record(self): + """ + Loading an unknown session key does not create a session record. + + Creating session records on load is a DOS vulnerability. + """ + if self.backend is CookieSession: + raise unittest.SkipTest("Cookie backend doesn't have an external store to create records in.") + session = self.backend('someunknownkey') + session.load() + + self.assertFalse(session.exists(session.session_key)) + # provided unknown key was cycled, not reused + self.assertNotEqual(session.session_key, 'someunknownkey') + class DatabaseSessionTests(SessionTestsMixin, TestCase): debian/patches/CVE-2018-7536.patch0000644000000000000000000000706313247253305013257 0ustar Backport of: commit 89b1fd64bd9da42d78502dc111554334cc5ca465 Author: Tim Graham Date: Sat Feb 24 11:30:11 2018 -0500 [1.8.x] Fixed CVE-2018-7536 -- Fixed catastrophic backtracking in urlize and urlizetrunc template filters. Thanks Florian Apolloner for assisting with the patch. Index: python-django-1.6.11/django/utils/html.py =================================================================== --- python-django-1.6.11.orig/django/utils/html.py 2018-03-05 15:34:05.647963050 +0100 +++ python-django-1.6.11/django/utils/html.py 2018-03-05 15:35:37.214234855 +0100 @@ -25,7 +25,6 @@ unencoded_ampersands_re = re.compile(r'& word_split_re = re.compile(r'(\s+)') simple_url_re = re.compile(r'^https?://\[?\w', re.IGNORECASE) simple_url_2_re = re.compile(r'^www\.|^(?!http)\w[^@]+\.(com|edu|gov|int|mil|net|org)$', re.IGNORECASE) -simple_email_re = re.compile(r'^\S+@\S+\.\S+$') link_target_attribute_re = re.compile(r'(]*?)target=[^\s>]+') html_gunk_re = re.compile(r'(?:
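Review bot: (CVE-2015-5143.patch) In the `cache.py` and `cached_db.py` hunks `exists()` now returns `session_key and ...`, so for a missing key it yields `None` (or `''`) rather than `False`; the new `test_session_load_does_not_create_record` uses `assertFalse` and passes, but wrap the expression in `bool()` to keep the boolean return type callers expect. The `save()` early return `if self.session_key is None: return self.create()` added in `db.py`, `file.py` and `cache.py` only terminates because `create()` assigns `_session_key` before it calls `save(must_create=True)`; that part of `create()` lies outside these hunks, so verify it for each backend. Dropping `self._session_cache = {}` from `create()` in `db.py` and `file.py` is exactly what `test_save_doesnt_clear_data` guards, so the two changes must land together.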
|<\/i>|<\/b>|<\/em>|<\/strong>|<\/?smallcaps>|<\/?uppercase>)', re.IGNORECASE) hard_coded_bullets_re = re.compile(r'((?:

(?:%s).*?[a-zA-Z].*?

\s*)+)' % '|'.join([re.escape(x) for x in DOTS]), re.DOTALL) @@ -233,6 +232,22 @@ def urlize(text, trim_url_limit=None, no if limit is None or len(x) <= limit: return x return '%s...' % x[:max(0, limit - 3)] + + def is_email_simple(value): + """Return True if value looks like an email address.""" + # An @ must be in the middle of the value. + if '@' not in value or value.startswith('@') or value.endswith('@'): + return False + try: + p1, p2 = value.split('@') + except ValueError: + # value contains more than one @. + return False + # Dot must be in p2 (e.g. example.com) + if '.' not in p2 or p2.startswith('.'): + return False + return True + safe_input = isinstance(text, SafeData) words = word_split_re.split(force_text(text)) for i, word in enumerate(words): @@ -261,7 +276,7 @@ def urlize(text, trim_url_limit=None, no url = smart_urlquote(middle) elif simple_url_2_re.match(middle): url = smart_urlquote('http://%s' % middle) - elif not ':' in middle and simple_email_re.match(middle): + elif not ':' in middle and is_email_simple(middle): local, domain = middle.rsplit('@', 1) try: domain = domain.encode('idna').decode('ascii') Index: python-django-1.6.11/tests/utils_tests/test_html.py =================================================================== --- python-django-1.6.11.orig/tests/utils_tests/test_html.py 2018-03-05 15:34:05.647963050 +0100 +++ python-django-1.6.11/tests/utils_tests/test_html.py 2018-03-05 15:36:02.525819671 +0100 
@@ -203,3 +203,11 @@ class TestUtilsHtml(TestCase): self.assertEqual(quote('http://example.com/path/öäü/'), 'http://example.com/path/%C3%B6%C3%A4%C3%BC/') self.assertEqual(quote('http://example.com/%C3%B6/ä/'), 'http://example.com/%C3%B6/%C3%A4/') self.assertEqual(quote('http://example.com/?x=1&y=2'), 'http://example.com/?x=1&y=2') + + def test_urlize_unchanged_inputs(self): + tests = ( + ('a' + '@a' * 50000) + 'a', # simple_email_re catastrophic test + ('a' + '.' * 1000000) + 'a', # trailing_punctuation catastrophic test + ) + for value in tests: + self.assertEqual(html.urlize(value), value) debian/patches/CVE-2019-3498.patch0000644000000000000000000000456313415171476013272 0ustar Backport of: From 1cd00fcf52d089ef0fe03beabd05d59df8ea052a Mon Sep 17 00:00:00 2001 From: Tom Hacohen Date: Fri, 4 Jan 2019 02:21:55 +0000 Subject: [PATCH] [1.11.x] Fixed #30070, CVE-2019-3498 -- Fixed content spoofing possiblity in the default 404 page. Co-Authored-By: Tim Graham Backport of 1ecc0a395be721e987e8e9fdfadde952b6dee1c7 from master. --- django/views/defaults.py | 8 +++++--- docs/releases/1.11.18.txt | 18 ++++++++++++++++++ docs/releases/index.txt | 1 + tests/handlers/tests.py | 12 ++++++++---- 4 files changed, 32 insertions(+), 7 deletions(-) create mode 100644 docs/releases/1.11.18.txt Index: python-django-1.6.11/django/views/defaults.py =================================================================== --- python-django-1.6.11.orig/django/views/defaults.py 2019-01-08 13:57:15.738954692 -0500 +++ python-django-1.6.11/django/views/defaults.py 2019-01-08 13:58:51.535297176 -0500 @@ -4,7 +4,7 @@ from django import http from django.template import (Context, RequestContext, loader, Template, TemplateDoesNotExist) from django.views.decorators.csrf import requires_csrf_token - +from django.utils.http import urlquote # This can be called when CsrfViewMiddleware.process_view has not run, # therefore need @requires_csrf_token in case the template needs 
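Review bot: (CVE-2018-7536.patch) The `html.py` hunk deletes the module-level `simple_email_re`; anything importing it from `django.utils.html` will break, so grep the tree and the other patches in this series before applying. The second input in `test_urlize_unchanged_inputs` (`('a' + '.' * 1000000) + 'a'`, commented as the trailing_punctuation case) is not exercised by any change in this backport, which only replaces the email regex, so confirm the 1.6.11 trailing-punctuation loop is linear, or that test will hang rather than fail. `is_email_simple()` is defined inside `urlize()` and is rebuilt on every call; hoisting it to module level would keep it where `simple_email_re` lived and make it testable on its own.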
@@ -17,7 +17,8 @@ def page_not_found(request, template_nam Templates: :template:`404.html` Context: request_path - The path of the requested URL (e.g., '/app/pages/bad_page/') + The path of the requested URL (e.g., '/app/pages/bad_page/'). It's + quoted to prevent a content injection attack. """ try: template = loader.get_template(template_name) @@ -25,9 +26,9 @@ def page_not_found(request, template_nam except TemplateDoesNotExist: template = Template( '

Not Found

' - '

The requested URL {{ request_path }} was not found on this server.

') + '

The requested resource was not found on this server.

') content_type = 'text/html' - body = template.render(RequestContext(request, {'request_path': request.path})) + body = template.render(RequestContext(request, {'request_path': urlquote(request.path)})) return http.HttpResponseNotFound(body, content_type=content_type) debian/patches/CVE-2016-7401.patch0000644000000000000000000001617713010653625013247 0ustar Backport of: commit 6118ab7d0676f0d622278e5be215f14fb5410b6a Author: Collin Anderson Date: Fri Mar 11 21:36:08 2016 -0500 [1.8.x] Fixed CVE-2016-7401 -- Fixed CSRF protection bypass on a site with Google Analytics. This is a security fix. Backport of "refs #26158 -- rewrote http.parse_cookie() to better match browsers." 93a135d111c2569d88d65a3f4ad9e6d9ad291452 from master Index: python-django-1.6.1/django/http/cookie.py =================================================================== --- python-django-1.6.1.orig/django/http/cookie.py 2016-09-26 07:32:26.955407131 -0400 +++ python-django-1.6.1/django/http/cookie.py 2016-09-26 07:32:26.951407087 -0400 
@@ -69,18 +69,21 @@ def parse_cookie(cookie): - if cookie == '': - return {} - if not isinstance(cookie, http_cookies.BaseCookie): - try: - c = SimpleCookie() - c.load(cookie) - except http_cookies.CookieError: - # Invalid cookie - return {} - else: - c = cookie + """ + Return a dictionary parsed from a `Cookie:` header string. + """ cookiedict = {} - for key in c.keys(): - cookiedict[key] = c.get(key).value + if six.PY2: + cookie = force_str(cookie) + for chunk in cookie.split(str(';')): + if str('=') in chunk: + key, val = chunk.split(str('='), 1) + else: + # Assume an empty name per + # https://bugzilla.mozilla.org/show_bug.cgi?id=169091 + key, val = str(''), chunk + key, val = key.strip(), val.strip() + if key or val: + # unquote using Python's algorithm. + cookiedict[key] = http_cookies._unquote(val) return cookiedict Index: python-django-1.6.1/tests/httpwrappers/tests.py =================================================================== --- python-django-1.6.1.orig/tests/httpwrappers/tests.py 2016-09-26 07:32:26.955407131 -0400 +++ python-django-1.6.1/tests/httpwrappers/tests.py 2016-09-26 07:34:58.633136271 -0400 @@ -15,7 +15,7 @@ SimpleCookie, BadHeaderError, parse_cookie) from django.test import TestCase -from django.utils.encoding import smart_str, force_text +from django.utils.encoding import force_str, force_text, smart_str from django.utils.functional import lazy from django.utils._os import upath from django.utils import six @@ -591,6 +591,8 @@ c2 = SimpleCookie() c2.load(c.output()) self.assertEqual(c['test'].value, c2['test'].value) + c3 = parse_cookie(c.output()[12:]) + self.assertEqual(c['test'].value, c3['test']) def test_decode_2(self): """ @@ -601,6 +603,8 @@ c2 = SimpleCookie() c2.load(c.output()) self.assertEqual(c['test'].value, c2['test'].value) + c3 = parse_cookie(c.output()[12:]) + self.assertEqual(c['test'].value, c3['test']) def test_nonstandard_keys(self): """ 
@@ -614,6 +618,52 @@ """ self.assertTrue('good_cookie' in parse_cookie('a:=b; a:=c; good_cookie=yes').keys()) + def test_python_cookies(self): + """ + Test cases copied from Python's Lib/test/test_http_cookies.py + """ + self.assertEqual(parse_cookie('chips=ahoy; vienna=finger'), {'chips': 'ahoy', 'vienna': 'finger'}) + # Here parse_cookie() differs from Python's cookie parsing in that it + # treats all semicolons as delimiters, even within quotes. + self.assertEqual( + parse_cookie('keebler="E=mc2; L=\\"Loves\\"; fudge=\\012;"'), + {'keebler': '"E=mc2', 'L': '\\"Loves\\"', 'fudge': '\\012', '': '"'} + ) + # Illegal cookies that have an '=' char in an unquoted value. + self.assertEqual(parse_cookie('keebler=E=mc2'), {'keebler': 'E=mc2'}) + # Cookies with ':' character in their name. + self.assertEqual(parse_cookie('key:term=value:term'), {'key:term': 'value:term'}) + # Cookies with '[' and ']'. + self.assertEqual(parse_cookie('a=b; c=[; d=r; f=h'), {'a': 'b', 'c': '[', 'd': 'r', 'f': 'h'}) + + def test_cookie_edgecases(self): + # Cookies that RFC6265 allows. + self.assertEqual(parse_cookie('a=b; Domain=example.com'), {'a': 'b', 'Domain': 'example.com'}) + # parse_cookie() has historically kept only the last cookie with the + # same name. + self.assertEqual(parse_cookie('a=b; h=i; a=c'), {'a': 'c', 'h': 'i'}) + + def test_invalid_cookies(self): + """ + Cookie strings that go against RFC6265 but browsers will send if set + via document.cookie. + """ + # Chunks without an equals sign appear as unnamed values per + # https://bugzilla.mozilla.org/show_bug.cgi?id=169091 + self.assertIn('django_language', parse_cookie('abc=def; unnamed; django_language=en').keys()) + # Even a double quote may be an unamed value. + self.assertEqual(parse_cookie('a=b; "; c=d'), {'a': 'b', '': '"', 'c': 'd'}) + # Spaces in names and values, and an equals sign in values. 
+ self.assertEqual(parse_cookie('a b c=d e = f; gh=i'), {'a b c': 'd e = f', 'gh': 'i'}) + # More characters the spec forbids. + self.assertEqual(parse_cookie('a b,c<>@:/[]?{}=d " =e,f g'), {'a b,c<>@:/[]?{}': 'd " =e,f g'}) + # Unicode characters. The spec only allows ASCII. + self.assertEqual(parse_cookie('saint=André Bessette'), {'saint': force_str('André Bessette')}) + # Browsers don't send extra whitespace or semicolons in Cookie headers, + # but parse_cookie() should parse whitespace the same way + # document.cookie parses whitespace. + self.assertEqual(parse_cookie(' = b ; ; = ; c = ; '), {'': 'b', 'c': ''}) + def test_httponly_after_load(self): """ Test that we can use httponly attribute on cookies that we load Index: python-django-1.6.1/tests/requests/tests.py =================================================================== --- python-django-1.6.1.orig/tests/requests/tests.py 2016-09-26 07:32:26.955407131 -0400 +++ python-django-1.6.1/tests/requests/tests.py 2016-09-26 07:35:18.065361974 -0400 @@ -10,7 +10,7 @@ from django.core import signals from django.core.exceptions import SuspiciousOperation from django.core.handlers.wsgi import WSGIRequest, LimitedStream -from django.http import HttpRequest, HttpResponse, parse_cookie, build_request_repr, UnreadablePostError +from django.http import HttpRequest, HttpResponse, build_request_repr, UnreadablePostError from django.test import SimpleTestCase, TransactionTestCase from django.test.client import FakePayload from django.test.utils import override_settings, str_prefix 
@@ -110,9 +110,6 @@ request = WSGIRequest({'PATH_INFO': wsgi_str("/سلام/"), 'REQUEST_METHOD': 'get', 'wsgi.input': BytesIO(b'')}) self.assertEqual(request.path, "/سلام/") - def test_parse_cookie(self): - self.assertEqual(parse_cookie('invalid@key=true'), {}) - def test_httprequest_location(self): request = HttpRequest() self.assertEqual(request.build_absolute_uri(location="https://www.example.com/asdf"), debian/patches/CVE-2015-596x.patch0000644000000000000000000002623513010654215013356 0ustar Backport of: commit 26bc57fa31071144c7adcb765b5dac7d0a3c25de Author: Tim Graham Date: Wed Aug 5 17:44:48 2015 -0400 [1.7.x] Fixed DoS possiblity in contrib.auth.views.logout() Refs #20936 -- When logging out/ending a session, don't create a new, empty session. Previously, when logging out, the existing session was overwritten by a new sessionid instead of deleting the session altogether. This behavior added overhead by creating a new session record in whichever backend was in use: db, cache, etc. This extra session is unnecessary at the time since no session data is meant to be preserved when explicitly logging out. Backport of 393c0e24223c701edeb8ce7dc9d0f852f0c081ad, 088579638b160f3716dc81d194be70c72743593f, and 2dee853ed4def42b7ef1b3b472b395055543cc00 from master Thanks Florian Apolloner and Carl Meyer for review. This is a security fix. Index: python-django-1.6.11/django/contrib/sessions/backends/base.py =================================================================== --- python-django-1.6.11.orig/django/contrib/sessions/backends/base.py 2016-10-10 22:38:13.325396930 -0400 +++ python-django-1.6.11/django/contrib/sessions/backends/base.py 2016-10-10 22:38:13.317396930 -0400 
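Review bot: (CVE-2016-7401.patch) The rewritten `parse_cookie()` references `six`, `force_str` and `http_cookies._unquote`, but the `cookie.py` hunk adds no import (only the tests hunk adds `force_str` to its own imports); verify `django/http/cookie.py` already imports `six`, `force_str` and `http_cookies`. `http_cookies._unquote` is a private stdlib function, so run the `test_python_cookies` cases on every Python version the package builds against. Deleting `test_parse_cookie` (`parse_cookie('invalid@key=true') == {}`) is the intended behaviour change, an unparseable name no longer discards the whole header, and `test_invalid_cookies` now covers that; the new docstring should also state the two deliberate deviations the test comments describe (last duplicate wins, semicolons split even inside quotes).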
@@ -140,6 +140,13 @@ self.accessed = True self.modified = True + def is_empty(self): + "Returns True when there is no session_key and the session is empty" + try: + return not bool(self._session_key) and not self._session_cache + except AttributeError: + return True + def _get_new_session_key(self): "Returns session key that isn't being used." while True: @@ -266,7 +273,7 @@ """ self.clear() self.delete() - self.create() + self._session_key = None def cycle_key(self): """ Index: python-django-1.6.11/django/contrib/sessions/backends/cached_db.py =================================================================== --- python-django-1.6.11.orig/django/contrib/sessions/backends/cached_db.py 2016-10-10 22:38:13.325396930 -0400 +++ python-django-1.6.11/django/contrib/sessions/backends/cached_db.py 2016-10-10 22:38:13.317396930 -0400 @@ -77,7 +77,7 @@ """ self.clear() self.delete(self.session_key) - self.create() + self._session_key = None # At bottom to avoid circular import Index: python-django-1.6.11/django/contrib/sessions/middleware.py =================================================================== --- python-django-1.6.11.orig/django/contrib/sessions/middleware.py 2016-10-10 22:38:13.325396930 -0400 +++ python-django-1.6.11/django/contrib/sessions/middleware.py 2016-10-10 22:38:13.317396930 -0400 
@@ -14,32 +14,40 @@ def process_response(self, request, response): """ If request.session was modified, or if the configuration is to save the - session every time, save the changes and set a session cookie. + session every time, save the changes and set a session cookie or delete + the session cookie if the session has been emptied. """ try: accessed = request.session.accessed modified = request.session.modified + empty = request.session.is_empty() except AttributeError: pass else: - if accessed: - patch_vary_headers(response, ('Cookie',)) - if modified or settings.SESSION_SAVE_EVERY_REQUEST: - if request.session.get_expire_at_browser_close(): - max_age = None - expires = None - else: - max_age = request.session.get_expiry_age() - expires_time = time.time() + max_age - expires = cookie_date(expires_time) - # Save the session data and refresh the client cookie. - # Skip session save for 500 responses, refs #3881. - if response.status_code != 500: - request.session.save() - response.set_cookie(settings.SESSION_COOKIE_NAME, - request.session.session_key, max_age=max_age, - expires=expires, domain=settings.SESSION_COOKIE_DOMAIN, - path=settings.SESSION_COOKIE_PATH, - secure=settings.SESSION_COOKIE_SECURE or None, - httponly=settings.SESSION_COOKIE_HTTPONLY or None) + # First check if we need to delete this cookie. + # The session should be deleted only if the session is entirely empty + if settings.SESSION_COOKIE_NAME in request.COOKIES and empty: + response.delete_cookie(settings.SESSION_COOKIE_NAME, + domain=settings.SESSION_COOKIE_DOMAIN) + else: + if accessed: + patch_vary_headers(response, ('Cookie',)) + if (modified or settings.SESSION_SAVE_EVERY_REQUEST) and not empty: + if request.session.get_expire_at_browser_close(): + max_age = None + expires = None + else: + max_age = request.session.get_expiry_age() + expires_time = time.time() + max_age + expires = cookie_date(expires_time) + # Save the session data and refresh the client cookie. 
+ # Skip session save for 500 responses, refs #3881. + if response.status_code != 500: + request.session.save() + response.set_cookie(settings.SESSION_COOKIE_NAME, + request.session.session_key, max_age=max_age, + expires=expires, domain=settings.SESSION_COOKIE_DOMAIN, + path=settings.SESSION_COOKIE_PATH, + secure=settings.SESSION_COOKIE_SECURE or None, + httponly=settings.SESSION_COOKIE_HTTPONLY or None) return response Index: python-django-1.6.11/django/contrib/sessions/tests.py =================================================================== --- python-django-1.6.11.orig/django/contrib/sessions/tests.py 2016-10-10 22:38:13.325396930 -0400 +++ python-django-1.6.11/django/contrib/sessions/tests.py 2016-10-10 22:38:13.317396930 -0400 @@ -157,6 +157,7 @@ self.session.flush() self.assertFalse(self.session.exists(prev_key)) self.assertNotEqual(self.session.session_key, prev_key) + self.assertIsNone(self.session.session_key) self.assertTrue(self.session.modified) self.assertTrue(self.session.accessed) 
@@ -586,6 +587,75 @@ # Check that the value wasn't saved above. self.assertNotIn('hello', request.session.load()) + def test_session_delete_on_end(self): + request = RequestFactory().get('/') + response = HttpResponse('Session test') + middleware = SessionMiddleware() + + # Before deleting, there has to be an existing cookie + request.COOKIES[settings.SESSION_COOKIE_NAME] = 'abc' + + # Simulate a request that ends the session + middleware.process_request(request) + request.session.flush() + + # Handle the response through the middleware + response = middleware.process_response(request, response) + + # Check that the cookie was deleted, not recreated. + # A deleted cookie header looks like: + # Set-Cookie: sessionid=; expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/ + self.assertEqual( + 'Set-Cookie: {0}=; expires=Thu, 01-Jan-1970 00:00:00 GMT; ' + 'Max-Age=0; Path=/'.format(settings.SESSION_COOKIE_NAME), + str(response.cookies[settings.SESSION_COOKIE_NAME]) + ) + + @override_settings(SESSION_COOKIE_DOMAIN='.example.local') + def test_session_delete_on_end_with_custom_domain(self): + request = RequestFactory().get('/') + response = HttpResponse('Session test') + middleware = SessionMiddleware() + + # Before deleting, there has to be an existing cookie + request.COOKIES[settings.SESSION_COOKIE_NAME] = 'abc' + + # Simulate a request that ends the session + middleware.process_request(request) + request.session.flush() + + # Handle the response through the middleware + response = middleware.process_response(request, response) + + # Check that the cookie was deleted, not recreated. 
+ # A deleted cookie header with a custom domain looks like: + # Set-Cookie: sessionid=; Domain=.example.local; + # expires=Thu, 01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/ + self.assertEqual( + 'Set-Cookie: {}=; Domain=.example.local; expires=Thu, ' + '01-Jan-1970 00:00:00 GMT; Max-Age=0; Path=/'.format( + settings.SESSION_COOKIE_NAME, + ), + str(response.cookies[settings.SESSION_COOKIE_NAME]) + ) + + def test_flush_empty_without_session_cookie_doesnt_set_cookie(self): + request = RequestFactory().get('/') + response = HttpResponse('Session test') + middleware = SessionMiddleware() + + # Simulate a request that ends the session + middleware.process_request(request) + request.session.flush() + + # Handle the response through the middleware + response = middleware.process_response(request, response) + + # A cookie should not be set. + self.assertEqual(response.cookies, {}) + # The session is accessed so "Vary: Cookie" should be set. + self.assertEqual(response['Vary'], 'Cookie') + class CookieSessionTests(SessionTestsMixin, TestCase): Index: python-django-1.6.11/docs/topics/http/sessions.txt =================================================================== --- python-django-1.6.11.orig/docs/topics/http/sessions.txt 2016-10-10 22:38:13.325396930 -0400 +++ python-django-1.6.11/docs/topics/http/sessions.txt 2016-10-10 22:38:13.321396930 -0400 
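Review bot: the two deletion tests compare the whole `str(response.cookies[...])` output, including attribute order (`Domain` before `expires`, `Max-Age` before `Path`), which is the serialisation order of Python's cookie `Morsel` rather than anything Django controls; a Python release that reorders attributes or changes the `expires` date format fails these tests without any regression in the middleware. Asserting on the individual attributes (an empty value, a zero `max-age`, the 1970 `expires`) is more robust. Only a custom `SESSION_COOKIE_DOMAIN` is exercised; a matching case with a non-default `SESSION_COOKIE_PATH` would cover the other attribute that has to match for a browser to actually discard the cookie. `test_flush_empty_without_session_cookie_doesnt_set_cookie` is the right negative case and the `Vary: Cookie` assertion documents that the session was still accessed.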
@@ -225,12 +225,18 @@ .. method:: flush() - Delete the current session data from the session and regenerate the - session key value that is sent back to the user in the cookie. This is - used if you want to ensure that the previous session data can't be - accessed again from the user's browser (for example, the + Deletes the current session data from the session and deletes the session + cookie. This is used if you want to ensure that the previous session data + can't be accessed again from the user's browser (for example, the :func:`django.contrib.auth.logout()` function calls it). + .. versionchanged:: 1.7.10 (1.6.11 + CVE-2015-596x.patch) + + Deletion of the session cookie was added. Previously, the behavior + was to regenerate the session key value that was sent back to the + user in the cookie, but this could be a denial-of-service + vulnerability. + .. method:: set_test_cookie() Sets a test cookie to determine whether the user's browser supports debian/patches/CVE-2017-7234.patch0000644000000000000000000000435113066716224013251 0ustar Backport of: commit c430f192ee13ae23c5123e77c989826d08ebec4f Author: Tim Graham Date: Tue Mar 14 12:33:15 2017 -0400 [1.8.x] Fixed CVE-2017-7234 -- Fixed open redirect vulnerability in views.static.serve(). This is a security fix. Index: python-django-1.6.11/django/views/static.py =================================================================== --- python-django-1.6.11.orig/django/views/static.py 2017-03-29 07:37:13.017962523 -0400 +++ python-django-1.6.11/django/views/static.py 2017-03-29 07:37:39.706275017 -0400 
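Review bot: the `.. versionchanged:: 1.7.10 (1.6.11 + CVE-2015-596x.patch)` directive renders that parenthetical verbatim in the built documentation, and `596x` is a placeholder rather than an assigned identifier; either cite the exact CVE id the backport addresses or drop the parenthetical and keep a plain `1.7.10` (the upstream version in which the behaviour changed). The replacement prose is accurate: `flush()` now deletes the cookie instead of issuing a new key, which is what the middleware and test hunks implement.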
@@ -11,8 +11,9 @@ import re from django.http import (CompatibleStreamingHttpResponse, Http404, - HttpResponse, HttpResponseRedirect, HttpResponseNotModified) + HttpResponse, HttpResponseNotModified) from django.template import loader, Template, Context, TemplateDoesNotExist +from django.utils._os import safe_join from django.utils.http import http_date, parse_http_date from django.utils.six.moves.urllib.parse import unquote from django.utils.translation import ugettext as _, ugettext_noop 
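Review bot: dropping `HttpResponseRedirect` from the import is consistent with the removal of the redirect branch in `serve()` below, so no unused import remains; `safe_join` comes from `django.utils._os`, an underscore-private module, which is acceptable inside Django itself but deserves a short comment for downstream readers of the backport explaining that it is the helper used elsewhere to keep joined paths under a base directory.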
@@ -34,25 +35,11 @@ but if you'd like to override it, you can create a template called ``static/directory_index.html``. """ - path = posixpath.normpath(unquote(path)) - path = path.lstrip('/') - newpath = '' - for part in path.split('/'): - if not part: - # Strip empty path components. - continue - drive, part = os.path.splitdrive(part) - head, part = os.path.split(part) - if part in (os.curdir, os.pardir): - # Strip '.' and '..' in path. - continue - newpath = os.path.join(newpath, part).replace('\\', '/') - if newpath and path != newpath: - return HttpResponseRedirect(newpath) - fullpath = os.path.join(document_root, newpath) + path = posixpath.normpath(unquote(path)).lstrip('/') + fullpath = safe_join(document_root, path) if os.path.isdir(fullpath): if show_indexes: - return directory_index(newpath, fullpath) + return directory_index(path, fullpath) raise Http404(_("Directory indexes are not allowed here.")) if not os.path.exists(fullpath): raise Http404(_('"%(path)s" does not exist') % {'path': fullpath}) debian/patches/CVE-2016-9014.patch0000644000000000000000000000725613010654260013243 0ustar Backport of: commit c401ae9a7dfb1a94a8a61927ed541d6f93089587 Author: Tim Graham Date: Mon Oct 17 12:14:49 2016 -0400 [1.8.x] Fixed CVE-2016-9014 -- Validated Host header when DEBUG=True. This is a security fix. Index: python-django-1.6.11/django/http/request.py =================================================================== --- python-django-1.6.11.orig/django/http/request.py 2016-11-09 12:11:06.348450845 -0500 +++ python-django-1.6.11/django/http/request.py 2016-11-09 12:11:06.340450845 -0500 
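Review bot: `safe_join(document_root, path)` raises when the joined path resolves outside `document_root`, and nothing in this hunk catches that, so a path with a leading `..` component (which survives `posixpath.normpath()` and `lstrip('/')`) surfaces as an unhandled exception rather than the `Http404` the surrounding code uses for missing files. Confirm what the request handler turns that exception into in this version (a generic 500 versus a 400 for a `SuspiciousOperation`), and consider catching it and raising `Http404` so a traversal attempt does not become a server error with a traceback in the error reports. The removed loop also normalised backslashes and drive prefixes; on POSIX those now pass through to `safe_join` unchanged, which is fine because `abspath` does not treat `\\` as a separator there, but a regression test with a backslash in the path would document that the behaviour is deliberate.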
@@ -64,7 +64,11 @@ if server_port != ('443' if self.is_secure() else '80'): host = '%s:%s' % (host, server_port) - allowed_hosts = ['*'] if settings.DEBUG else settings.ALLOWED_HOSTS + # Allow variants of localhost if ALLOWED_HOSTS is empty and DEBUG=True. + allowed_hosts = settings.ALLOWED_HOSTS + if settings.DEBUG and not allowed_hosts: + allowed_hosts = ['localhost', '127.0.0.1', '[::1]'] + domain, port = split_domain_port(host) if domain and validate_host(domain, allowed_hosts): return host Index: python-django-1.6.11/docs/ref/settings.txt =================================================================== --- python-django-1.6.11.orig/docs/ref/settings.txt 2016-11-09 12:11:06.348450845 -0500 +++ python-django-1.6.11/docs/ref/settings.txt 2016-11-09 12:11:06.340450845 -0500 @@ -99,14 +99,18 @@ list, the :meth:`django.http.HttpRequest.get_host()` method will raise :exc:`~django.core.exceptions.SuspiciousOperation`. -When :setting:`DEBUG` is ``True`` or when running tests, host validation is -disabled; any host will be accepted. Thus it's usually only necessary to set it -in production. +When :setting:`DEBUG` is ``True`` and ``ALLOWED_HOSTS`` is empty, the host +is validated against ``['localhost', '127.0.0.1', '[::1]']``. This validation only applies via :meth:`~django.http.HttpRequest.get_host()`; if your code accesses the ``Host`` header directly from ``request.META`` you are bypassing this security protection. +.. versionchanged:: 1.8.16 + + In older versions, ``ALLOWED_HOSTS`` wasn't checked if ``DEBUG=True``, but + it's now checked to prevent a DNS rebinding attack. + .. setting:: ALLOWED_INCLUDE_ROOTS ALLOWED_INCLUDE_ROOTS Index: python-django-1.6.11/tests/requests/tests.py =================================================================== --- python-django-1.6.11.orig/tests/requests/tests.py 2016-11-09 12:11:06.348450845 -0500 +++ python-django-1.6.11/tests/requests/tests.py 2016-11-09 12:11:06.340450845 -0500 
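Review bot: the fallback list `['localhost', '127.0.0.1', '[::1]']` is applied only when `ALLOWED_HOSTS` is empty, so a developer who sets `ALLOWED_HOSTS` while `DEBUG=True` gets exactly that list, the same as in production; that is the right direction, but the comment only states the first half ('if ALLOWED_HOSTS is empty and DEBUG=True') and should add that a non-empty `ALLOWED_HOSTS` is honoured as-is. The bracketed `[::1]` form matches what `split_domain_port()` produces for an IPv6 literal, so the list is consistent with the check that follows.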
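Review bot: in the settings.txt hunk the `.. versionchanged:: 1.8.16` marker is carried over from the upstream 1.8 commit and will appear in a 1.6.11 tree as a version that never existed for this package; also, the removed sentence claimed validation was disabled 'or when running tests', and this patch does not touch the test-environment setup, so confirm that claim independently rather than dropping it from the docs by implication.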
@@ -276,14 +276,22 @@ @override_settings(DEBUG=True, ALLOWED_HOSTS=[]) - def test_host_validation_disabled_in_debug_mode(self): - """If ALLOWED_HOSTS is empty and DEBUG is True, all hosts pass.""" - request = HttpRequest() - request.META = { - 'HTTP_HOST': 'example.com', - } - self.assertEqual(request.get_host(), 'example.com') + def test_host_validation_in_debug_mode(self): + """ + If ALLOWED_HOSTS is empty and DEBUG is True, variants of localhost are + allowed. + """ + valid_hosts = ['localhost', '127.0.0.1', '[::1]'] + for host in valid_hosts: + request = HttpRequest() + request.META = {'HTTP_HOST': host} + self.assertEqual(request.get_host(), host) + # Other hostnames raise a SuspiciousOperation. + with self.assertRaises(SuspiciousOperation): + request = HttpRequest() + request.META = {'HTTP_HOST': 'example.com'} + request.get_host() @override_settings(ALLOWED_HOSTS=[]) def test_get_host_suggestion_of_allowed_host(self): debian/patches/99_fix_multipart_base64_decoding_large_files.patch0000644000000000000000000000720013010653625022402 0ustar Description: Fix multiple base64 file decoding of large files This insures the actual base64 content has a length a multiple of 4. Also added a test case for the failure. Forwarded: not-needed Origin: upstream, https://code.djangoproject.com/ticket/23397 Bug-Ubuntu: https://bugs.launchpad.net/maas/+bug/1363348 Author: Jason Hobbs Index: python-django-1.6.1/django/http/multipartparser.py =================================================================== --- python-django-1.6.1.orig/django/http/multipartparser.py 2014-09-18 17:48:27.072118377 -0500 +++ python-django-1.6.1/django/http/multipartparser.py 2014-09-18 17:48:27.068118377 -0500 
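Review bot: the new test covers the bare localhost variants and one rejected host, but not the two cases that matter most for the development server: a host carrying a port (`localhost:8000`), which exercises `split_domain_port()` in the code hunk, and `DEBUG=True` with a non-empty `ALLOWED_HOSTS`, which must ignore the localhost fallback; both are one-line additions to the loop. Constructing the `HttpRequest` inside the `assertRaises` block works, but moving the construction above it keeps the context manager around the single call under test.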
@@ -201,14 +201,19 @@ for chunk in field_stream: if transfer_encoding == 'base64': # We only special-case base64 transfer encoding - # We should always read base64 streams by multiple of 4 - over_bytes = len(chunk) % 4 - if over_bytes: - over_chunk = field_stream.read(4 - over_bytes) - chunk += over_chunk + # We should always decode base64 chunks by multiple of 4, + # ignoring whitespace. + + stripped_chunk = b"".join(chunk.split()) + + remaining = len(stripped_chunk) % 4 + while remaining != 0: + over_chunk = field_stream.read(4 - remaining) + stripped_chunk += b"".join(over_chunk.split()) + remaining = len(stripped_chunk) % 4 try: - chunk = base64.b64decode(chunk) + chunk = base64.b64decode(stripped_chunk) except Exception as e: # Since this is only a chunk, any error is an unfixable error. msg = "Could not decode base64 data: %r" % e Index: python-django-1.6.1/tests/file_uploads/tests.py =================================================================== --- python-django-1.6.1.orig/tests/file_uploads/tests.py 2014-09-18 17:48:27.072118377 -0500 +++ python-django-1.6.1/tests/file_uploads/tests.py 2014-09-18 17:48:27.068118377 -0500 @@ -74,14 +74,14 @@ self.assertEqual(response.status_code, 200) - def _test_base64_upload(self, content): + def _test_base64_upload(self, content, encode=base64.b64encode): payload = client.FakePayload("\r\n".join([ '--' + client.BOUNDARY, 'Content-Disposition: form-data; name="file"; filename="test.txt"', 'Content-Type: application/octet-stream', 'Content-Transfer-Encoding: base64', '',])) - payload.write(b"\r\n" + base64.b64encode(force_bytes(content)) + b"\r\n") + payload.write(b"\r\n" + encode(force_bytes(content)) + b"\r\n") payload.write('--' + client.BOUNDARY + '--\r\n') r = { 'CONTENT_LENGTH': len(payload), 
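Review bot: the `while remaining != 0:` loop has no exit when `field_stream.read(4 - remaining)` returns `b''` at end of stream: `stripped_chunk` stops growing, `remaining` stays non-zero, and the request handler spins forever on a truncated or mis-padded base64 body, turning a malformed upload into a CPU hang. Break out of the loop when `over_chunk` is empty and let `base64.b64decode()` raise on the leftover bytes; the existing `except Exception` below already converts that into the 'Could not decode base64 data' error. The whitespace stripping itself (`b"".join(chunk.split())`) is the right fix for encoders that insert a newline every 76 characters.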
@@ -101,6 +101,10 @@ def test_big_base64_upload(self): self._test_base64_upload("Big data" * 68000) # > 512Kb + def test_big_base64_newlines_upload(self): + self._test_base64_upload( + "Big data" * 68000, encode=base64.encodestring) + def test_unicode_file_name(self): tdir = sys_tempfile.mkdtemp() self.addCleanup(shutil.rmtree, tdir, True) debian/patches/02_disable-sources-in-sphinxdoc.diff0000644000000000000000000000160613010653702017435 0ustar Description: Disable creation of _sources directory by Sphinx We do this to save some space as the sources of the documentation are not really useful in a binary package. . This is a Debian specific patch. Forwarded: not-needed Author: Raphaël Hertzog Origin: vendor Index: python-django-1.6.11/docs/conf.py =================================================================== --- python-django-1.6.11.orig/docs/conf.py 2016-11-09 12:06:52.320439986 -0500 +++ python-django-1.6.11/docs/conf.py 2016-11-09 12:06:52.316439985 -0500 @@ -190,7 +190,10 @@ #html_split_index = False # If true, links to the reST sources are added to the pages. -#html_show_sourcelink = True +html_show_sourcelink = False + +# Do not ship a copy of the sources +html_copy_source = False # If true, "Created using Sphinx" is shown in the HTML footer. Default is True. #html_show_sphinx = True debian/patches/CVE-2018-7537.patch0000644000000000000000000000326013247253311013250 0ustar Backport of: commit edc4f7a1c38f56527d26204df9d06cad2d9d5a34 Author: Tim Graham Date: Sat Feb 24 16:22:43 2018 -0500 [1.8.x] Fixed CVE-2018-7537 -- Fixed catastrophic backtracking in django.utils.text.Truncator. Thanks James Davis for suggesting the fix. Index: python-django-1.6.11/django/utils/text.py =================================================================== --- python-django-1.6.11.orig/django/utils/text.py 2018-03-05 15:36:57.197004857 +0100 +++ python-django-1.6.11/django/utils/text.py 2018-03-05 15:37:30.764556415 +0100 
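Review bot: `base64.encodestring` is the deprecated alias (removed in Python 3.9); prefer `base64.encodebytes` with an `encodestring` fallback on Python 2 so the test keeps running on newer interpreters. A short comment that `encodestring` inserts a newline every 76 characters, the exact input the multipartparser change handles, would tie the test to the fix it guards.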
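Review bot: in the conf.py hunk, `html_copy_source = False` and `html_show_sourcelink = False` need to be set together, as done here; disabling only the copy would leave 'View page source' links pointing at files that are not shipped. No further change needed.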
@@ -23,7 +23,7 @@ capfirst = allow_lazy(capfirst, six.text # Set up regular expressions re_words = re.compile(r'&.*?;|<.*?>|(\w[\w-]*)', re.U|re.S) -re_tag = re.compile(r'<(/)?([^ ]+?)(?:(\s*/)| .*?)?>', re.S) +re_tag = re.compile(r'<(/)?(\S+?)(?:(\s*/)|\s.*?)?>', re.S) def wrap(text, width): Index: python-django-1.6.11/tests/utils_tests/test_text.py =================================================================== --- python-django-1.6.11.orig/tests/utils_tests/test_text.py 2018-03-05 15:36:57.197004857 +0100 +++ python-django-1.6.11/tests/utils_tests/test_text.py 2018-03-05 15:36:57.197004857 +0100 @@ -82,6 +82,10 @@ class TestUtilsText(SimpleTestCase): self.assertEqual('
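Review bot: replacing `[^ ]+?` with `\S+?` and ` .*?` with `\s.*?` removes the overlap between the tag-name group (which previously also matched tabs and newlines) and the `\s*` in the optional group, which is what let the engine try every split of a long whitespace run before failing; a comment above `re_tag` recording that, and naming the CVE, will stop a future cleanup from 'simplifying' it back. `re_words` on the preceding context line keeps `<.*?>` and `&.*?;`, which have no overlapping alternatives and are not affected.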
The
quick brown...', truncator.words(3, '...', html=True )) + re_tag_catastrophic_test = ('' + truncator = text.Truncator(re_tag_catastrophic_test) + self.assertEqual(re_tag_catastrophic_test, truncator.words(500, html=True)) + def test_wrap(self): digits = '1234 67 9' self.assertEqual(text.wrap(digits, 100), '1234 67 9') debian/patches/CVE-2017-7233.patch0000644000000000000000000001230613066716130013243 0ustar Backport of: commit 01a6246a8c15f623771e0caa9f941fe4461f19d3 Author: Tim Graham Date: Tue Mar 14 10:46:53 2017 -0400 [1.8.x] Fixed #27912, CVE-2017-7233 -- Fixed is_safe_url() with numeric URLs. This is a security fix. Index: python-django-1.6.11/django/utils/http.py =================================================================== --- python-django-1.6.11.orig/django/utils/http.py 2017-03-29 07:34:41.852192521 -0400 +++ python-django-1.6.11/django/utils/http.py 2017-03-29 07:35:58.449089395 -0400 @@ -17,6 +17,18 @@ quote, quote_plus, unquote, unquote_plus, urlparse, urlencode as original_urlencode) +if six.PY2: + from urlparse import ( + ParseResult, SplitResult, _splitnetloc, _splitparams, scheme_chars, + uses_params, + ) + _coerce_args = None +else: + from urllib.parse import ( + ParseResult, SplitResult, _coerce_args, _splitnetloc, _splitparams, + scheme_chars, uses_params, + ) + ETAG_MATCH = re.compile(r'(?:W/)?"((?:\\.|[^"])*)"') MONTHS = 'jan feb mar apr may jun jul aug sep oct nov dec'.split() 
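Review bot: the constructed input for `re_tag_catastrophic_test` has been lost from this listing (only `('' +` survives), so the test data cannot be reviewed as shown; the assertion that `truncator.words(500, html=True)` returns the input unchanged is the right shape, but a regression here shows up as a hang of the test suite rather than a failure, so a comment stating that the call is expected to return instantly (and what the input length is) would make the intent visible to whoever sees the suite stall.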
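Review bot: in the http.py imports hunk, `_splitnetloc`, `_splitparams`, `_coerce_args` and `scheme_chars` are private names of `urlparse`/`urllib.parse` and can move or change signature between CPython releases; since the `_coerce_args = None` sentinel already distinguishes Python 2 from 3, a comment naming the CPython versions the copied functions were taken from, and the upstream fix (https://github.com/python/cpython/pull/661, cited in the next hunk), will tell maintainers when the local copies can be removed.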
@@ -267,13 +279,64 @@ # basic auth credentials so we need to check both URLs. return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host) +# Copied from urllib.parse.urlparse() but uses fixed urlsplit() function. +def _urlparse(url, scheme='', allow_fragments=True): + """Parse a URL into 6 components: + :///;?# + Return a 6-tuple: (scheme, netloc, path, params, query, fragment). + Note that we don't break the components up in smaller bits + (e.g. netloc is a single string) and we don't expand % escapes.""" + if _coerce_args: + url, scheme, _coerce_result = _coerce_args(url, scheme) + splitresult = _urlsplit(url, scheme, allow_fragments) + scheme, netloc, url, query, fragment = splitresult + if scheme in uses_params and ';' in url: + url, params = _splitparams(url) + else: + params = '' + result = ParseResult(scheme, netloc, url, params, query, fragment) + return _coerce_result(result) if _coerce_args else result + + +# Copied from urllib.parse.urlsplit() with +# https://github.com/python/cpython/pull/661 applied. +def _urlsplit(url, scheme='', allow_fragments=True): + """Parse a URL into 5 components: + :///?# + Return a 5-tuple: (scheme, netloc, path, query, fragment). + Note that we don't break the components up in smaller bits + (e.g. netloc is a single string) and we don't expand % escapes.""" + if _coerce_args: + url, scheme, _coerce_result = _coerce_args(url, scheme) + allow_fragments = bool(allow_fragments) + netloc = query = fragment = '' + i = url.find(':') + if i > 0: + for c in url[:i]: + if c not in scheme_chars: + break + else: + scheme, url = url[:i].lower(), url[i + 1:] + + if url[:2] == '//': + netloc, url = _splitnetloc(url, 2) + if (('[' in netloc and ']' not in netloc) or + (']' in netloc and '[' not in netloc)): + raise ValueError("Invalid IPv6 URL") + if allow_fragments and '#' in url: + url, fragment = url.split('#', 1) + if '?' 
in url: + url, query = url.split('?', 1) + v = SplitResult(scheme, netloc, url, query, fragment) + return _coerce_result(v) if _coerce_args else v + def _is_safe_url(url, host): # Chrome considers any URL with more than two slashes to be absolute, but # urlaprse is not so flexible. Treat any url with three slashes as unsafe. if url.startswith('///'): return False - url_info = urlparse(url) + url_info = _urlparse(url) # Forbid URLs like http:///example.com - with a scheme, but without a hostname. # In that URL, example.com is not the hostname but, a path component. However, # Chrome will still consider example.com to be the hostname, so we must not Index: python-django-1.6.11/tests/utils_tests/test_http.py =================================================================== --- python-django-1.6.11.orig/tests/utils_tests/test_http.py 2017-03-29 07:34:41.852192521 -0400 +++ python-django-1.6.11/tests/utils_tests/test_http.py 2017-03-29 07:34:41.824192193 -0400 @@ -121,6 +121,8 @@ r'http://testserver\me:pass@example.com', r'http://testserver\@example.com', r'http:\\testserver\confirm\me@example.com', + 'http:999999999', + 'ftp:9999999999', '\n'): self.assertFalse(http.is_safe_url(bad_url, host='testserver'), "%s should be blocked" % bad_url) for good_url in ('/view/?param=http://example.com', @@ -131,7 +133,8 @@ 'HTTPS://testserver/', '//testserver/', 'http://testserver/confirm?email=me@example.com', - '/url%20with%20spaces/'): + '/url%20with%20spaces/', + 'path/http:2222222222'): self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url) if six.PY2: debian/patches/03_manpage.diff0000644000000000000000000000136213010653625013364 0ustar Description: Update manual page to refer to django-admin instead of django-admin.py Update the manual page to speak of django-admin instead of django-admin.py as that's the name used by the Debian package. . This is a Debian specific patch. Forwarded: not-needed Author: Brett Parker Origin: vendor 
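Review bot: `_urlsplit()` now treats everything before the first `:` as a scheme whenever every character is in `scheme_chars`, so `http:999999999` parses as scheme `http` with an empty netloc and the 'scheme without a hostname' check in `_is_safe_url()` rejects it, which is what the new negative tests expect. `_coerce_result` is bound only inside `if _coerce_args:` and read only under the same condition, which is correct but trips linters; a `_coerce_result = None` default beside the import block keeps both branches explicit. Because these are private copies exercised only through `is_safe_url()`, a direct test of `_urlsplit('http:999999999')` asserting the `(scheme, netloc, path)` triple would catch a future divergence from the stdlib. The `path/http:2222222222` positive case is a good guard, since the colon there is not at a scheme position.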
--- a/docs/man/django-admin.1 +++ b/docs/man/django-admin.1 @@ -1,8 +1,8 @@ -.TH "django-admin.py" "1" "March 2008" "Django Project" "" +.TH "django-admin" "1" "March 2008" "Django Project" "" .SH "NAME" -django\-admin.py \- Utility script for the Django Web framework +django\-admin \- Utility script for the Django Web framework .SH "SYNOPSIS" -.B django\-admin.py +.B django\-admin .I .B [options] .sp debian/patches/CVE-2016-2512.patch0000644000000000000000000000614013010653625013232 0ustar Backport of: commit 5989b0cfaf2874eef58f062f2526710615553ba8 Author: Mark Striemer Date: Mon Feb 22 16:55:51 2016 -0500 [1.8.x] Fixed CVE-2016-2512 -- Prevented spoofing is_safe_url() with basic auth. This is a security fix. Index: python-django-1.6.1/django/utils/http.py =================================================================== --- python-django-1.6.1.orig/django/utils/http.py 2016-02-25 14:38:50.794629049 -0500 +++ python-django-1.6.1/django/utils/http.py 2016-02-25 14:38:50.786628974 -0500 @@ -258,8 +258,12 @@ url = url.strip() if not url: return False - # Chrome treats \ completely as / - url = url.replace('\\', '/') + # Chrome treats \ completely as / in paths but it could be part of some + # basic auth credentials so we need to check both URLs. + return _is_safe_url(url, host) and _is_safe_url(url.replace('\\', '/'), host) + + +def _is_safe_url(url, host): # Chrome considers any URL with more than two slashes to be absolute, but # urlaprse is not so flexible. Treat any url with three slashes as unsafe. if url.startswith('///'): Index: python-django-1.6.1/tests/utils_tests/test_http.py =================================================================== --- python-django-1.6.1.orig/tests/utils_tests/test_http.py 2016-02-25 14:38:50.794629049 -0500 +++ python-django-1.6.1/tests/utils_tests/test_http.py 2016-02-25 14:38:50.790629012 -0500 
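Review bot: requiring both `_is_safe_url(url, host)` and `_is_safe_url(url.replace('\\', '/'), host)` to pass is the conservative choice, since the caller cannot know whether a browser will read the backslash as a path separator or as part of the userinfo; the comment should also say that the tests below include inputs where only one of the two parses sees a foreign host, which is why neither call alone is sufficient. The context comment `urlaprse is not so flexible` has a typo (`urlparse`) that a follow-up could fix.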
@@ -1,4 +1,7 @@ +from __future__ import unicode_literals + from datetime import datetime + import sys from django.http import HttpResponse, utils @@ -112,6 +115,11 @@ 'javascript:alert("XSS")', '\njavascript:alert(x)', '\x08//example.com', + r'http://otherserver\@example.com', + r'http:\\testserver\@example.com', + r'http://testserver\me:pass@example.com', + r'http://testserver\@example.com', + r'http:\\testserver\confirm\me@example.com', '\n'): self.assertFalse(http.is_safe_url(bad_url, host='testserver'), "%s should be blocked" % bad_url) for good_url in ('/view/?param=http://example.com', @@ -121,8 +129,15 @@ 'https://testserver/', 'HTTPS://testserver/', '//testserver/', + 'http://testserver/confirm?email=me@example.com', '/url%20with%20spaces/'): self.assertTrue(http.is_safe_url(good_url, host='testserver'), "%s should be allowed" % good_url) + # Valid basic auth credentials are allowed. + self.assertTrue(http.is_safe_url(r'http://user:pass@testserver/', host='user:pass@testserver')) + # A path without host is allowed. + self.assertTrue(http.is_safe_url('/confirm/me@example.com')) + # Basic auth without host is not allowed. + self.assertFalse(http.is_safe_url(r'http://testserver\@example.com')) class ETagProcessingTests(unittest.TestCase): def testParsing(self): debian/patches/CVE-2016-9013.patch0000644000000000000000000000436013010654246013237 0ustar Backport of: commit 70f99952965a430daf69eeb9947079aae535d2d0 Author: Marti Raudsepp Date: Mon Oct 24 15:22:00 2016 -0400 [1.8.x] Fixed CVE-2016-9013 -- Generated a random database user password when running tests on Oracle. This is a security fix. Index: python-django-1.6.11/django/db/backends/oracle/creation.py =================================================================== --- python-django-1.6.11.orig/django/db/backends/oracle/creation.py 2016-11-09 12:10:59.220450540 -0500 +++ python-django-1.6.11/django/db/backends/oracle/creation.py 2016-11-09 12:10:59.216450540 -0500 
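Review bot: the `r'http://user:pass@testserver/'` case passes `host='user:pass@testserver'`, which encodes the credentials into the host argument that views normally take from `request.get_host()`; that documents the parser's behaviour but does not reflect a real request, where `get_host()` never contains userinfo. A case with `host='testserver'` asserting the expected outcome for a URL carrying basic-auth credentials would pin down what callers actually see. Adding `from __future__ import unicode_literals` turns every existing literal in the module into text on Python 2, presumably so the backslash cases are exercised identically on both interpreters; a one-line comment saying so avoids the question in future reviews.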
@@ -4,9 +4,9 @@ from django.conf import settings from django.db.backends.creation import BaseDatabaseCreation from django.utils.six.moves import input +from django.utils.crypto import get_random_string TEST_DATABASE_PREFIX = 'test_' -PASSWORD = 'Im_a_lumberjack' class DatabaseCreation(BaseDatabaseCreation): # This dictionary maps Field objects to their associated Oracle column @@ -232,12 +232,15 @@ return name def _test_database_passwd(self): - name = PASSWORD + name = None try: if self.connection.settings_dict['TEST_PASSWD']: name = self.connection.settings_dict['TEST_PASSWD'] except KeyError: pass + if name is None and self._test_user_create(): + # Oracle passwords are limited to 30 chars and can't contain symbols. + name = get_random_string(length=30) return name def _test_database_tblspace(self): Index: python-django-1.6.11/docs/ref/settings.txt =================================================================== --- python-django-1.6.11.orig/docs/ref/settings.txt 2016-11-09 12:10:59.220450540 -0500 +++ python-django-1.6.11/docs/ref/settings.txt 2016-11-09 12:10:59.216450540 -0500 @@ -702,7 +702,11 @@ This is an Oracle-specific setting. The password to use when connecting to the Oracle database that will be used -when running tests. If not provided, Django will use a hardcoded default value. +when running tests. If not provided, Django will generate a random password. + +.. versionchanged:: 1.8.16 + + Older versions used a hardcoded default password. .. setting:: TEST_TBLSPACE debian/patches/file-encoding.diff0000644000000000000000000000071013010654071014145 0ustar Index: python-django-1.6.11/tests/utils_tests/test_jslex.py =================================================================== --- python-django-1.6.11.orig/tests/utils_tests/test_jslex.py 2016-10-10 22:01:39.985352894 -0400 +++ python-django-1.6.11/tests/utils_tests/test_jslex.py 2016-10-10 22:03:01.349354527 -0400 
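Review bot: when `TEST_PASSWD` is unset and `_test_user_create()` is false, `_test_database_passwd()` now returns `None` where it previously returned the hardcoded string; confirm that the callers which connect as a pre-existing test user tolerate `None` (or raise a clear configuration error) rather than passing it to the driver. `get_random_string(length=30)` draws from letters and digits by default, which matches the comment about Oracle's 30-character, no-symbol limit; stating the alphabet in the comment makes that dependency visible if the default `allowed_chars` ever changes.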
@@ -1,4 +1,4 @@ -# encoding: utf-8 +# -*- coding: utf-8 -*- """Tests for jslex.""" # originally from https://bitbucket.org/ned/jslex debian/patches/CVE-2016-2513.patch0000644000000000000000000002714213010653625013240 0ustar Backport of: commit 26a7b7b87fac285e2e921dfe8a219d594c82b899 Author: Florian Apolloner Date: Sat Feb 13 21:09:46 2016 +0100 [1.8.x] Fixed CVE-2016-2513 -- Fixed user enumeration timing attack during login. This is a security fix. Index: python-django-1.6.1/django/contrib/auth/hashers.py =================================================================== --- python-django-1.6.1.orig/django/contrib/auth/hashers.py 2016-02-26 07:46:44.900239803 -0500 +++ python-django-1.6.1/django/contrib/auth/hashers.py 2016-02-26 07:46:44.896239771 -0500 @@ -3,6 +3,7 @@ import base64 import binascii import hashlib +import warnings from django.dispatch import receiver from django.conf import settings @@ -55,10 +56,17 @@ preferred = get_hasher(preferred) hasher = identify_hasher(encoded) - must_update = hasher.algorithm != preferred.algorithm - if not must_update: - must_update = preferred.must_update(encoded) + hasher_changed = hasher.algorithm != preferred.algorithm + must_update = hasher_changed or preferred.must_update(encoded) is_correct = hasher.verify(password, encoded) + + # If the hasher didn't change (we don't protect against enumeration if it + # does) and the password should get updated, try to close the timing gap + # between the work factor of the current encoded password and the default + # work factor. + if not is_correct and not hasher_changed and must_update: + hasher.harden_runtime(password, encoded) + if setter and is_correct and must_update: setter(password) return is_correct 
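Review bot: in the `check_password()` hunk, `must_update = hasher_changed or preferred.must_update(encoded)` short-circuits so `preferred.must_update()` is never handed an `encoded` string from a different algorithm, which it might fail to parse; that ordering deserves a comment because it is easy to 'simplify' away. The condition `not is_correct and not hasher_changed and must_update` means the timing bridge applies only while the algorithm is unchanged, as the comment says; the passwords.txt hunk documents the residual enumeration risk for mixed-algorithm databases, and a pointer from this comment to that section helps operators find the mitigation (upgrade the old hashes).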
@@ -217,6 +225,19 @@ def must_update(self, encoded): return False + def harden_runtime(self, password, encoded): + """ + Bridge the runtime gap between the work factor supplied in `encoded` + and the work factor suggested by this hasher. + + Taking PBKDF2 as an example, if `encoded` contains 20000 iterations and + `self.iterations` is 30000, this method should run password through + another 10000 iterations of PBKDF2. Similar approaches should exist + for any hasher that has a work factor. If not, this method should be + defined as a no-op to silence the warning. + """ + warnings.warn('subclasses of BasePasswordHasher should provide a harden_runtime() method') + class PBKDF2PasswordHasher(BasePasswordHasher): """ @@ -259,6 +280,12 @@ algorithm, iterations, salt, hash = encoded.split('$', 3) return int(iterations) != self.iterations + def harden_runtime(self, password, encoded): + algorithm, iterations, salt, hash = encoded.split('$', 3) + extra_iterations = self.iterations - int(iterations) + if extra_iterations > 0: + self.encode(password, salt, extra_iterations) + class PBKDF2SHA1PasswordHasher(PBKDF2PasswordHasher): """ 
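Review bot: the `warnings.warn()` in the base `harden_runtime()` fires from inside the failed-login path, so for a third-party hasher lacking the override it is emitted on every wrong password (deduplicated by the default warning filter, repeated under `-W always` or in test runners); including the hasher's class name in the message, e.g. `'%s should provide a harden_runtime() method' % self.__class__.__name__`, tells the operator which hasher still leaks timing.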
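Review bot: in the PBKDF2 hunk, `if extra_iterations > 0` bridges only the case where the stored count is below the default; a stored hash with a higher count than `self.iterations` (which `must_update()` also flags) takes longer than the nonexistent-user path, and that gap cannot be closed from this side, so a comment noting the asymmetry stops the early return from being read as an oversight. The return value of `self.encode(password, salt, extra_iterations)` is discarded on purpose; a `# result intentionally unused` comment makes that explicit for readers and linters.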
@@ -309,23 +336,8 @@ def verify(self, password, encoded): algorithm, data = encoded.split('$', 1) assert algorithm == self.algorithm - bcrypt = self._load_library() - - # Hash the password prior to using bcrypt to prevent password truncation - # See: https://code.djangoproject.com/ticket/20138 - if self.digest is not None: - # We use binascii.hexlify here because Python3 decided that a hex encoded - # bytestring is somehow a unicode. - password = binascii.hexlify(self.digest(force_bytes(password)).digest()) - else: - password = force_bytes(password) - - # Ensure that our data is a bytestring - data = force_bytes(data) - # force_bytes() necessary for py-bcrypt compatibility - hashpw = force_bytes(bcrypt.hashpw(password, data)) - - return constant_time_compare(data, hashpw) + encoded_2 = self.encode(password, force_bytes(data)) + return constant_time_compare(encoded, encoded_2) def safe_summary(self, encoded): algorithm, empty, algostr, work_factor, data = encoded.split('$', 4) @@ -338,6 +350,16 @@ (_('checksum'), mask_hash(checksum)), ]) + def harden_runtime(self, password, encoded): + _, data = encoded.split('$', 1) + salt = data[:29] # Length of the salt in bcrypt. + rounds = data.split('$')[2] + # work factor is logarithmic, adding one doubles the load. + diff = 2**(self.rounds - int(rounds)) - 1 + while diff > 0: + self.encode(password, force_bytes(salt)) + diff -= 1 + class BCryptPasswordHasher(BCryptSHA256PasswordHasher): """ @@ -385,6 +407,9 @@ (_('hash'), mask_hash(hash)), ]) + def harden_runtime(self, password, encoded): + pass + class MD5PasswordHasher(BasePasswordHasher): """ @@ -413,6 +438,9 @@ (_('hash'), mask_hash(hash)), ]) + def harden_runtime(self, password, encoded): + pass + class UnsaltedSHA1PasswordHasher(BasePasswordHasher): """ @@ -445,6 +473,9 @@ (_('hash'), mask_hash(hash)), ]) + def harden_runtime(self, password, encoded): + pass + class UnsaltedMD5PasswordHasher(BasePasswordHasher): """ 
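Review bot: `rounds = data.split('$')[2]` and `salt = data[:29]` assume the `$2x$NN$` prefix plus 22-character salt layout of the stored string, and `2**(self.rounds - int(rounds)) - 1` becomes a fraction (so the loop is skipped) when the stored cost exceeds the default; both facts belong in a comment. The loop count grows exponentially with the cost gap (255 extra `encode()` calls for a 4-to-12 gap), which adds up to roughly one default-cost hash of work and is therefore the intended behaviour, but it is worth a comment so it is not mistaken for a bug. The rewritten `verify()` delegates to `encode()` with the stored data as salt and compares the full strings in constant time, which removes the duplicated digest logic; fine.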
@@ -478,6 +509,9 @@ (_('hash'), mask_hash(encoded, show=3)), ]) + def harden_runtime(self, password, encoded): + pass + class CryptPasswordHasher(BasePasswordHasher): """ @@ -513,3 +547,5 @@ (_('hash'), mask_hash(data, show=3)), ]) + def harden_runtime(self, password, encoded): + pass Index: python-django-1.6.1/docs/topics/auth/passwords.txt =================================================================== --- python-django-1.6.1.orig/docs/topics/auth/passwords.txt 2016-02-26 07:46:44.900239803 -0500 +++ python-django-1.6.1/docs/topics/auth/passwords.txt 2016-02-26 07:46:44.900239803 -0500 
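Review bot: the `pass` implementations for the MD5, SHA1, unsalted and crypt hashers are correct per the base-class docstring (there is no work factor to bridge), but they also mean accounts still stored with those hashes remain distinguishable by timing from nonexistent users, which is the `hasher_changed` case `check_password()` deliberately excludes; a one-line comment on each ('no work factor; upgrade these hashes to remove the timing difference') points operators at the actual fix.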
@@ -189,12 +189,41 @@ Passwords will be upgraded when changing the PBKDF2 iteration count. +Be aware that if all the passwords in your database aren't encoded in the +default hasher's algorithm, you may be vulnerable to a user enumeration timing +attack due to a difference between the duration of a login request for a user +with a password encoded in a non-default algorithm and the duration of a login +request for a nonexistent user (which runs the default hasher). You may be able +to mitigate this by upgrading older password hashes. + .. _sha1: http://en.wikipedia.org/wiki/SHA1 .. _pbkdf2: http://en.wikipedia.org/wiki/PBKDF2 .. _nist: http://csrc.nist.gov/publications/nistpubs/800-132/nist-sp800-132.pdf .. _bcrypt: http://en.wikipedia.org/wiki/Bcrypt .. _`bcrypt library`: https://pypi.python.org/pypi/bcrypt/ +.. _write-your-own-password-hasher: + +Writing your own hasher +----------------------- + +.. versionadded:: 1.8.10 + +If you write your own password hasher that contains a work factor such as a +number of iterations, you should implement a +``harden_runtime(self, password, encoded)`` method to bridge the runtime gap +between the work factor supplied in the ``encoded`` password and the default +work factor of the hasher. This prevents a user enumeration timing attack due +to difference between a login request for a user with a password encoded in an +older number of iterations and a nonexistent user (which runs the default +hasher's default number of iterations). + +Taking PBKDF2 as example, if ``encoded`` contains 20,000 iterations and the +hasher's default ``iterations`` is 30,000, the method should run ``password`` +through another 10,000 iterations of PBKDF2. + +If your hasher doesn't have a work factor, implement the method as a no-op +(``pass``). 
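Review bot: 'Taking PBKDF2 as example' should read 'as an example', and the `.. versionadded:: 1.8.10` marker comes from the upstream 1.8 commit, so it will advertise a version that does not exist in a 1.6.11 tree; otherwise the new section states the mitigation clearly, including the honest caveat in the first paragraph that mixed-algorithm databases stay enumerable until the older hashes are upgraded.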
Manually managing a user's password =================================== Index: python-django-1.6.1/django/contrib/auth/tests/test_hashers.py =================================================================== --- python-django-1.6.1.orig/django/contrib/auth/tests/test_hashers.py 2016-02-26 07:46:44.900239803 -0500 +++ python-django-1.6.1/django/contrib/auth/tests/test_hashers.py 2016-02-26 07:46:44.900239803 -0500 @@ -9,7 +9,12 @@ from django.utils import six from django.utils import unittest from django.utils.unittest import skipUnless - +from django.utils.encoding import force_bytes + +try: + from unittest import mock +except ImportError: + import mock try: import crypt @@ -176,6 +181,28 @@ self.assertTrue(check_password('', blank_encoded)) self.assertFalse(check_password(' ', blank_encoded)) + @skipUnless(bcrypt, "bcrypt not installed") + def test_bcrypt_harden_runtime(self): + hasher = get_hasher('bcrypt') + self.assertEqual('bcrypt', hasher.algorithm) + + with mock.patch.object(hasher, 'rounds', 4): + encoded = make_password('letmein', hasher='bcrypt') + + with mock.patch.object(hasher, 'rounds', 6), \ + mock.patch.object(hasher, 'encode', side_effect=hasher.encode): + hasher.harden_runtime('wrong_password', encoded) + + # Increasing rounds from 4 to 6 means an increase of 4 in workload, + # therefore hardening should run 3 times to make the timing the + # same (the original encode() call already ran once). + self.assertEqual(hasher.encode.call_count, 3) + + # Get the original salt (includes the original workload factor) + algorithm, data = encoded.split('$', 1) + expected_call = (('wrong_password', force_bytes(data[:29])),) + self.assertEqual(hasher.encode.call_args_list, [expected_call] * 3) + def test_unusable(self): encoded = make_password(None) self.assertEqual(len(encoded), len(UNUSABLE_PASSWORD_PREFIX) + UNUSABLE_PASSWORD_SUFFIX_LENGTH) 
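Review bot: `try: from unittest import mock` / `except ImportError: import mock` adds a test-time dependency on the third-party `mock` package for Python 2, which must be present in the build environment for the module to import at all; the bcrypt test's arithmetic (rounds 4 to 6 is a factor of four, so three extra `encode()` calls) matches the formula in the hasher hunk, and checking `call_args_list` against `[expected_call] * 3` also verifies that the original 29-character salt is reused, which is the property that keeps the timing equivalent.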
@@ -279,6 +306,25 @@ finally: hasher.iterations = old_iterations + def test_pbkdf2_harden_runtime(self): + hasher = get_hasher('default') + self.assertEqual('pbkdf2_sha256', hasher.algorithm) + + with mock.patch.object(hasher, 'iterations', 1): + encoded = make_password('letmein') + + with mock.patch.object(hasher, 'iterations', 6), \ + mock.patch.object(hasher, 'encode', side_effect=hasher.encode): + hasher.harden_runtime('wrong_password', encoded) + + # Encode should get called once ... + self.assertEqual(hasher.encode.call_count, 1) + + # ... with the original salt and 5 iterations. + algorithm, iterations, salt, hash = encoded.split('$', 3) + expected_call = (('wrong_password', salt, 5),) + self.assertEqual(hasher.encode.call_args, expected_call) + def test_pbkdf2_upgrade_new_hasher(self): self.assertEqual('pbkdf2_sha256', get_hasher('default').algorithm) hasher = get_hasher('default') 
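Review bot: `self.assertEqual(hasher.encode.call_args, expected_call)` with `expected_call = (('wrong_password', salt, 5),)` in `test_pbkdf2_harden_runtime` pins the exact positional signature, so the test breaks if `harden_runtime` is ever changed to pass `iterations=5` as a keyword even though behaviour is unchanged; `hasher.encode.assert_called_once_with('wrong_password', salt, 5)` folds in the `call_count == 1` assertion, and patching with `autospec=True` makes mock compare the call against the real signature if robustness to keyword vs positional is wanted. The arithmetic is right: the hash was stored at 1 iteration and the default is patched to 6, so exactly one extra `encode` with 6 - 1 = 5 iterations is expected, and unlike the bcrypt test it is a single call because PBKDF2's cost is additive in the iteration count.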
@@ -307,6 +353,20 @@ self.assertTrue(check_password('letmein', encoded, setter)) self.assertTrue(state['upgraded']) + def test_check_password_calls_harden_runtime(self): + hasher = get_hasher('default') + encoded = make_password('letmein') + + with mock.patch.object(hasher, 'harden_runtime'), \ + mock.patch.object(hasher, 'must_update', return_value=True): + # Correct password supplied, no hardening needed + check_password('letmein', encoded) + self.assertEqual(hasher.harden_runtime.call_count, 0) + + # Wrong password supplied, hardening needed + check_password('wrong_password', encoded) + self.assertEqual(hasher.harden_runtime.call_count, 1) + def test_load_library_no_algorithm(self): with self.assertRaises(ValueError) as e: BasePasswordHasher()._load_library() debian/patches/CVE-2015-8213.patch0000644000000000000000000000375213010654227013242 0ustar commit 8a01c6b53169ee079cb21ac5919fdafcc8c5e172 Author: Florian Apolloner Date: Wed Nov 11 20:10:55 2015 +0100 [1.7.x] Fixed a settings leak possibility in the date template filter. This is a security fix. Index: python-django-1.6.11/django/utils/formats.py =================================================================== --- python-django-1.6.11.orig/django/utils/formats.py 2016-11-09 12:10:42.412449822 -0500 +++ python-django-1.6.11/django/utils/formats.py 2016-11-09 12:10:42.392449821 -0500 @@ -28,6 +28,24 @@ ), } +FORMAT_SETTINGS = frozenset([ + 'DECIMAL_SEPARATOR', + 'THOUSAND_SEPARATOR', + 'NUMBER_GROUPING', + 'FIRST_DAY_OF_WEEK', + 'MONTH_DAY_FORMAT', + 'TIME_FORMAT', + 'DATE_FORMAT', + 'DATETIME_FORMAT', + 'SHORT_DATE_FORMAT', + 'SHORT_DATETIME_FORMAT', + 'YEAR_MONTH_FORMAT', + 'DATE_INPUT_FORMATS', + 'TIME_INPUT_FORMATS', + 'DATETIME_INPUT_FORMATS', +]) + + def reset_format_cache(): """Clear any cached formats. 
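Review bot: `test_check_password_calls_harden_runtime` exercises only `must_update` returning True. Add the wrong-password case with `must_update` patched to return False, which is the steady state once every stored hash is at the default work factor, and assert the intended `harden_runtime` call count there; without it a regression that hardened every failed login, doubling the cost of each wrong-password attempt on an already-current hash, would still pass this test. A one-line comment on why the correct-password branch expects `call_count == 0` (verification already ran the full work factor, so there is no gap to bridge) would also help.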
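Review bot: `FORMAT_SETTINGS` in django/utils/formats.py is a hand-maintained allowlist of the fourteen format settings, and `get_format` (next hunk) treats any name outside it as a literal, so a format setting added later but not added here will silently return its own name instead of its value. Add a comment stating that the set must track the format settings defined in `django.conf.global_settings`, and a test that fails when the two drift apart. `frozenset` is the right container for an immutable module-level constant.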
@@ -79,6 +97,8 @@ be localized (or not), overriding the value of settings.USE_L10N. """ format_type = force_str(format_type) + if format_type not in FORMAT_SETTINGS: + return format_type if use_l10n or (use_l10n is None and settings.USE_L10N): if lang is None: lang = get_language() Index: python-django-1.6.11/tests/i18n/tests.py =================================================================== --- python-django-1.6.11.orig/tests/i18n/tests.py 2016-11-09 12:10:42.412449822 -0500 +++ python-django-1.6.11/tests/i18n/tests.py 2016-11-09 12:10:42.396449821 -0500 @@ -817,6 +817,9 @@ '; ' ) + def test_format_arbitrary_settings(self): + self.assertEqual(get_format('DEBUG'), 'DEBUG') + class MiscTests(TransRealMixin, TestCase): debian/patches/CVE-2015-5144.patch0000644000000000000000000001445113010654165013241 0ustar Backport of: commit 6e4164b083adb5c974c7ded0f3aeae5188e52b5a Author: Tim Graham Date: Fri Jun 12 13:49:31 2015 -0400 [1.7.x] Prevented newlines from being accepted in some validators. This is a security fix; disclosure to follow shortly. Thanks to Sjoerd Job Postmus for the report and draft patch. Index: python-django-1.6.11/django/core/validators.py =================================================================== --- python-django-1.6.11.orig/django/core/validators.py 2016-10-11 00:32:53.741535072 -0400 +++ python-django-1.6.11/django/core/validators.py 2016-10-11 00:35:35.349538316 -0400 @@ -47,7 +47,7 @@ r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|' # ...or ipv4 r'\[?[A-F0-9]*:[A-F0-9:]+\]?)' # ...or ipv6 r'(?::\d+)?' # optional port - r'(?:/?|[/?]\S+)$', re.IGNORECASE) + r'(?:/?|[/?]\S+)\Z', re.IGNORECASE) message = _('Enter a valid URL.') def __call__(self, value): 
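Review bot: the early `return format_type` for names outside `FORMAT_SETTINGS` is what closes the leak (the new `test_format_arbitrary_settings` pins `get_format('DEBUG') == 'DEBUG'`, i.e. a template filter argument naming an arbitrary setting now yields the literal name rather than the setting's value), but it also means a mistyped format name such as `SHORT_DATE_FROMAT` renders as that literal with no diagnostic. Consider a debug-level log for unknown names, since callers can no longer tell a typo from a deliberate literal. Placing the check after `force_str(format_type)` is correct because the allowlist holds native strings.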
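Review bot: the `$` to `\Z` change in the URLValidator regex (hunk `@@ -47,7 +47,7 @@` of django/core/validators.py) is correct and necessary: in Python's `re`, `$` also matches just before a trailing newline, so both alternatives of `(?:/?|[/?]\S+)$` accepted `http://example.com/\n`, and `\Z` anchors at the true end of the string. Two follow-ups: every other pattern in this module that still ends in `$` needs the same audit (the next hunk covers the integer and e-mail patterns), and the regression test for this hunk should feed `URLValidator` a URL with a trailing `\n` explicitly, since that is the exact input the fix rejects.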
@@ -69,25 +69,28 @@ else: url = value +integer_validator = RegexValidator( + re.compile('^-?\d+\Z'), + message=_('Enter a valid integer.'), + code='invalid', +) + def validate_integer(value): - try: - int(value) - except (ValueError, TypeError): - raise ValidationError(_('Enter a valid integer.'), code='invalid') + return integer_validator(value) class EmailValidator(object): message = _('Enter a valid email address.') code = 'invalid' user_regex = re.compile( - r"(^[-!#$%&'*+/=?^_`{}|~0-9A-Z]+(\.[-!#$%&'*+/=?^_`{}|~0-9A-Z]+)*$" # dot-atom - r'|^"([\001-\010\013\014\016-\037!#-\[\]-\177]|\\[\001-\011\013\014\016-\177])*"$)', # quoted-string + r"(^[-!#$%&'*+/=?^_`{}|~0-9A-Z]+(\.[-!#$%&'*+/=?^_`{}|~0-9A-Z]+)*\Z" # dot-atom + r'|^"([\001-\010\013\014\016-\037!#-\[\]-\177]|\\[\001-\011\013\014\016-\177])*"\Z)', # quoted-string re.IGNORECASE) domain_regex = re.compile( - r'(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\.)+(?:[A-Z]{2,6}|[A-Z0-9-]{2,}(? --- a/django/contrib/gis/geoip/base.py +++ b/django/contrib/gis/geoip/base.py @@ -64,7 +64,8 @@ * path: Base directory to where GeoIP data is located or the full path to where the city or country data files (*.dat) are located. Assumes that both the city and country data sets are located in - this directory; overrides the GEOIP_PATH settings attribute. + this directory. Overrides the GEOIP_PATH settings attribute. + If neither is set, defaults to '/usr/share/GeoIP'. * cache: The cache settings when opening up the GeoIP datasets, and may be an integer in (0, 1, 2, 4, 8) corresponding to 
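Review bot: `re.compile('^-?\d+\Z')` for `integer_validator` (hunk `@@ -69,25 +69,28 @@`) is a plain string while every other pattern in the hunk is raw; `\d` and `\Z` survive only because Python leaves unknown escapes alone, and newer interpreters warn about them, so write `r'^-?\d+\Z'`. The change is also more than a newline fix: `validate_integer` used to accept whatever `int()` accepts, so `'+5'` and `' 5 '` passed and now fail the regex. That is defensible, but it deserves a line in the release notes since every field built on `validate_integer` inherits the stricter behaviour.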
@@ -73,11 +74,13 @@ settings, respectively. Defaults to 0, meaning that the data is read from the disk. - * country: The name of the GeoIP country data file. Defaults to - 'GeoIP.dat'; overrides the GEOIP_COUNTRY settings attribute. - - * city: The name of the GeoIP city data file. Defaults to - 'GeoLiteCity.dat'; overrides the GEOIP_CITY settings attribute. + * country: The name of the GeoIP country data file. Overrides + the GEOIP_COUNTRY settings attribute. If neither is set, + defaults to 'GeoIP.dat' + + * city: The name of the GeoIP city data file. Overrides the + GEOIP_CITY settings attribute. If neither is set, defaults + to 'GeoIPCity.dat'. """ # Checking the given cache option. if cache in self.cache_options: @@ -87,8 +90,7 @@ # Getting the GeoIP data path. if not path: - path = GEOIP_SETTINGS.get('GEOIP_PATH', None) - if not path: raise GeoIPException('GeoIP path must be provided via parameter or the GEOIP_PATH setting.') + path = GEOIP_SETTINGS.get('GEOIP_PATH', '/usr/share/GeoIP') if not isinstance(path, six.string_types): raise TypeError('Invalid path type: %s' % type(path).__name__) 
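Review bot: the `@@ -87,8 +90,7 @@` hunk replaces `raise GeoIPException('GeoIP path must be provided via parameter or the GEOIP_PATH setting.')` with a silent default of `/usr/share/GeoIP`, so a deployment that forgot `GEOIP_PATH` no longer fails loudly; combined with the `os.path.isfile(city_db)` guard in the following hunk, a missing or misnamed data file simply leaves the city database unloaded with no error. If a distribution default is wanted, keep the exception when the default directory does not exist, or at least log the fallback. Two smaller points in the docstring hunk: `defaults to 'GeoIP.dat'` is missing its full stop, and changing the default city file from `GeoLiteCity.dat` to `GeoIPCity.dat` (also done in the code in the next hunk) is a behaviour change for anyone relying on the upstream default name, so it belongs in the package changelog.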
@@ -101,7 +103,7 @@ self._country = GeoIP_open(force_bytes(country_db), cache) self._country_file = country_db - city_db = os.path.join(path, city or GEOIP_SETTINGS.get('GEOIP_CITY', 'GeoLiteCity.dat')) + city_db = os.path.join(path, city or GEOIP_SETTINGS.get('GEOIP_CITY', 'GeoIPCity.dat')) if os.path.isfile(city_db): self._city = GeoIP_open(force_bytes(city_db), cache) self._city_file = city_db debian/python-django.docs0000644000000000000000000000002313010653601012607 0ustar README.rst AUTHORS debian/contrib/0000755000000000000000000000000013010653601010621 5ustar debian/contrib/default0000644000000000000000000000065713010653601012200 0ustar # django project names/directories DJANGO_SITES="myapp myapp2 myapp3" # path to the directory with your django projects #SITES_PATH=/home/django/projects # path to the directory for socket and pid files RUNFILES_PATH=$SITES_PATH/run # please make sure this is NOT root # local user prefered, www-data accepted RUN_AS=django # maximum requests before fast-cgi process respawns # (a.k.a. get killed and let live) MAXREQUESTS=100 debian/contrib/initscript0000644000000000000000000000635013010653601012740 0ustar #! /bin/sh ### BEGIN INIT INFO # Provides: FastCGI servers for Django # Required-Start: networking # Required-Stop: networking # Default-Start: 2 3 4 5 # Default-Stop: S 0 1 6 # Short-Description: Start FastCGI servers with Django. # Description: Django, in order to operate with FastCGI, must be started # in a very specific way with manage.py. This must be done # for each Django web server that has to run. ### END INIT INFO # # Author: Guillermo Fernandez Castellanos # . 
#
# Changed: Jannis Leidel
#          Joost Cassee
#
# Version: @(#)fastcgi 0.3 05-Aug-2008 joost AT cassee.net
#

set -e

#### CONFIGURATION (override in /etc/default/django)

# django project names/directories
DJANGO_SITES=""

# path to the directory with your django projects
SITES_PATH=/var/lib/django

# path to the directory for socket and pid files
RUNFILES_PATH=/var/run/django

# please make sure this is NOT root
# local user preferred, www-data accepted
RUN_AS=www-data

# maximum requests before fast-cgi process respawns
# (a.k.a. get killed and let live)
MAXREQUESTS=1000

#### END CONFIGURATION

# Include defaults if available
if [ -f /etc/default/django ] ; then
    . /etc/default/django
fi

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DESC="Django FastCGI servers"
NAME=$0
SCRIPTNAME=/etc/init.d/$NAME

# Runs as root on every invocation: the run directory is created and
# handed over (recursively) to the unprivileged service account.
mkdir -p $RUNFILES_PATH
chown -R $RUN_AS:$RUN_AS $RUNFILES_PATH

#
# Function that starts the daemon/service.
#
d_start() {
    # Starting all Django FastCGI processes
    # PORT=$PORT_START
    for SITE in $DJANGO_SITES
    do
        echo -n ", $SITE"
        if [ -f $RUNFILES_PATH/$SITE.pid ]; then
            echo -n " already running"
        else
            # Drop privileges to RUN_AS before exec'ing manage.py runfcgi
            start-stop-daemon --start --quiet \
                --pidfile $RUNFILES_PATH/$SITE.pid \
                --chuid $RUN_AS --exec /usr/bin/env -- python \
                $SITES_PATH/$SITE/manage.py runfcgi \
                protocol=fcgi method=threaded maxrequests=$MAXREQUESTS \
                socket=$RUNFILES_PATH/$SITE.socket \
                pidfile=$RUNFILES_PATH/$SITE.pid
            chmod 400 $RUNFILES_PATH/$SITE.pid
        fi
        sleep 1
    done
}

#
# Function that stops the daemon/service.
#
d_stop() {
    # Killing all Django FastCGI processes running
    for SITE in $DJANGO_SITES
    do
        echo -n ", $SITE"
        start-stop-daemon --stop --quiet --pidfile $RUNFILES_PATH/$SITE.pid \
            || echo -n " not running"
        if [ -f $RUNFILES_PATH/$SITE.pid ]; then
            rm -f $RUNFILES_PATH/$SITE.pid
        fi
        sleep 1
    done
}

ACTION="$1"
case "$ACTION" in
    start)
        echo -n "Starting $DESC: $NAME"
        d_start
        echo "."
        ;;
    stop)
        echo -n "Stopping $DESC: $NAME"
        d_stop
        echo "."
        ;;
    restart|force-reload)
        echo -n "Restarting $DESC: $NAME"
        d_stop
        sleep 2
        d_start
        echo "."
        ;;
    *)
        echo "Usage: $NAME {start|stop|restart|force-reload}" >&2
        exit 3
        ;;
esac

exit 0
debian/python-django.README.Debian0000644000000000000000000001516013010653601014005 0ustar 0.96 -> 1.0
===========

Django 1.0 has a number of backwards-incompatible changes from Django 0.96.
If you have apps written against Django 0.96 that you need to port, see the
detailed porting guide:

  /usr/share/doc/python-django/html/releases/1.0-porting-guide.html

or

  http://docs.djangoproject.com/en/dev/releases/1.0-porting-guide/

You can also find a complete list of backwards incompatible changes here:

  http://code.djangoproject.com/wiki/BackwardsIncompatibleChanges

0.95 -> 0.96
============

Information here has been gathered from:

  http://www.djangoproject.com/documentation/release_notes_0.96/

and

  http://code.djangoproject.com/wiki/BackwardsIncompatibleChanges

Backwards Incompatible Changes
------------------------------

Database constraint names changed
=================================

As of [3512], the format of the constraint names Django generates for foreign
key references changed slightly. These names are only used sometimes, when it
is not possible to put the reference directly on the affected column, so this
is not always visible.

The effect of this change is that manage.py reset app_name and similar
commands may generate SQL with invalid constraint names and thus generate an
error when run against the database (the database server will complain about
the constraint not existing).

To fix this, you will need to tweak the output of manage.py sqlreset app_name
to match the correct constraint names and pass the results to the database
server manually.

Backslash escaping changed
==========================

As of [3552], the Django database API now escapes backslashes given as query
parameters.
If you have any database API code that matches backslashes, and it was working
before (despite the broken escaping), you'll have to change your code to
"unescape" the slashes one level. For example, this used to work:

    # Code that matches a single backslash
    MyModel.objects.filter(text__contains='\\\\')

But it should be rewritten as this:

    # Code that matches a single backslash
    MyModel.objects.filter(text__contains='\\')

Removed ENABLE_PSYCO setting
============================

As of [3877], the ENABLE_PSYCO setting no longer exists. If your settings file
includes ENABLE_PSYCO, nothing will break per se, but it just won't do
anything. If you want to use Psyco with Django, write some custom middleware
that activates Psyco.

Changed Admin.manager option to more flexible hook
==================================================

As of [4342], the manager option to class Admin no longer exists. This option
was undocumented, but we're mentioning the change here in case you used it.

In favor of this option, class Admin may now define one of these methods:

  * queryset()
  * queryset_add()
  * queryset_change()

These give you much more flexibility.

Note that this change was made to the NewformsAdminBranch. (We initially
called the new method change_list_queryset, but this was changed in [4584] to
be more flexible.) The change will not be made to trunk until that branch is
merged to trunk.

Changed prepopulate_from to be defined in the Admin class, not database field classes
=====================================================================================

As of [4446], the prepopulate_from option to database fields no longer exists.
It's been discontinued in favor of the new prepopulated_fields option on class
Admin.

The new prepopulated_fields option, if given, should be a dictionary mapping
field names to lists/tuples of field names.
Here's an example comparing old syntax and new syntax:

    # OLD:
    class MyModel(models.Model):
        first_name = models.CharField(maxlength=30)
        last_name = models.CharField(maxlength=30)
        slug = models.CharField(maxlength=60, prepopulate_from=('first_name', 'last_name'))

        class Admin:
            pass

    # NEW:
    class MyModel(models.Model):
        first_name = models.CharField(maxlength=30)
        last_name = models.CharField(maxlength=30)
        slug = models.CharField(maxlength=60)

        class Admin:
            prepopulated_fields = {'slug': ('first_name', 'last_name')}

Moved admin doc views into django.contrib.admindocs
===================================================

As of [4585], the documentation views for the Django admin site were moved into
a new package, django.contrib.admindocs. The admin docs, which aren't
documented very well, were located at docs/ in the admin site. They're also
linked-to by the "Documentation" link in the upper right of default admin
templates.

Because we've moved the doc views, you now have to activate admin docs
explicitly. Do this by adding the following line to your URLconf:

    (r'^admin/doc/', include('django.contrib.admindocs.urls')),

Note that this change was made to the NewformsAdminBranch. The change will not
be made to trunk until that branch is merged to trunk.

Enforcing MySQLdb version
=========================

As of [4724], Django will raise an error if you try to use the MySQL backend
with a MySQLdb (MySQL python module) version earlier than 1.2.1p2. There were
significant, production-related bugs in earlier versions, so we have upgraded
the minimum requirement.

In [4767], a mysql_old backend was added, that is identical to the original
mysql backend prior to the change in [4724]. This backend can be used if
upgrading the MySQLdb module is not immediately possible, however, it is
deprecated and no further development will be done on it.
New Features
------------

New forms library
=================

The new forms library has been merged from the new forms branch into
django.newforms in 0.96. The next revision will replace django.forms with
django.newforms; the current forms library is already copied to
django.oldforms to make the transition easier. It's advised to either upgrade
your forms code to the newforms library or to change your imports as follows:

    from django import forms

becomes

    from django import oldforms as forms

URLconf improvements
====================

It's now possible to use imported views in the urlconf rather than a string
representing the view to call.

Test framework
==============

Now possible to write tests based on doctest and unittest.

Admin area changes
==================

Changes to the user adding and updating views so that you don't need to worry
about hashed passwords.
debian/compat0000644000000000000000000000000213010653601010357 0ustar 9
debian/copyright0000644000000000000000000003605113010653601011121 0ustar This package was debianized by Brett Parker with the assistance of
Raphael Hertzog , Gustavo Noronha Silva , David Spreen and the Debian Python
Modules Team . The upstream source is available from .

Main Django Code Licence:
=========================

Copyright (c) Django Software Foundation and individual contributors.
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

    1. Redistributions of source code must retain the above copyright notice,
       this list of conditions and the following disclaimer.

    2. Redistributions in binary form must reproduce the above copyright
       notice, this list of conditions and the following disclaimer in the
       documentation and/or other materials provided with the distribution.

    3.
Neither the name of Django nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Individual copyright holders stated in Main Django License are listed in /usr/share/doc/python-django/AUTHORS.gz. PyDispatcher Licence (django/dispatch/*): ========================================= Copyright (c) 2001-2003, Patrick K. O'Brien and Contributors All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. The name of Patrick K. O'Brien, or the name of any Contributor, may not be used to endorse or promote products derived from this software without specific prior written permission. 
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS AND CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. License of django/utils/simplejson/* ==================================== Copyright (c) 2006 Bob Ippolito Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
License for django/utils/functional.py and django/utils/_decimal.py (License taken from Python 2.5) ======================================================================= functional.py: Copyright (c) 2001, 2002, 2003, 2004, 2005, 2006, 2007 Python Software Foundation decimal.py: Copyright (c) 2004 Python Software Foundation PYTHON SOFTWARE FOUNDATION LICENSE VERSION 2 -------------------------------------------- 1. This LICENSE AGREEMENT is between the Python Software Foundation ("PSF"), and the Individual or Organization ("Licensee") accessing and otherwise using this software ("Python") in source or binary form and its associated documentation. 2. Subject to the terms and conditions of this License Agreement, PSF hereby grants Licensee a nonexclusive, royalty-free, world-wide license to reproduce, analyze, test, perform and/or display publicly, prepare derivative works, distribute, and otherwise use Python alone or in any derivative version, provided, however, that PSF's License Agreement and PSF's notice of copyright, i.e., "Copyright (c) 2001, 2002, 2003, 2004, 2005, 2006, 2007 Python Software Foundation; All Rights Reserved" are retained in Python alone or in any derivative version prepared by Licensee. 3. In the event Licensee prepares a derivative work that is based on or incorporates Python or any part thereof, and wants to make the derivative work available to others as provided herein, then Licensee hereby agrees to include in any such work a brief summary of the changes made to Python. 4. PSF is making Python available to Licensee on an "AS IS" basis. PSF MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, PSF MAKES NO AND DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF PYTHON WILL NOT INFRINGE ANY THIRD PARTY RIGHTS. 5. 
PSF SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF PYTHON FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS A RESULT OF MODIFYING, DISTRIBUTING, OR OTHERWISE USING PYTHON, OR ANY DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. 6. This License Agreement will automatically terminate upon a material breach of its terms and conditions. 7. Nothing in this License Agreement shall be deemed to create any relationship of agency, partnership, or joint venture between PSF and Licensee. This License Agreement does not grant permission to use PSF trademarks or trade name in a trademark sense to endorse or promote products or services of Licensee, or any third party. 8. By copying, installing or otherwise using Python, Licensee agrees to be bound by the terms and conditions of this License Agreement. django/utils/autoreload.py =========================== Portions Copyright (c) 2004 CherryPy Team All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * Neither the name of the CherryPy Team nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Some code taken from Ian Bicking's Paste which is released under the MIT License: Copyright (c) 2008 Ian Bicking Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. django/contrib/gis/geos/* and django/contrib/gis/gdal/* ======================================================== Copyright (c) 2007, Justin Bronn All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. 
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of GEOSGeometry nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. django/contrib/gis/measure.py: =============================== Copyright (c) 2007, Robert Coup All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. 
Neither the name of Distance nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. docs/_static/reset-fonts-grids.css: ==================================== Copyright (c) 2008, Yahoo! Inc. All rights reserved. Software License Agreement (BSD License), downloaded from on Friday, Aug 29 2008 Copyright (c) 2006, Yahoo! Inc. All rights reserved. Redistribution and use of this software in source and binary forms, with or without modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * Neither the name of Yahoo! Inc. nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission of Yahoo! Inc. 
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
debian/python-django-doc.examples0000644000000000000000000000001313010653601014237 0ustar examples/*
debian/python-django.manpages0000644000000000000000000000003013010653601013450 0ustar docs/man/django-admin.1
debian/python-django.examples0000644000000000000000000000002113010653601013473 0ustar debian/contrib/*
debian/source/0000755000000000000000000000000013010653601010461 5ustar
debian/source/format0000644000000000000000000000001413010653601011667 0ustar 3.0 (quilt)
debian/python-django-doc.docs0000644000000000000000000000003013010653601013350 0ustar docs.debian/_build/html
debian/changelog0000644000000000000000000012653013415171526011054 0ustar python-django (1.6.11-0ubuntu1.3) trusty-security; urgency=medium

  * SECURITY UPDATE: content spoofing in the default 404 page
    - debian/patches/CVE-2019-3498.patch: properly quote string in
      django/views/defaults.py.
    - CVE-2019-3498

 -- Marc Deslauriers  Tue, 08 Jan 2019 14:00:29 -0500

python-django (1.6.11-0ubuntu1.2) trusty-security; urgency=medium

  * SECURITY UPDATE: DoS in urlize and urlizetrunc template filters
    - debian/patches/CVE-2018-7536.patch: fix backtracking in
      django/utils/html.py, add test to tests/utils_tests/test_html.py.
    - CVE-2018-7536
  * SECURITY UPDATE: DoS in truncatechars_html and truncatewords_html
    template filters
    - debian/patches/CVE-2018-7537.patch: fix backtracking in
      django/utils/text.py, add test to tests/utils_tests/test_text.py.
    - CVE-2018-7537

 -- Marc Deslauriers  Mon, 05 Mar 2018 15:52:37 +0100

python-django (1.6.11-0ubuntu1.1) trusty-security; urgency=medium

  * SECURITY UPDATE: Open redirect and possible XSS attack via user-supplied
    numeric redirect URLs
    - debian/patches/CVE-2017-7233.patch: fix is_safe_url() with numeric URLs
      in django/utils/http.py, added tests to tests/utils_tests/test_http.py.
    - CVE-2017-7233
  * SECURITY UPDATE: Open redirect vulnerability in django.views.static.serve()
    - debian/patches/CVE-2017-7234.patch: remove redirect from
      django/views/static.py.
    - CVE-2017-7234

 -- Marc Deslauriers  Wed, 29 Mar 2017 07:38:12 -0400

python-django (1.6.11-0ubuntu1) trusty; urgency=medium

  * Update to final upstream 1.6 microrelease (LP: #1644346)
  * Drop patches included upstream:
    - debian/patches/07_translation_encoding_fix.diff, ticket21869.diff,
      CVE-2014-0472.patch, CVE-2014-0473.patch, CVE-2014-0474.patch,
      CVE-2014-0472-regression.patch, drop_fix_ie_for_vary_1_6.diff,
      is_safe_url_1_6.diff, CVE-2014-0480.patch, CVE-2014-0481.patch,
      CVE-2014-0482.patch, CVE-2014-0483.patch, CVE-2014-0483-bug23329.patch,
      CVE-2014-0483-bug23431.patch, CVE-2015-0219.patch, CVE-2015-0220.patch,
      CVE-2015-0221.patch, CVE-2015-0222.patch, CVE-2015-2316.patch, and
      CVE-2015-2317.patch

 -- Scott Kitterman  Wed, 23 Nov 2016 14:41:31 -0500

python-django (1.6.1-2ubuntu0.16) trusty-security; urgency=medium

  * SECURITY UPDATE: user with hardcoded password created when running tests
    on Oracle
    - debian/patches/CVE-2016-9013.patch: remove hardcoded password in
      django/db/backends/oracle/creation.py, added note to
      docs/ref/settings.txt.
    - CVE-2016-9013
  * SECURITY UPDATE: DNS rebinding vulnerability when DEBUG=True
    - debian/patches/CVE-2016-9014.patch: properly check ALLOWED_HOSTS in
      django/http/request.py, updated docs/ref/settings.txt, added test to
      tests/requests/tests.py.
    - CVE-2016-9014

 -- Marc Deslauriers  Mon, 31 Oct 2016 10:14:20 -0400

python-django (1.6.1-2ubuntu0.15) trusty-security; urgency=medium

  * SECURITY UPDATE: CSRF protection bypass on a site with Google Analytics
    - debian/patches/CVE-2016-7401.patch: simplify cookie parsing in
      django/http/cookie.py, add tests to tests/httpwrappers/tests.py,
      tests/requests/tests.py.
    - CVE-2016-7401

 -- Marc Deslauriers  Mon, 26 Sep 2016 07:36:53 -0400

python-django (1.6.1-2ubuntu0.14) trusty-security; urgency=medium

  * SECURITY REGRESSION: is_safe_url() with non-unicode url (LP: #1553251)
    - debian/patches/CVE-2016-2512-regression.patch: updated to final
      upstream fix.
    - CVE-2016-2512

 -- Marc Deslauriers  Mon, 07 Mar 2016 08:50:01 -0500

python-django (1.6.1-2ubuntu0.13) trusty-security; urgency=medium

  * SECURITY REGRESSION: is_safe_url() with non-unicode url (LP: #1553251)
    - debian/patches/CVE-2016-2512-regression.patch: force url to unicode in
      django/utils/http.py, added test to tests/utils_tests/test_http.py.
    - CVE-2016-2512

 -- Marc Deslauriers  Fri, 04 Mar 2016 11:07:40 -0500

python-django (1.6.1-2ubuntu0.12) trusty-security; urgency=medium

  * SECURITY UPDATE: malicious redirect and possible XSS attack via
    user-supplied redirect URLs containing basic auth
    - debian/patches/CVE-2016-2512.patch: prevent spoofing in
      django/utils/http.py, added test to tests/utils_tests/test_http.py.
    - CVE-2016-2512
  * SECURITY UPDATE: user enumeration through timing difference on password
    hasher work factor upgrade
    - debian/patches/CVE-2016-2513.patch: fix timing in
      django/contrib/auth/hashers.py, added note to
      docs/topics/auth/passwords.txt, added tests to
      django/contrib/auth/tests/test_hashers.py.
    - debian/control: added python-mock to Build-Depends
    - CVE-2016-2513

 -- Marc Deslauriers  Thu, 25 Feb 2016 14:41:20 -0500

python-django (1.6.1-2ubuntu0.11) trusty-security; urgency=medium

  * SECURITY UPDATE: Settings leak possibility in date template filter
    - debian/patches/CVE-2015-8213.patch: check format type in
      django/utils/formats.py, added test to tests/i18n/tests.py.
    - CVE-2015-8213

 -- Marc Deslauriers  Wed, 18 Nov 2015 15:15:27 -0500

python-django (1.6.1-2ubuntu0.10) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service by filling session store
    - debian/patches/CVE-2015-596x.patch: don't create empty sessions in
      django/contrib/sessions/backends/base.py,
      django/contrib/sessions/backends/cached_db.py,
      django/contrib/sessions/middleware.py, added tests to
      django/contrib/sessions/tests.py, updated docs in
      docs/topics/http/sessions.txt.
    - CVE-2015-5963
    - CVE-2015-5964

 -- Marc Deslauriers  Thu, 13 Aug 2015 11:49:44 -0400

python-django (1.6.1-2ubuntu0.9) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via empty session records
    - debian/patches/CVE-2015-5143.patch: avoid creating a session record
      when loading the session in django/contrib/sessions/backends/cache.py,
      django/contrib/sessions/backends/cached_db.py,
      django/contrib/sessions/backends/db.py,
      django/contrib/sessions/backends/file.py, added test to
      django/contrib/sessions/tests.py.
    - CVE-2015-5143
  * SECURITY UPDATE: header injection via newlines
    - debian/patches/CVE-2015-5144.patch: check for newlines in
      django/core/validators.py, added tests to tests/validators/tests.py.
    - CVE-2015-5144

 -- Marc Deslauriers  Thu, 02 Jul 2015 11:34:04 -0400

python-django (1.6.1-2ubuntu0.8) trusty-security; urgency=medium

  * SECURITY UPDATE: denial-of-service possibility with strip_tags
    - debian/patches/CVE-2015-2316.patch: improve and fix infinite loop
      possibility in django/utils/html.py, added tests to
      tests/utils_tests/test_html.py, clarified documentation in
      docs/ref/templates/builtins.txt, docs/ref/utils.txt.
    - CVE-2015-2316
  * SECURITY UPDATE: XSS attack via user-supplied redirect URLs
    - debian/patches/CVE-2015-2317.patch: reject URLs that start with control
      characters in django/utils/http.py, added test to
      tests/utils_tests/test_http.py.
    - CVE-2015-2317

 -- Marc Deslauriers  Fri, 20 Mar 2015 10:34:50 -0400

python-django (1.6.1-2ubuntu0.7) trusty-proposed; urgency=medium

  * SRU LP: #1433376.
  * tests/utils_tests/test_jslex.py: Fix file encoding for python 2.7.9.

 -- Matthias Klose  Wed, 18 Mar 2015 01:54:55 +0100

python-django (1.6.1-2ubuntu0.6) trusty-security; urgency=medium

  * SECURITY UPDATE: WSGI header spoofing via underscore/dash conflation
    - debian/patches/CVE-2015-0219.patch: strip headers with underscores in
      django/core/servers/basehttp.py, added blurb to
      docs/howto/auth-remote-user.txt, added test to
      tests/servers/test_basehttp.py.
    - CVE-2015-0219
  * SECURITY UPDATE: Mitigated possible XSS attack via user-supplied redirect
    URLs
    - debian/patches/CVE-2015-0220.patch: filter url in django/utils/http.py,
      added test to tests/utils_tests/test_http.py.
    - CVE-2015-0220
  * SECURITY UPDATE: Denial-of-service attack against django.views.static.serve
    - debian/patches/CVE-2015-0221.patch: limit large files in
      django/views/static.py, added test to
      tests/view_tests/media/long-line.txt,
      tests/view_tests/tests/test_static.py.
    - CVE-2015-0221
  * SECURITY UPDATE: Database denial-of-service with ModelMultipleChoiceField
    - debian/patches/CVE-2015-0222.patch: check values in
      django/forms/models.py, added test to tests/model_forms/tests.py.
    - CVE-2015-0222

 -- Marc Deslauriers  Tue, 13 Jan 2015 07:47:48 -0500

python-django (1.6.1-2ubuntu0.5) trusty-proposed; urgency=medium

  * debian/patches/99_fix_multipart_base64_decoding_large_files.patch: Fix
    Multipart base64 file decoding with large files ensuring that the actual
    base64 content has a length a multiple of 4. (LP: #1363348)
  * debian/patches/

 -- Andres Rodriguez  Thu, 18 Sep 2014 17:46:45 -0500

python-django (1.6.1-2ubuntu0.4) trusty-security; urgency=medium

  * SECURITY UPDATE: incorrect url validation in core.urlresolvers.reverse
    - debian/patches/CVE-2014-0480.patch: prevent reverse() from generating
      URLs pointing to other hosts in django/core/urlresolvers.py, added tests
      to tests/urlpatterns_reverse/{tests,urls}.py.
    - CVE-2014-0480
  * SECURITY UPDATE: denial of service via file upload handling
    - debian/patches/CVE-2014-0481.patch: remove O(n) algorithm in
      django/core/files/storage.py, updated docs in
      docs/howto/custom-file-storage.txt, docs/ref/files/storage.txt, added
      tests to tests/file_storage/tests.py, tests/files/tests.py.
    - CVE-2014-0481
  * SECURITY UPDATE: web session hijack via REMOTE_USER header
    - debian/patches/CVE-2014-0482.patch: modified RemoteUserMiddleware to
      logout on REMOTE_USER change in django/contrib/auth/middleware.py, added
      test to django/contrib/auth/tests/test_remote_user.py.
    - CVE-2014-0482
  * SECURITY UPDATE: data leak in contrib.admin via query string manipulation
    - debian/patches/CVE-2014-0483.patch: validate to_field in
      django/contrib/admin/{options,exceptions}.py,
      django/contrib/admin/views/main.py, added docs to
      docs/ref/exceptions.txt, added tests to tests/admin_views/tests.py.
    - debian/patches/CVE-2014-0483-bug23329.patch: regression fix in
      django/contrib/admin/options.py, added tests to
      tests/admin_views/{admin,models,tests}.py.
    - debian/patches/CVE-2014-0483-bug23431.patch: regression fix in
      django/contrib/admin/options.py, added tests to
      tests/admin_views/{admin,models,tests}.py.
    - CVE-2014-0483

 -- Marc Deslauriers  Tue, 09 Sep 2014 13:37:23 -0400

python-django (1.6.1-2ubuntu0.3) trusty-security; urgency=medium

  * SECURITY UPDATE: cache coherency problems in old Internet Explorer
    compatibility functions lead to loss of privacy and cache poisoning
    attacks. (LP: #1317663)
    - debian/patches/drop_fix_ie_for_vary_1_6.diff: remove fix_IE_for_vary()
      and fix_IE_for_attach() functions so Cache-Control and Vary headers are
      no longer modified. This may introduce some regressions for IE 6 and
      IE 7 users. Patch from upstream.
    - CVE-2014-1418
  * SECURITY UPDATE: The validation for redirects did not correctly validate
    some malformed URLs, which are accepted by some browsers. This allows a
    user to be redirected to an unsafe URL unexpectedly.
    - debian/patches/is_safe_url_1_6.diff: Forbid URLs starting with '///',
      forbid URLs without a host but with a path. Patch from upstream.

 -- Seth Arnold  Wed, 14 May 2014 10:27:37 -0700

python-django (1.6.1-2ubuntu0.2) trusty-security; urgency=medium

  * SECURITY REGRESSION: security fix regression when a view is a partial
    (LP: #1311433)
    - debian/patches/CVE-2014-0472-regression.patch: create the lookup_str
      from the original function whenever a partial is provided as an
      argument to a url pattern in django/core/urlresolvers.py, added tests
      to tests/urlpatterns_reverse/urls.py,
      tests/urlpatterns_reverse/views.py.
    - CVE-2014-0472

 -- Marc Deslauriers  Tue, 22 Apr 2014 23:05:51 -0400

python-django (1.6.1-2ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: unexpected code execution using reverse() (LP: #1309779)
    - debian/patches/CVE-2014-0472.patch: added filtering to
      django/core/urlresolvers.py, added tests to
      tests/urlpatterns_reverse/nonimported_module.py,
      tests/urlpatterns_reverse/tests.py, tests/urlpatterns_reverse/urls.py,
      tests/urlpatterns_reverse/views.py.
    - CVE-2014-0472
  * SECURITY UPDATE: caching of anonymous pages could reveal CSRF token
    (LP: #1309782)
    - debian/patches/CVE-2014-0473.patch: don't cache responses with a cookie
      in django/middleware/cache.py, added tests to tests/cache/tests.py.
    - CVE-2014-0473
  * SECURITY UPDATE: MySQL typecasting issue (LP: #1309784)
    - debian/patches/CVE-2014-0474.patch: convert arguments to correct type in
      django/db/models/fields/__init__.py, updated docs in
      docs/howto/custom-model-fields.txt, docs/ref/databases.txt,
      docs/ref/models/querysets.txt, docs/topics/db/sql.txt, added tests to
      tests/model_fields/tests.py.
    - CVE-2014-0474

 -- Marc Deslauriers  Sat, 19 Apr 2014 08:50:48 -0400

python-django (1.6.1-2) unstable; urgency=medium

  * Team upload.
  * d/patches/ticket21869.diff: Cherry pick upstream fix for building
    documentation against Sphinx 1.2.1.

 -- Barry Warsaw  Wed, 29 Jan 2014 18:37:51 +0000

python-django (1.6.1-1) unstable; urgency=medium

  * New upstream version.
  * Fix broken encoding in translations attribution. (Closes: #729194)

 -- Luke Faraone  Thu, 12 Dec 2013 15:46:01 -0500

python-django (1.6-1) unstable; urgency=low

  * New upstream version. Closes: #557474, #724637.
  * python-django now also suggests the installation of ipython, bpython,
    python-django-doc, and libgdal1. Closes: #636511, #686333, #704203
  * Set package maintainer to Debian Python Modules Team.
  * Bump standards version to 3.9.5, no changes needed.

 -- Luke Faraone  Thu, 07 Nov 2013 15:33:49 -0500

python-django (1.5.4-1) unstable; urgency=high

  * New upstream security release. Fixes CVE-2013-1443. Closes: #723043.
    https://www.djangoproject.com/weblog/2013/sep/15/security/
    - Denial-of-service via large passwords. CVE-2013-1443

 -- Luke Faraone  Sun, 15 Sep 2013 15:50:10 -0400

python-django (1.5.3-1) unstable; urgency=high

  * New upstream security release. Fixes CVE-2013-4315.
    Closes: #722605
    https://www.djangoproject.com/weblog/2013/sep/10/security-releases-issued/
    - Directory traversal with ssi template tag
  * Update doc-base file to drop some removed directories in the HTML doc.
  * Update Standards-Version to 3.9.4.
  * Bump debhelper compat level to 9.

 -- Raphaël Hertzog  Fri, 13 Sep 2013 00:05:19 +0200

python-django (1.5.2-1) unstable; urgency=high

  * New upstream security release.
    https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/
    - Cross-site scripting (XSS) in admin interface
    - Possible XSS via is_safe_url

 -- Luke Faraone  Tue, 13 Aug 2013 16:49:39 -0400

python-django (1.5.1-2) unstable; urgency=low

  [ Jakub Wilk ]
  * Use canonical URIs for Vcs-* fields.

  [ Luke Faraone ]
  * Upload to unstable.

 -- Luke Faraone  Thu, 09 May 2013 15:10:47 -0400

python-django (1.5.1-1) experimental; urgency=low

  * New upstream release.
  * Add self to uploaders field.

 -- Luke Faraone  Thu, 28 Mar 2013 17:17:10 -0400

python-django (1.5-1) experimental; urgency=low

  * New upstream release. Closes: #646634, #663230, #436983

 -- Luke Faraone  Fri, 22 Mar 2013 17:52:30 -0400

python-django (1.4.5-1) unstable; urgency=high

  * New upstream maintenance release dropping some undesired .pyc files and
    fixing a documentation link.
  * High urgency due to former security updates.

 -- Raphaël Hertzog  Sun, 24 Feb 2013 10:28:08 +0100

python-django (1.4.4-1) unstable; urgency=low

  * New upstream security and maintenance release. Closes: #701186
    https://www.djangoproject.com/weblog/2013/feb/19/security/
    Fixes multiple security issues:
    - Further fixes for Host header poisoning. CVE-2012-4520
    - XML attacks via entity expansion. CVE-2013-1665
    - Data leakage via admin history log. CVE-2013-0305
    - Formset denial-of-service. CVE-2013-0306
  * Add gettext to Suggests since it's required for django-admin
    compilemessages / makemessages.
    Closes: #700483

 -- Raphaël Hertzog  Sat, 23 Feb 2013 09:33:13 +0100

python-django (1.4.3-1) unstable; urgency=high

  * New upstream security and maintenance release. Closes: #696535
    https://www.djangoproject.com/weblog/2012/dec/10/security/
  * Drop debian/patches/01_fix-self-tests.diff, merged upstream.

 -- Raphaël Hertzog  Wed, 26 Dec 2012 15:49:32 +0100

python-django (1.4.2-2) unstable; urgency=low

  * Don't fail self-tests if MANAGERS or ADMINS is defined in settings.py.
    Add upstream patch debian/patches/01_fix-self-tests.diff.
    Thanks to Jamie Strandboge for the report. Closes: #693752 LP: #1080204

 -- Raphaël Hertzog  Tue, 20 Nov 2012 08:28:37 +0100

python-django (1.4.2-1) unstable; urgency=high

  * New upstream security and maintenance release. Closes: #691145
    Fixes: CVE-2012-4520
  * Drop 01_use_stdlib_htmlparser_when_possible.diff which has been merged
    upstream.

 -- Raphaël Hertzog  Mon, 22 Oct 2012 10:53:30 +0200

python-django (1.4.1-2) unstable; urgency=low

  * New patch 01_use_stdlib_htmlparser_when_possible.diff to not override
    Python stdlib's HTMLParser with Python versions which are unaffected by
    http://bugs.python.org/issue670664 Closes: #683648
    Thanks to David Watson for the patch.
  * Update the above patch to use the version committed upstream
    (commit 57d9ccc).

 -- Raphaël Hertzog  Tue, 21 Aug 2012 08:42:10 +0200

python-django (1.4.1-1) unstable; urgency=low

  * New upstream security and maintenance release. Closes: #683364
    Fixes: CVE-2012-3442 CVE-2012-3443 CVE-2012-3444
  * Drop 01_disable_broken_test.diff and 04_hyphen-manpage.diff which have
    been merged upstream.

 -- Raphaël Hertzog  Thu, 02 Aug 2012 10:44:02 +0200

python-django (1.4-1) unstable; urgency=low

  * New upstream release. Closes: #666003
  * Fix watch file to correctly extract the version number from the URL.
  * Updated Standards-Version to 3.9.3 (no change needed).
  * Drop 01_disable_url_verify_regression_tests.diff since upstream test
    suite has been modified to work even without internet connection.
  * Update 04_hyphen-manpage.diff to apply again.
  * Drop 05_fix_djangodocs_sphinx_ext.diff which has been merged upstream.
  * Update 06_use_debian_geoip_database_as_default.diff to apply on renamed
    file.
  * Drop 07_fix_for_sphinx1.1.2.diff merged upstream.
  * Drop 08_fix_test_week_view_allow_future.diff, merged upstream.
  * Add 01_disable_broken_test.diff to disable a test that fails with the
    current python 2.7 version in Debian.

 -- Raphaël Hertzog  Sat, 31 Mar 2012 14:48:00 +0200

python-django (1.3.1-4) unstable; urgency=medium

  * Add 08_fix_test_week_view_allow_future.diff to fix a regression test that
    only worked in 2011. Closes: #655666

 -- Raphaël Hertzog  Tue, 17 Jan 2012 08:55:58 +0100

python-django (1.3.1-3) unstable; urgency=low

  * Add 06_use_debian_geoip_database_as_default.diff to use the default
    location of the GeoIP database used by the Debian package
    geoip-database-contrib. Closes: #645094
    Add this package to suggests. Thanks to Tapio Rantala for the patch.
  * Bump build-dep on python-sphinx to 1.0.8 to ensure we have a version
    where #641710 is fixed. Closes: #647134
  * Add 07_fix_for_sphinx1.1.2.diff to fix build with Sphinx 1.1.2.
    Thanks to Jakub Wilk for the advance warning. Closes: #649624

 -- Raphaël Hertzog  Mon, 28 Nov 2011 09:03:13 +0100

python-django (1.3.1-2) unstable; urgency=low

  * Update Build-Depends on locales to include a version requirement so that
    locales-all cannot satisfy it with its Provides: locales. Thanks to Jakub
    Wilk for the suggestion.
  * Enable 02_disable-sources-in-sphinxdoc.diff since #641710 has been fixed.
  * Add 05_fix_djangodocs_sphinx_ext.diff to support Sphinx 1.0.8.
    Closes: #643758

 -- Raphaël Hertzog  Wed, 12 Oct 2011 08:45:26 +0200

python-django (1.3.1-1) unstable; urgency=low

  * New upstream release.
    It includes security updates described here:
    https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/
    Closes: #641405
  * Update 01_disable_url_verify_regression_tests.diff and merge
    07_disable_url_verify_model_tests.diff into it.
  * Update patch headers to conform to DEP-3.
  * Apply patch from Steve Langasek to dynamically build the UTF-8 locale
    required by the test-suite instead of build-depending on locales-all.
    Closes: #630421
  * Use "dh --with sphinxdoc" to clean up the Sphinx generated documentation
    and avoid the embedded-javascript-library lintian warning. Build-Depends
    on python-sphinx >= 1.0.7+dfsg-1 for this and also add
    ${sphinxdoc:Depends} to python-django-doc Depends field.
  * Cleanup build-dependencies now that even oldstable has python 2.5.
  * Switch to dh_python2 as python helper tool. Drop legacy files
    debian/pyversions and debian/pycompat.
  * New patch 02_disable-sources-in-sphinxdoc.diff to not generate the
    _sources directory that we used to remove manually within the rules file.
    But must be kept disabled until #641710 is fixed.
  * Properly support DEB_BUILD_OPTIONS=nocheck despite the override of
    dh_auto_test.

 -- Raphaël Hertzog  Thu, 15 Sep 2011 12:43:51 +0200

python-django (1.3-2) unstable; urgency=low

  * Team upload.

  [ Chris Lamb ]
  * Don't remove "backup~" test file - upstream did ship it; we were just
    removing it with dh_clean.

  [ Piotr Ożarowski ]
  * Fix builds with non-default Python versions installed
  * Bump Standards-Version to 3.9.2 (no changes needed)

 -- Piotr Ożarowski  Mon, 02 May 2011 22:23:37 +0200

python-django (1.3-1) unstable; urgency=low

  * New upstream release.
    - Update 01_disable_url_verify_regression_tests.diff.
    - Update 07_disable_url_verify_model_tests.diff.
    - Merge patch from Krzysztof Klimonda to disable more network access
      tests. (Closes: #598674)
  * Add workaround for missing "backup~" file in release tarball. See .

 -- Chris Lamb  Thu, 24 Mar 2011 15:04:53 +0000

python-django (1.2.5-1) unstable; urgency=low

  * New upstream release.
  * Do not compress objects.inv used by Sphinx generated documentation.
    Thanks to Michael Fladischer for the report. Closes: #608769

 -- Raphaël Hertzog  Sat, 12 Feb 2011 08:59:33 +0100

python-django (1.2.4-1) unstable; urgency=high

  * New bugfix-only upstream release. It includes security fixes.
    http://www.djangoproject.com/weblog/2010/dec/22/security/
  * Drop patches merged upstream:
    - debian/patches/05_fix_regression_tests.diff
    - debian/patches/06_fix_regression_tests.diff
  * Update 01_disable_url_verify_regression_tests.diff to cope with the
    updated regressions tests.
  * Update 03_manpage.diff and 04_hyphen-manpage.diff to cope with changes in
    the manual page.

 -- Raphaël Hertzog  Fri, 31 Dec 2010 11:40:28 +0100

python-django (1.2.3-2) unstable; urgency=low

  * Team upload.
  * Disable model tests that require an internet connection. Closes: #601070
  * Include python.mk conditionally as explained in its header. Helps
    backports to Lenny which has no python.mk. Closes: #601608

 -- Evgeni Golov  Thu, 28 Oct 2010 12:37:15 +0200

python-django (1.2.3-1) unstable; urgency=low

  [ Krzysztof Klimonda ]
  * New upstream release. Closes: #596893 LP: #636482
  * Fixes both an XSS vulnerability introduced in 1.2 series and the
    regressions caused by 1.2.2 release. Closes: #596205
  * debian/control:
    - depend on language packs for en_US.utf8 locales required for unit tests.
  * debian/rules:
    - re-enable build time tests.
    - set LC_ALL to en_US.utf8 for test suite.
  * debian/patches/series:
    - two new patches: 05_fix_regression_tests.diff and
      06_fix_regression_tests.diff backported from 1.2.x branch to fix test
      suite failures.

  [ Raphaël Hertzog ]
  * Update Standards-Version to 3.9.1.
  * Drop "--with quilt" and quilt build-dependency since the package is
    already using source format "3.0 (quilt)".

 -- Raphaël Hertzog  Sat, 18 Sep 2010 19:37:03 +0200

python-django (1.2.1-1) unstable; urgency=low

  * New upstream bugfix release.

 -- Chris Lamb  Mon, 24 May 2010 22:44:32 +0100

python-django (1.2-1) unstable; urgency=low

  * New upstream stable release.

 -- Chris Lamb  Fri, 21 May 2010 07:52:55 +0100

python-django (1.2~rc1-1) experimental; urgency=low

  * New upstream release candidate.
  * Remove "02-embedded_code_copies.diff" - not needed anymore.
  * Refresh "01_disable_url_verify_regression_tests.diff".
  * Refresh "04_hyphen-manpage.diff".
  * Temporarily disable test runner due to failing date-related tests.

 -- Chris Lamb  Thu, 06 May 2010 10:25:10 +0100

python-django (1.2~beta1-1) experimental; urgency=low

  * New upstream development release.
  * Switch to dpkg-source 3.0 (quilt) format
  * Bump Standards-Version to 3.8.4.
  * Remove "0.96 -> 1.x" NEWS entry.
  * jQuery added to admin system upstream:
    - Add libjs-jquery to python-django's Recommends
    - Use symlinks so we use the version from libjs-jquery over an embedded
      code copy.

 -- Chris Lamb  Tue, 09 Feb 2010 13:47:34 +0000

python-django (1.2~alpha1-1) experimental; urgency=low

  * New upstream development release:
    This is the first in a series of preview/development releases leading up
    to the eventual release of Django 1.2, currently scheduled to take place
    in March 2010.
  * Update "01_disable_url_verify_regression_tests.diff" - tests now use the
    unittest module instead of doctests.
  * Update "02-embedded_code_copies.diff".
  * Remove "05_ftbfs_in_november.diff" - applied upstream.
  * Remove "06_python_2.6.3_regression.diff" - applied upstream.
  * Update dh_auto_test - database engine is set differently in 1.2.
  * Remove useless ._DS_Store files.

 -- Chris Lamb  Wed, 06 Jan 2010 14:34:37 +0000

python-django (1.1.1-2) unstable; urgency=low

  * Remove embedded "decimal" code copy and use system version instead. The
    "doctest" code copy cannot be removed as parts of Django depend on
    modified behaviour.
    (Closes: #555419)
  * Fix FTBFS in November by applying patch from upstream bug #12125.
    (Closes: #555931)
  * Fix FTBFS under Python 2.6.3 by applying patch from upstream bug #11993.
    (Closes: #555969)

 -- Chris Lamb  Tue, 01 Dec 2009 23:46:22 +0000

python-django (1.1.1-1) unstable; urgency=high

  * New upstream security release - fixes pathological regular expression
    backtracking performance in URL and email fields which can be used as
    part of a denial of service attack.
  * Set Maintainer: to myself with thanks to Brett Parker.
  * Bump versioned build dependency on quilt to help backporters.
    (Closes: #547955)

 -- Chris Lamb  Sat, 10 Oct 2009 10:17:52 +0100

python-django (1.1-4) unstable; urgency=low

  * Sourceful upload to drop dependency on Python 2.4.

 -- Chris Lamb  Mon, 24 Aug 2009 08:16:11 +0100

python-django (1.1-3) unstable; urgency=low

  * Disable regression tests that require an internet connection.
    Patch by Krzysztof Klimonda. (Closes: #542996)
  * Bump Standards-Version to 3.8.3.

 -- Chris Lamb  Sun, 23 Aug 2009 18:13:18 +0100

python-django (1.1-2) unstable; urgency=low

  * Run testsuite on build.
  * Use "--with quilt" over specifying $(QUILT_STAMPFN)/unpatch dependencies.
  * Override clean target correctly.

 -- Chris Lamb  Fri, 14 Aug 2009 08:06:29 +0100

python-django (1.1-1) unstable; urgency=low

  * New upstream release.
  * Merge from experimental:
    - Ship FastCGI initscript and /etc/default file in python-django's
      examples directory (Closes: #538863)
    - Drop "05_10539-sphinx06-compatibility.diff"; it has been applied
      upstream.
    - Bump Standards-Version to 3.8.2.

 -- Chris Lamb  Wed, 29 Jul 2009 11:26:28 +0200

python-django (1.0.2-7) unstable; urgency=low

  * Fix compatibility with Python 2.6 and Python transitions in general.
    Thanks to Krzysztof Klimonda.

 -- Chris Lamb  Sat, 16 May 2009 00:09:47 +0100

python-django (1.0.2-6) unstable; urgency=low

  * Backport patch from to fix FTBFS when using python-sphinx >= 0.6.
    (Closes: #527492)

 -- Chris Lamb  Sun, 10 May 2009 22:11:09 +0100

python-django (1.0.2-5) unstable; urgency=low

  * Fix issue where newly created projects do not have their manage.py file
    executable.

 -- Chris Lamb  Thu, 26 Mar 2009 23:42:14 +0000

python-django (1.0.2-4) unstable; urgency=low

  * Programmatically replace most references to "django-admin.py" with
    "django-admin" in the generated documentation. (Closes: #519937)
  * Bump Standards-Version to 3.8.1; no changes.

 -- Chris Lamb  Tue, 24 Mar 2009 00:50:26 +0000

python-django (1.0.2-3) unstable; urgency=low

  * Split documentation into a separate python-django-doc package due to size
    (approximately 6Mb).

 -- Chris Lamb  Tue, 10 Mar 2009 21:13:57 +0000

python-django (1.0.2-2) unstable; urgency=low

  * Don't rely on the internal layout of python-support. (Closes: #517052)
  * Move to debhelper-based packaging for operational clarity:
    - Remove bashisms from binary-post-install.
    - Use quilt instead of simple-patchsys.mk and adjust existing patches so
      that we can apply with -p1 for the "quilt" source package type.
  * Adjust Build-Depends:
    - Bump debhelper requirement 7.0.50 for override_* feature.
    - Drop cdbs, python-dev and python-setuptools requirement.
    - Just Build-Depend on `python', not `python-dev'.
    - Drop versions on Build-Depends where they are satisfied in current
      oldstable (ie. etch).
  * debian/control:
    - Add python-sqlite to Suggests.
    - Remove repeated 'Priority' line in binary package stanza.
    - Update crufty long and short descriptions.
    - Add ${misc:Depends} in binary stanza for debhelper-using package.

 -- Chris Lamb  Sun, 08 Mar 2009 06:01:59 +0000

python-django (1.0.2-1) unstable; urgency=low

  [ Chris Lamb ]
  * New upstream bugfix release. Closes: #505783
  * Add myself to Uploaders with ACK from Brett.

  [ David Spreen ]
  * Remove python-pysqlite2 from Recommends because Python 2.5 includes
    sqlite library used by Django.
    Closes: #497886

  [ Sandro Tosi ]
  * debian/control
    - switch Vcs-Browser field to viewsvn

 -- Chris Lamb  Wed, 19 Nov 2008 21:31:00 +0000

python-django (1.0-1) unstable; urgency=low

  [ David Spreen ]
  * New _stable_ upstream release.

  [ Raphael Hertzog ]
  * This version fixes the latest security issue:
    http://www.djangoproject.com/weblog/2008/sep/02/security/
    Closes: #497765
  * Don't include source files of documentation in the binary package, keep
    only the HTML version.
  * Updated README.Debian with information about the switch from 0.96 to 1.0.
  * Remove execute right on /etc/bash_completion.d/django_bash_completion
  * Add debian/patches/04_hyphen-manpage.diff to fix a lintian message
    (hyphen-used-as-minus-sign usr/share/man/man1/django-admin.1.gz:156).
  * Don't compress javascript files.
  * Add libjs-jquery to Recommends since it's used by the HTML documentation.

 -- Raphael Hertzog  Thu, 04 Sep 2008 08:33:32 +0200

python-django (1.0~beta2+ds-1) unstable; urgency=low

  * Bumping up upstream version to push sources into unstable.
    (Thanks to Raphael Hertzog).

 -- David Spreen  Sat, 30 Aug 2008 20:56:09 -0700

python-django (1.0~beta2-3) unstable; urgency=low

  [ David Spreen ]
  * Updated the copyright information to include copyright and licenses for
    individual contributions.
  * Added the documentation to the main python-django package:
  * debian/python-django.install
    - Added installation of html documentation.
  * debian/python-django.doc-base
    - Added.
  * debian/control
    - Added Build-Depends-Indep on python-sphinx and libjs-jquery.
  * debian/rules
    - Readded code to build documentation.
    - Readded code to link to libjs-jquery.
  * debian/NEWS
    - Fixed format.
    - Added more comprehensive list of changes and references to local
      documentation as well as the wiki pages for backwards-incompatible
      changes.
  * debian/python-django.docs
    - Removed docs/*.txt since those are templates for the generated docs now
      included with doc-base.

 -- David Spreen  Fri, 29 Aug 2008 09:20:45 -0700

python-django (1.0~beta2-2) unstable; urgency=low

  [ David Spreen ]
  * Removed all -doc related files temporarily to push beta2 into unstable
    for extensive testing. The -doc package will be readded once this package
    is in unstable as recommended in
    http://lists.debian.org/debian-release/2008/08/msg01475.html.
  * debian/python-django-doc.install
    - Removed.
  * debian/python-django-doc.doc-base
    - Removed.
  * debian/python-django-doc.examples
    - Moved to python-django.examples.
  * debian/rules
    - Removed python-doc related build and post-installation.
  * debian/control
    - Removed binary package python-django-doc.
    - Removed Build-Depends-Indep on python-sphinx and libjs-jquery.
  * debian/python-django.install:
    - Removed multiple package related issues.

 -- David Spreen  Thu, 28 Aug 2008 20:15:21 -0700

python-django (1.0~beta2-1) experimental; urgency=low

  [ David Spreen ]
  * The `hooray for the documentation' release!
  * New upstream beta release.
  * debian/control
    - Updated standards version.
    - Added python-sphinx and libjs-jquery.
    - Added python-django-doc package depending on libjs-jquery.
  * debian/docs
    - Moved to debian/python-django.docs.
  * debian/install
    - Moved to debian/python-django.install.
  * debian/manpages
    - Moved to debian/python-django.manpages.
  * debian/examples
    - Moved to debian/python-django-doc.examples
  * debian/README.Debian
    - Moved to debian/python-django.README.Debian
  * debian/python-django-doc.doc-base:
    - Added doc-base file for the documentation.
  * debian/python-django-doc.install:
    - Added install file for sphinx generated documentation.
  * debian/rules:
    - Added code to generate documentation with sphinx and replace convenience
      file of jquery.js with the respective symlink to libjs-jquery.

 -- David Spreen  Thu, 28 Aug 2008 10:22:29 -0700

python-django (1.0~beta1-1) experimental; urgency=low

  [ David Spreen ]
  * New upstream beta release. Closes: #492956
  * debian/control: Added myself to Uploaders field.
* debian/watch: Added mangling for filename and version. Old watch file would name the download 'tarball'. Also added mangling to handle alpha and beta versioning. * Drop debian/patches/01_add_shebang.diff as this has been fixed upstream. * Drop debian/patches/02_bash_completion.diff as this has been committed upstream http://code.djangoproject.com/ticket/7268. * debian/control: Added python-flup to the Suggest field. Closes: #488123 * debian/patches/03_manpage.diff: Adapted patch to new upstream version. [ Jan Dittberner ] * add debian/watch file. -- David Spreen Fri, 15 Aug 2008 16:05:07 -0700 python-django (0.97~svn7534-1) experimental; urgency=low * New upstream snapshot. Closes: #409565, #481051 - Include an XSS security fix (CVE-2008-2302). Closes: #481164 * Drop debian/patches/04_pg_version_fix.diff as another fix has been committed upstream (see http://code.djangoproject.com/ticket/6433 and http://code.djangoproject.com/changeset/7415). * Add some headers to the remaining patches. -- Raphael Hertzog Mon, 19 May 2008 23:41:50 +0200 python-django (0.97~svn7189-1) experimental; urgency=low * New upstream snapshot including bash completion fix Closes: #450913 -- Brett Parker Sun, 02 Mar 2008 12:59:03 +0000 python-django (0.97~svn7047-2) experimental; urgency=low [ Brett Parker ] * Patch for postgresql version issue with 8.3 beta/rc releases Closes: #462058 [ Raphael Hertzog ] * Updated Standards-Version to 3.7.3. * Adjusted build-dependency on python-setuptools to strip the -1 part. 
-- Brett Parker Wed, 6 Feb 2008 15:15:37 +0000 python-django (0.97~svn7047-1) experimental; urgency=low * New upstream snapshot (rev 7047) - tarball prepared by Gabriel Falcão Gonçalves de Moura -- Gustavo Noronha Silva Tue, 29 Jan 2008 10:54:47 -0200 python-django (0.97~svn6996-1) experimental; urgency=low * New upstream snapshot * debian/control: - added myself to Uploaders -- Gustavo Noronha Silva Sat, 05 Jan 2008 20:53:23 -0200 python-django (0.97~svn6668-2) UNRELEASED; urgency=low [ Raphael Hertzog ] * Install examples with dh_installexamples instead of dh_installdocs (change done by Ubuntu) as empty files are kept. [ Sandro Tosi ] * debian/control - uniforming Vcs-Browser field -- Raphael Hertzog Mon, 17 Dec 2007 09:09:16 +0100 python-django (0.97~svn6668-1) experimental; urgency=low * New SVN snapshot (rev 6668) - Auth system delegations - Apps can now have thier own management commands - Fix for CVE-2007-5712 remote denial of service Closes: #448838 * Fix missing upstream info in changelog Closes: #450659 -- Brett Parker Sun, 11 Nov 2007 10:15:55 +0000 python-django (0.96+svn6373-1) experimental; urgency=low [ Raphael Hertzog ] * New SVN snapshot (rev 6373, a few days after the last Django sprint). * Note: The version 0.96+svn6034-1 never got uploaded. * Rename XS-Vcs* fields to Vcs-* since they are now supported by dpkg. [ Piotr Ożarowski ] * XS-Vcs-Browser and Homepage fields added -- Raphael Hertzog Thu, 04 Oct 2007 14:59:01 +0200 python-django (0.96+svn6034-1) experimental; urgency=low [ Brett Parker] * New SVN snapshot (rev 6034). * validate and runserver commands now display the number of errors (returning back to previous functionality). 
* Small documentation fixes * assertRedirects handling for paths with get data * start{project,app} no make sure files created are writable * Add man page for django-admin to the debian package -- Brett Parker Sat, 8 Sep 2007 10:37:00 +0100 python-django (0.96+svn6020-1) experimental; urgency=low * New SVN snapshot (rev 6020). -- Raphael Hertzog Sun, 26 Aug 2007 18:16:08 +0200 python-django (0.96+svn5779-1) experimental; urgency=low * SVN snapshot (rev 5779) packaged to experimental as many interesting Django applications rely on newer unreleased features. -- Raphael Hertzog Tue, 31 Jul 2007 13:40:18 +0200 python-django (0.96-1) unstable; urgency=low [ Brett Parker ] * New upstream release - introduces some backwards incompatible changes, see README.Debian or the backwards incompatible changes page at http://code.djangoproject.com/wiki/BackwardsIncompatibleChanges * Add documentation from upstream to /usr/share/doc/python-django Closes: #411249 * Install the bash completion file from extras in to /etc/bash_completion.d/django_bash_completion Closes: #414399 * Egg support dropped as it's been dropped by upstream. -- Brett Parker Sun, 25 Mar 2007 19:18:39 +0100 python-django (0.95.1-1) unstable; urgency=low [ Brett Parker ] * New upstream minor release for security bugs: - http://www.djangoproject.com/weblog/2007/jan/21/0951/ - Fixes a small security vulnerability in the script Django's internationalization system uses to compile translation files (changeset 4360 in the "0.95-bugfixes" branch). - fix for a bug in Django's authentication middleware which could cause apparent "caching" of a logged-in user (changeset 4361). - patch which disables debugging mode in the flup FastCGI package Django uses to launch its FastCGI server, which prevents tracebacks from bubbling up during production use (changeset 4363). Closes: #407786, #407607 * Sets Recommends to python-psycopg and moves other database engines to the Suggests field. 
[ Raphael Hertzog ] * Use python-pysqlite2 as default database engine in Recommends. Others are in Suggests. Closes: #403761 * Add python-psycopg2 in Suggests. Closes: #407489 -- Raphael Hertzog Sun, 21 Jan 2007 17:45:50 +0100 python-django (0.95-3) unstable; urgency=low * Integrate 2 upstream changesets: - http://code.djangoproject.com/changeset/3754 as debian/patches/04_sec_fix_auth.diff Fixes a possible case of mis-authentication due to bad caching. Closes: #407521 - http://code.djangoproject.com/changeset/3592 as debian/patches/03_sec_fix_compile-messages.diff Fixes an (unlikely) arbitrary command execution if the user is blindly running compile-messages.py on a untrusted set of *.po files. Closes: #407519 -- Raphael Hertzog Sat, 16 Dec 2006 15:13:29 +0100 python-django (0.95-2) unstable; urgency=low [ Piotr Ozarowski ] * Added XS-Vcs-Svn field [ Brett Parker ] * Made manage.py get a shebang with the version of python used when running django-admin (closes: #401616) * Created a convenience /usr/lib/python-django/bin symlink. [ Raphael Hertzog ] * Adapted Brett's work to better fit my views of the packaging. -- Raphael Hertzog Sat, 16 Dec 2006 11:03:20 +0100 python-django (0.95-1) unstable; urgency=low [ Brett Parker ] * 0.95 release - initial packaging [ Raphael Hertzog ] * Fix recommends: s/python-sqlite/python-pysqlite2/ * Add debian/pyversions to ensure that we have at least python 2.3 (and to work around bug #391689 of python-support). -- Raphael Hertzog Mon, 9 Oct 2006 12:10:27 +0200