Package: python-django / 1.4.5-1+deb7u16

Metadata

Package: python-django
Version: 1.4.5-1+deb7u16
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
02_disable sources in sphinxdoc.diff

docs/conf.py | 5 4 + 1 - 0 !
1 file changed, 4 insertions(+), 1 deletion(-)

 disable creation of _sources directory by sphinx
 We do this to save some space as the sources of the documentation
 are not really useful in a binary package.
 .
 This is a Debian specific patch.
03_manpage.diff

docs/man/django-admin.1 | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

 update manual page to refer to django-admin instead of django-admin.py
 Update the manual page to speak of django-admin instead of
 django-admin.py as that's the name used by the Debian package.
 .
 This is a Debian specific patch.
06_use_debian_geoip_database_as_default.diff

django/contrib/gis/geoip/base.py | 20 11 + 9 - 0 !
1 file changed, 11 insertions(+), 9 deletions(-)

 use debian geoip database path as default
 Default to Debian standard path for GeoIP directory and for GeoIP city
 file. Avoids the need to declare them in each project.
 .
 This is a Debian specific patch.
Bug-Debian: http://bugs.debian.org/645094

is_safe_url 1.4.diff

django/contrib/auth/tests/views.py | 8 6 + 2 - 0 !
django/utils/http.py | 7 4 + 3 - 0 !
2 files changed, 10 insertions(+), 5 deletions(-)

 possible xss via ``is_safe_url``

A common pattern in Django applications is for a view to accept, via
querystring parameter, a URL to redirect to upon successful completion
of the view's processing. This pattern is used in code bundled with
Django itself; for example, the ``login`` view in
``django.contrib.auth.views``, which accepts such a parameter to
determine where to send a user following successful login.

A utility function -- ``django.utils.http.is_safe_url()`` -- is
provided and used to validate that this URL is on the current host
(either via fully-qualified or relative URL), so as to avoid
potentially dangerous redirects from maliciously-constructed
querystrings.

The ``is_safe_url()`` function works as intended for HTTP and HTTPS
URLs, but due to the manner in which it parses the URL, will permit
redirects to other schemes, such as ``javascript:``. While the Django
project is unaware of any demonstrated ability to perform cross-site
scripting attacks via this mechanism, the potential for such is
sufficient to trigger a security response.

To remedy this issue, the ``is_safe_url()`` function will be modified
to properly recognize and reject URLs which specify a scheme other
than HTTP or HTTPS.


uri fix.diff

tests/modeltests/validation/tests.py | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 use name that won't resolve in tests.

ssi tag 1.4.diff

django/template/defaulttags.py | 2 2 + 0 - 0 !
tests/regressiontests/templates/tests.py | 31 31 + 0 - 0 !
2 files changed, 33 insertions(+)

 directory traversal with ``ssi`` template tag

Django's template language includes two methods of including and
rendering one template inside another:

1. The ``{% include %}`` tag takes a template name, and uses Django's
   template loading mechanism (which is restricted to the directories
   specified in the ``TEMPLATE_DIRS`` setting, as with any other
   normal template load in Django).

2. The ``{% ssi %}`` tag, which takes a file path and includes that
   file's contents (optionally parsing and rendering it as a
   template).

Since the ``ssi`` tag is not restricted to ``TEMPLATE_DIRS``, it
represents a security risk; the setting ``ALLOWED_INCLUDE_ROOTS`` thus
is required, and specifies filesystem locations from which ``ssi`` may
read files.

To remedy this, the ``ssi`` tag will now use Python's
``os.path.abspath`` to determine the absolute path of the file, and
whether it is actually located within a directory permitted by
``ALLOWED_INCLUDE_ROOTS``.
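As an added example (not Django's ``ssi`` tag code), the kind of check the entry above describes: the requested path is normalised with ``os.path.abspath`` and then accepted only if it sits under one of the configured include roots. The function names, the ``read_include`` wrapper and the sample root ``/srv/www/includes`` are constructed for this example; ``os.path.commonpath`` is used instead of a plain string-prefix test so that a sibling directory sharing the root's name as a prefix is not accepted.

```python
import os
import tempfile


def is_within_allowed_roots(filepath, allowed_roots):
    """True only if `filepath` normalises to a location under one of
    `allowed_roots`. Constructed example of an abspath-based root check; the
    comparison is done on whole path components, so a root of
    "/srv/www/includes" does not accept "/srv/www/includes-private/x"."""
    target = os.path.abspath(filepath)
    for root in allowed_roots:
        root_abs = os.path.abspath(root)
        if os.path.commonpath([target, root_abs]) == root_abs:
            return True
    return False


def read_include(filepath, allowed_roots):
    """Read an include file only after the root check passes. Returns None
    for anything outside the allowed roots instead of touching the file."""
    if not is_within_allowed_roots(filepath, allowed_roots):
        return None
    with open(os.path.abspath(filepath), encoding="utf-8") as fh:
        return fh.read()


# Constructed root, as ALLOWED_INCLUDE_ROOTS would name it.
SAMPLE_ROOTS = ["/srv/www/includes"]


def demo():
    """Create a throwaway tree with one file inside the include root and one
    outside it; return what read_include() yields for each."""
    with tempfile.TemporaryDirectory() as root:
        inc = os.path.join(root, "includes")
        os.mkdir(inc)
        with open(os.path.join(inc, "header.html"), "w", encoding="utf-8") as fh:
            fh.write("<h1>site</h1>")
        with open(os.path.join(root, "secret.txt"), "w", encoding="utf-8") as fh:
            fh.write("do-not-serve")
        allowed = read_include(os.path.join(inc, "header.html"), [inc])
        # "includes/../secret.txt" normalises to a path outside the root.
        blocked = read_include(os.path.join(inc, "..", "secret.txt"), [inc])
        return allowed, blocked


if __name__ == "__main__":
    print(demo())
```

``os.path.abspath`` normalises ``..`` segments but does not resolve symbolic links; if an include root may contain symlinks pointing elsewhere, apply the same comparison to ``os.path.realpath`` of both sides.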


password dos.diff

django/contrib/auth/forms.py | 51 37 + 14 - 0 !
django/contrib/auth/hashers.py | 28 27 + 1 - 0 !
django/contrib/auth/tests/hashers.py | 64 63 + 1 - 0 !
3 files changed, 127 insertions(+), 16 deletions(-)

 ensure that passwords are never long enough for a dos.
 * Limit the password length to 4096 bytes
 * Password hashers will raise a ValueError
 * django.contrib.auth forms will fail validation
 * Document in release notes that this is a backwards incompatible change

Thanks to Josh Wright for the report, and Donald Stufft for the patch.

Some changes were stripped from this patch since they also apply fixes to
UnsaltedSHA1PasswordHasher which is not shipped in the version of Django
in Debian.
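An added example of the guard described above (constructed for this page, not Django's hasher code): the password's length is measured in UTF-8 bytes and checked against a 4096-byte limit before any key derivation runs, so an oversized login attempt costs no hashing work. PBKDF2-HMAC-SHA256 with a constructed iteration count and encoding format stands in for the real hasher; ``PasswordTooLong`` subclasses ``ValueError`` to match the behaviour the entry describes.

```python
import hashlib
import hmac
import os

MAX_PASSWORD_BYTES = 4096


class PasswordTooLong(ValueError):
    """Raised for a password whose UTF-8 encoding exceeds the byte limit."""


def check_password_length(password):
    """Return the UTF-8 size of `password`, raising PasswordTooLong above the
    limit. The limit is in bytes, not characters: the hasher consumes bytes,
    and a multi-byte character costs more than one."""
    size = len(password.encode("utf-8"))
    if size > MAX_PASSWORD_BYTES:
        raise PasswordTooLong("password is %d bytes, limit is %d"
                              % (size, MAX_PASSWORD_BYTES))
    return size


def is_rejected(password):
    """Convenience predicate: does the length check refuse this password?"""
    try:
        check_password_length(password)
    except PasswordTooLong:
        return True
    return False


def make_password(password, salt=None, iterations=100_000):
    """Length check first, then PBKDF2-HMAC-SHA256. The iteration count and
    the "$"-separated encoding are constructed for this example."""
    check_password_length(password)
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, encoded):
    """Re-derive and compare in constant time. An over-long candidate is
    refused before any derivation, which is what closes the DoS."""
    try:
        check_password_length(password)
    except PasswordTooLong:
        return False
    algorithm, iterations, salt_hex, digest_hex = encoded.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    encoded = make_password("example-passphrase")
    print(encoded)
    print(verify_password("example-passphrase", encoded))
    print(is_rejected("a" * 4097), is_rejected("\u00e9" * 2049))
```

The last line of the demo shows why the limit is expressed in bytes: 2049 copies of a two-byte character are rejected even though the string is well under 4096 characters long.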


password 2.5 compat.diff

django/contrib/auth/tests/hashers.py | 18 9 + 9 - 0 !
1 file changed, 9 insertions(+), 9 deletions(-)

 removed usage of b"" string syntax for python 2.5 compatibility.


reverse execution 1.4.x.patch

django/core/urlresolvers.py | 22 21 + 1 - 0 !
tests/regressiontests/urlpatterns_reverse/nonimported_module.py | 3 3 + 0 - 0 !
tests/regressiontests/urlpatterns_reverse/tests.py | 23 22 + 1 - 0 !
tests/regressiontests/urlpatterns_reverse/urls.py | 1 1 + 0 - 0 !
tests/regressiontests/urlpatterns_reverse/views.py | 4 4 + 0 - 0 !
5 files changed, 51 insertions(+), 2 deletions(-)

 unexpected code execution using ``reverse()``

Django's URL handling is based on a mapping of regex patterns
(representing the URLs) to callable views, and Django's own processing
consists of matching a requested URL against those patterns to
determine the appropriate view to invoke.

Django also provides a convenience function --
``django.core.urlresolvers.reverse()`` -- which performs this process
in the opposite direction. The ``reverse()`` function takes
information about a view, and returns a URL which would invoke that
view. Use of ``reverse()`` is encouraged for application developers,
as the output of ``reverse()`` is always based on the current URL
patterns, meaning developers do not need to change other code when
making changes to URLs.

One argument signature for ``reverse()`` is to pass a dotted Python
path to the desired view. In this situation, Django will import the
module indicated by that dotted path as part of generating the
resulting URL. If such a module has import-time side effects, those
side effects will occur.

Thus it is possible for an attacker to cause unexpected code
execution, given the following conditions:

1. One or more views are present which construct a URL based on user
   input (commonly, a "next" parameter in a querystring indicating
   where to redirect upon successful completion of an action).

2. One or more modules known to an attacker to exist on the server's
   Python import path, which perform code execution with side effects
   on importing.

To remedy this, ``reverse()`` will now only accept and import dotted
paths based on the view-containing modules listed in the project's URL
pattern configuration, so as to ensure that only modules the developer
intended to be imported in this fashion can or will be imported.
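An added example of the remedy described above (constructed for this page, not Django's ``urlresolvers`` code): the set of view modules is derived from the URL configuration up front, and a dotted path supplied at request time is imported only if its module is in that set, so a module outside the configuration is refused before its import-time code can run. Standard-library callables stand in for views; the ``this`` module, whose import prints text, is used as a stand-in for a module with import-time side effects.

```python
import importlib
import sys


class ViewLookupError(LookupError):
    """Raised when a dotted path names a module outside the URL config."""


def view_modules(urlconf_views):
    """Collect the module part of every dotted view path in the URL config."""
    modules = set()
    for dotted in urlconf_views:
        module_name, _, _ = dotted.rpartition(".")
        if module_name:
            modules.add(module_name)
    return modules


def get_view(dotted_path, allowed_modules):
    """Import and return the callable at `dotted_path`, but only when its
    module is one the URL configuration already names. The allow-list is
    consulted before importlib is touched, so an unlisted module's
    import-time side effects never run."""
    module_name, _, attr = dotted_path.rpartition(".")
    if module_name not in allowed_modules:
        raise ViewLookupError("module %r is not a configured view module"
                              % module_name)
    module = importlib.import_module(module_name)
    try:
        return getattr(module, attr)
    except AttributeError:
        raise ViewLookupError("no view %r in %r" % (attr, module_name)) from None


# Constructed stand-in for a URL configuration: stdlib callables play the
# role of views so the example runs without Django.
SAMPLE_URLCONF_VIEWS = ["json.dumps", "json.loads", "os.path.join"]
ALLOWED_VIEW_MODULES = view_modules(SAMPLE_URLCONF_VIEWS)


def lookup_from_user_input(next_param):
    """Model of a view building a URL from a user-supplied "next" value.
    Returns (callable, None) on success or (None, error message) when the
    path is refused, without importing anything in the refused case."""
    try:
        return get_view(next_param, ALLOWED_VIEW_MODULES), None
    except ViewLookupError as exc:
        return None, str(exc)


def is_module_loaded(name):
    """Has `name` been imported into this process?"""
    return name in sys.modules


if __name__ == "__main__":
    print(lookup_from_user_input("json.loads"))
    # Refused before import: nothing is printed by the "this" module.
    print(lookup_from_user_input("this.s"), is_module_loaded("this"))
```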


cache csrf 1.4.x.patch

django/middleware/cache.py | 10 9 + 1 - 0 !
tests/regressiontests/cache/tests.py | 27 27 + 0 - 0 !
2 files changed, 36 insertions(+), 1 deletion(-)

 prevent leaking the csrf token through caching.
    
Django includes both a caching framework and a system for preventing
cross-site request forgery (CSRF) attacks. The CSRF-protection system
is based on a random nonce sent to the client in a cookie which must
be sent by the client on future requests, and in forms a hidden value
which must be submitted back with the form.

The caching framework includes an option to cache responses to
anonymous (i.e., unauthenticated) clients.

When the first anonymous request to a given page was by a client which
did not have a CSRF cookie, the cache framework will also cache the
CSRF cookie, and serve the same nonce to other anonymous clients who
do not have a CSRF cookie. This allows an attacker to obtain a valid
CSRF cookie value and perform attacks which bypass the check for the
cookie.

To remedy this, the caching framework will no longer cache such
responses. The heuristic for this will be:

1. If the incoming request did not submit any cookies, and

2. The response did send one or more cookies, and

3. The ``Vary: Cookie`` header is set on the response, then the
   response will not be cached.
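The three-part rule above, as an added example (constructed for this page, not Django's cache middleware). Request headers are a plain dict and response headers a list of pairs so that several ``Set-Cookie`` lines can be represented; header names are compared case-insensitively and the ``Vary`` value is split into its field names before ``Cookie`` is looked for.

```python
def _vary_fields(vary_header):
    """Split a Vary header value into its lower-cased field names."""
    if not vary_header:
        return set()
    return {field.strip().lower()
            for field in vary_header.split(",") if field.strip()}


def response_is_cacheable(request_headers, response_headers):
    """Apply the rule: do not cache when (1) the request sent no cookies,
    (2) the response sets at least one cookie, and (3) the response varies
    on Cookie. Any other response is left to the cache's normal rules."""
    request_cookie = next((v for k, v in request_headers.items()
                           if k.lower() == "cookie"), "")
    set_cookies = [v for k, v in response_headers if k.lower() == "set-cookie"]
    vary = ",".join(v for k, v in response_headers if k.lower() == "vary")
    if (not request_cookie) and set_cookies and "cookie" in _vary_fields(vary):
        return False
    return True


# Constructed exchanges. The CSRF cookie value is a placeholder.
FIRST_ANON_REQUEST = {"Host": "example.com", "User-Agent": "example"}
REQUEST_WITH_COOKIE = {"Host": "example.com", "Cookie": "sessionid=EXAMPLE"}
RESPONSE_SETS_CSRF = [
    ("Content-Type", "text/html"),
    ("Vary", "Accept-Encoding, Cookie"),
    ("Set-Cookie", "csrftoken=PLACEHOLDER; Path=/"),
]
RESPONSE_NO_COOKIE = [("Content-Type", "text/html"), ("Vary", "Cookie")]


if __name__ == "__main__":
    # The first anonymous hit that mints a CSRF cookie must not be cached,
    # otherwise every later anonymous client receives the same nonce.
    print(response_is_cacheable(FIRST_ANON_REQUEST, RESPONSE_SETS_CSRF))
    print(response_is_cacheable(REQUEST_WITH_COOKIE, RESPONSE_SETS_CSRF))
    print(response_is_cacheable(FIRST_ANON_REQUEST, RESPONSE_NO_COOKIE))
```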


mysql typecast 1.4.x.diff

django/db/models/fields/__init__.py | 16 15 + 1 - 0 !
docs/howto/custom-model-fields.txt | 10 10 + 0 - 0 !
docs/ref/databases.txt | 16 16 + 0 - 0 !
docs/ref/models/querysets.txt | 10 10 + 0 - 0 !
docs/topics/db/sql.txt | 10 10 + 0 - 0 !
tests/regressiontests/model_fields/tests.py | 94 93 + 1 - 0 !
6 files changed, 154 insertions(+), 2 deletions(-)

 mysql typecasting protection

The MySQL database is known to "typecast" on certain queries; for
example, when querying a table which contains string values, but using
a query which filters based on an integer value, MySQL will first
silently coerce the strings to integers, and return a result based on
that.

Django's model field classes are aware of their own types, and most
such classes perform explicit conversion of query arguments to the
correct database-level type before querying. However, three model
field classes did not correctly convert their arguments:

* ``FilePathField``

* ``GenericIPAddressField``

* ``IPAddressField``

These three fields have been updated to convert their arguments to the
correct types before querying.

Additionally, developers of custom model fields are now warned via
documentation to ensure their custom field classes will perform
appropriate type conversions, and users of the ``raw()`` and
``extra()`` query methods -- which allow the developer to supply raw
SQL or SQL fragments -- will be advised to ensure they perform
appropriate manual type conversions prior to executing queries.
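An added example of the field-level conversion the entry above calls for (constructed for this page, not Django's field code): a lookup value for an IP-address column is validated and normalised with the ``ipaddress`` module before it is placed in the query parameters, so an integer such as ``0`` is refused on the Python side rather than handed to MySQL, where it would be compared against coerced column values. The prep functions, the ``FIELD_PREP`` mapping and the ``build_where`` helper are constructed names.

```python
import ipaddress


def get_prep_ip_lookup(value):
    """Return the canonical string form of an IP address, or raise.
    TypeError for non-strings (an int 0 would otherwise reach the database),
    ValueError for strings that are not an IPv4/IPv6 address."""
    if isinstance(value, (ipaddress.IPv4Address, ipaddress.IPv6Address)):
        return str(value)
    if not isinstance(value, str):
        raise TypeError("IP lookup value must be a string, got %s"
                        % type(value).__name__)
    return str(ipaddress.ip_address(value.strip()))


def get_prep_text_lookup(value):
    """For a path-like text column: accept only text, never a number."""
    if not isinstance(value, str):
        raise TypeError("text lookup value must be a string, got %s"
                        % type(value).__name__)
    return value


# Column name -> prep function, standing in for a model's field classes.
FIELD_PREP = {"ip": get_prep_ip_lookup, "path": get_prep_text_lookup}


def build_where(filters):
    """Return (sql_fragment, params) for an AND of equality filters, with
    every value passed through its column's prep function first. A value the
    column cannot represent raises here instead of reaching the database."""
    clauses, params = [], []
    for column, value in filters.items():
        clauses.append("%s = %%s" % column)
        params.append(FIELD_PREP[column](value))
    return " AND ".join(clauses), params


def describe_lookup(column, value):
    """("ok", prepared value) or ("rejected", exception class name)."""
    try:
        return "ok", FIELD_PREP[column](value)
    except (TypeError, ValueError) as exc:
        return "rejected", type(exc).__name__


if __name__ == "__main__":
    print(build_where({"ip": "192.0.2.1", "path": "/srv/files/a.txt"}))
    for value in ("192.0.2.1", " 2001:db8::1 ", 0, "0", None):
        print(repr(value), describe_lookup("ip", value))
```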


2601.patch

django/core/urlresolvers.py | 4 4 + 0 - 0 !
tests/regressiontests/urlpatterns_reverse/urls.py | 6 5 + 1 - 0 !
tests/regressiontests/urlpatterns_reverse/views.py | 10 10 + 0 - 0 !
3 files changed, 19 insertions(+), 1 deletion(-)

 fixed #22486: reverse raises attributeerror on partial functions.

Create the lookup_str from the original function whenever a partial
is provided as an argument to a url pattern.

is_safe_url_1_4.diff

django/contrib/auth/tests/views.py | 12 8 + 4 - 0 !
django/utils/http.py | 12 12 + 0 - 0 !
tests/regressiontests/utils/http.py | 30 30 + 0 - 0 !
3 files changed, 50 insertions(+), 4 deletions(-)

 malformed urls from user input incorrectly validated (cve-2014-3730)

The validation for redirects did not correctly validate some malformed
URLs, which are accepted by some browsers. This allows a user to be
redirected to an unsafe URL unexpectedly.

Django relies on user input in some cases (e.g.
:func:`django.contrib.auth.views.login`, ``django.contrib.comments``,
and :doc:`i18n </topics/i18n/index>`) to redirect the user to an "on
success" URL. The security checks for these redirects (namely
``django.utils.http.is_safe_url()``) did not correctly validate some
malformed URLs, such as `http:\\\\\\djangoproject.com`, which are
accepted by some browsers with more liberal URL parsing.

To remedy this, the validation in ``is_safe_url()`` has been tightened
to be able to handle and correctly validate these malformed URLs.


drop_fix_ie_for_vary_1_4.diff

django/core/handlers/base.py | 2 0 + 2 - 0 !
django/http/utils.py | 54 0 + 54 - 0 !
tests/regressiontests/utils/http.py | 44 0 + 44 - 0 !
3 files changed, 100 deletions(-)

 caches may be allowed to store and serve private data (cve-2014-1418)

In certain situations, Django may allow caches to store private data
related to a particular session and then serve that data to requests

FTBFS exception in servers tests tear down.patch

tests/regressiontests/servers/tests.py | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 fix exception in servers tests tear down

admin data leak 1.4.diff

django/contrib/admin/exceptions.py | 6 6 + 0 - 0 !
django/contrib/admin/options.py | 18 18 + 0 - 0 !
django/contrib/admin/views/main.py | 6 5 + 1 - 0 !
tests/regressiontests/admin_views/tests.py | 21 17 + 4 - 0 !
4 files changed, 46 insertions(+), 5 deletions(-)

---
file upload 1.4.diff

django/core/files/storage.py | 11 5 + 6 - 0 !
django/utils/six.py | 9 9 + 0 - 0 !
docs/howto/custom-file-storage.txt | 12 10 + 2 - 0 !
docs/ref/files/storage.txt | 16 13 + 3 - 0 !
tests/modeltests/files/tests.py | 21 13 + 8 - 0 !
tests/regressiontests/file_storage/tests.py | 23 14 + 9 - 0 !
6 files changed, 64 insertions(+), 28 deletions(-)

---
remote user 1.4.diff

django/contrib/auth/middleware.py | 28 25 + 3 - 0 !
django/contrib/auth/tests/remote_user.py | 18 18 + 0 - 0 !
2 files changed, 43 insertions(+), 3 deletions(-)

---
reverse 1.4.diff

django/core/urlresolvers.py | 2 2 + 0 - 0 !
tests/regressiontests/urlpatterns_reverse/tests.py | 3 3 + 0 - 0 !
tests/regressiontests/urlpatterns_reverse/urls.py | 3 3 + 0 - 0 !
3 files changed, 8 insertions(+)

---
CVE 2015 0219.diff

django/core/servers/basehttp.py | 11 11 + 0 - 0 !
tests/regressiontests/servers/servers/test_basehttp.py | 67 67 + 0 - 0 !
2 files changed, 78 insertions(+)

---
CVE 2015 0219 fix.diff

django/core/servers/basehttp.py | 33 0 + 33 - 0 !
tests/regressiontests/servers/servers/test_basehttp.py | 67 0 + 67 - 0 !
tests/regressiontests/servers/tests.py | 67 66 + 1 - 0 !
3 files changed, 66 insertions(+), 101 deletions(-)

 [patch] [1.4.x] fixed #24238 -- removed unused
 WSGIRequestHandler.get_environ()

Also moved the test as it wasn't running.

CVE 2015 0220.diff

django/utils/http.py | 1 1 + 0 - 0 !
tests/regressiontests/utils/http.py | 7 4 + 3 - 0 !
2 files changed, 5 insertions(+), 3 deletions(-)

---
CVE 2015 0221.diff

django/views/static.py | 7 5 + 2 - 0 !
tests/regressiontests/views/media/long-line.txt | 1 1 + 0 - 0 !
tests/regressiontests/views/tests/static.py | 26 18 + 8 - 0 !
3 files changed, 24 insertions(+), 10 deletions(-)

---
CVE 2015 0221 regression fix.diff

django/middleware/gzip.py | 25 17 + 8 - 0 !
django/utils/text.py | 33 33 + 0 - 0 !
tests/regressiontests/middleware/tests.py | 13 13 + 0 - 0 !
3 files changed, 63 insertions(+), 8 deletions(-)

---
CVE 2015 2317.diff

django/utils/http.py | 9 8 + 1 - 0 !
tests/regressiontests/utils/http.py | 4 3 + 1 - 0 !
2 files changed, 11 insertions(+), 2 deletions(-)

 [patch] [1.4.x] made is_safe_url() reject urls that start with
 control characters.

This is a security fix; disclosure to follow shortly.

session 1.4.x.diff

django/contrib/sessions/backends/cache.py | 6 4 + 2 - 0 !
django/contrib/sessions/backends/cached_db.py | 5 3 + 2 - 0 !
django/contrib/sessions/backends/db.py | 5 3 + 2 - 0 !
django/contrib/sessions/backends/file.py | 7 4 + 3 - 0 !
django/contrib/sessions/tests.py | 19 19 + 0 - 0 !
5 files changed, 33 insertions(+), 9 deletions(-)

---
newlines 1.4.x.diff

django/core/validators.py | 26 15 + 11 - 0 !
tests/modeltests/validators/tests.py | 16 15 + 1 - 0 !
2 files changed, 30 insertions(+), 12 deletions(-)

---
session store 1.4.x.diff

django/contrib/sessions/backends/base.py | 9 8 + 1 - 0 !
django/contrib/sessions/backends/cached_db.py | 2 1 + 1 - 0 !
django/contrib/sessions/middleware.py | 46 27 + 19 - 0 !
django/contrib/sessions/tests.py | 70 70 + 0 - 0 !
docs/topics/http/sessions.txt | 13 9 + 4 - 0 !
5 files changed, 115 insertions(+), 25 deletions(-)

---
date leak 1.4.x.diff

django/utils/formats.py | 20 20 + 0 - 0 !
tests/regressiontests/i18n/tests.py | 3 3 + 0 - 0 !
2 files changed, 23 insertions(+)

---
CVE 2016 2512.diff

django/contrib/auth/tests/views.py | 8 7 + 1 - 0 !
django/utils/http.py | 8 6 + 2 - 0 !
2 files changed, 13 insertions(+), 3 deletions(-)

 cve-2016-2512: prevented spoofing is_safe_url() with basic auth
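
The ``is_safe_url()`` entries on this page (the ``javascript:`` scheme case, CVE-2014-3730, CVE-2015-2317 and this CVE-2016-2512 entry) each tighten the same check. As an added example that is not Django's ``django/utils/http.py`` code, here is a redirect-target validator written to refuse all four classes of input: a scheme other than http(s), a backslash-mangled absolute URL such as ``http:\\\\\\djangoproject.com``, a leading control character, and a basic-auth spelling that survives only in the literal (unnormalised) URL. The function names, the exact host comparison and the sample targets are constructed for this example.

```python
import unicodedata
from urllib.parse import urlparse

ALLOWED_SCHEMES = ("http", "https")


def _safe_once(url, host):
    """Run the checks over one spelling of the URL (see is_safe_redirect)."""
    # Browsers read three or more leading slashes as an absolute URL while
    # urlparse() does not: refuse such URLs outright.
    if url.startswith("///"):
        return False
    parts = urlparse(url)
    # A scheme with an empty host ("http:///other.example", or the backslash
    # form "http:\\\other.example") is parsed here as a path, but a lenient
    # browser reads that "path" as the host. Refuse it.
    if parts.scheme and not parts.netloc:
        return False
    # Some browsers skip leading control characters, turning a string such
    # as "\x08//other.example" into a scheme-relative URL to another host.
    # Refuse any URL whose first character is in a Unicode control category.
    if unicodedata.category(url[0]).startswith("C"):
        return False
    host_ok = (not parts.netloc) or parts.netloc == host
    scheme_ok = (not parts.scheme) or parts.scheme in ALLOWED_SCHEMES
    return host_ok and scheme_ok


def is_safe_redirect(url, host):
    """True if `url` is relative, or absolute on `host` over http(s).
    Constructed example of the checks described on this page; not Django's
    implementation."""
    if url is None:
        return False
    url = url.strip()
    if not url:
        return False
    # Chrome treats "\" as "/" everywhere, so the slash-normalised spelling
    # must pass. Other browsers keep "\" inside userinfo, so the literal
    # spelling must pass too: "http://host\@other.example" would otherwise
    # be normalised to "http://host/@other.example" and wrongly accepted.
    return _safe_once(url, host) and _safe_once(url.replace("\\", "/"), host)


# Constructed sample targets, each with the expected verdict for requests
# arriving at host "example.com".
SAMPLES = [
    ("/accounts/profile/", True),                    # relative path
    ("https://example.com/dashboard", True),         # absolute, same host
    ("http://other.example/", False),                # absolute, other host
    ("javascript:void(0)", False),                   # non-http(s) scheme
    ("http:\\\\\\djangoproject.com", False),         # CVE-2014-3730 style
    ("\x08//other.example/", False),                 # leading control char
    ("http://example.com\\@other.example/", False),  # CVE-2016-2512 style
]


def audit(samples=SAMPLES, host="example.com"):
    """Return the sample URLs whose verdict differs from the expected one."""
    return [url for url, expected in samples
            if is_safe_redirect(url, host) != expected]


if __name__ == "__main__":
    for url, expected in SAMPLES:
        print(f"{is_safe_redirect(url, 'example.com')!s:5} {url!r}")
    assert audit() == []
```

Note that ``urlparse`` itself is not trusted to decide safety: the control-character test is applied to the raw string rather than to the parsed result, because recent Python versions strip leading control characters inside ``urlsplit`` and would otherwise hide the case.
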

CVE 2016 2512 regression.diff

django/utils/http.py | 6 5 + 1 - 0 !
tests/regressiontests/utils/http.py | 11 11 + 0 - 0 !
2 files changed, 16 insertions(+), 1 deletion(-)

 is_safe_url() crashes with a bytestring url on python 2

CVE 2016 2513.diff

django/contrib/auth/hashers.py | 65 63 + 2 - 0 !
django/utils/encoding.py | 36 36 + 0 - 0 !
docs/topics/auth.txt | 30 30 + 0 - 0 !
3 files changed, 129 insertions(+), 2 deletions(-)

 cve-2016-2513: fixed user enumeration timing attack during login