Unexpected code execution using ``reverse()``

Bug #1309779 reported by Luke Faraone on 2014-04-18
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
python-django (Ubuntu)
Undecided
Unassigned
Lucid
Undecided
Unassigned
Precise
Undecided
Unassigned
Quantal
Undecided
Unassigned
Saucy
Undecided
Unassigned
Trusty
Undecided
Unassigned

Bug Description

Django's URL handling is based on a mapping of regex patterns
(representing the URLs) to callable views, and Django's own processing
consists of matching a requested URL against those patterns to
determine the appropriate view to invoke.

Django also provides a convenience function --
``django.core.urlresolvers.reverse()`` -- which performs this process
in the opposite direction. The ``reverse()`` function takes
information about a view, and returns a URL which would invoke that
view. Use of ``reverse()`` is encouraged for application developers,
as the output of ``reverse()`` is always based on the current URL
patterns, meaning developers do not need to change other code when
making changes to URLs.

One argument signature for ``reverse()`` is to pass a dotted Python
path to the desired view. In this situation, Django will import the
module indicated by that dotted path as part of generating the
rsulting URL. If such a module has import-time side effects, those
side effects will occur.

Thus it is possible for an attacker to cause unexpected code
execution, given the following conditions:

1. One or more views are present which construct a URL based on user
   input (commonly, a "next" parameter in a querystring indicating
   where to redirect upon successful completion of an action).

2. One or more modules known to an attacker to exist on the server's
   Python import path, which perform code execution with side effects
   on importing.

To remedy this, ``reverse()`` will now only accept and import dotted
paths based on the view-containing modules listed in the project's URL
pattern configuration, so as to ensure that only modules the developer
intended to be imported in this fashion can or will be imported.

information type: Private Security → Public Security
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.1.1-2ubuntu1.10

---------------
python-django (1.1.1-2ubuntu1.10) lucid-security; urgency=medium

  * SECURITY UPDATE: unexpected code execution using reverse()
    (LP: #1309779)
    - debian/patches/CVE-2014-0472.patch: added filtering to
      django/core/urlresolvers.py, added tests to
      tests/regressiontests/urlpatterns_reverse/nonimported_module.py,
      tests/regressiontests/urlpatterns_reverse/tests.py,
      tests/regressiontests/urlpatterns_reverse/urls.py,
      tests/regressiontests/urlpatterns_reverse/views.py.
    - CVE-2014-0472
  * SECURITY UPDATE: caching of anonymous pages could reveal CSRF token
    (LP: #1309782)
    - debian/patches/CVE-2014-0473.patch: don't cache responses with a
      cookie in django/middleware/cache.py, backport has_vary_header() to
      django/utils/cache.py.
    - CVE-2014-0473
  * SECURITY UPDATE: MySQL typecasting issue (LP: #1309784)
    - debian/patches/CVE-2014-0474.patch: convert arguments to correct
      type in django/db/models/fields/__init__.py, added tests to
      tests/regressiontests/model_fields/tests.py.
    - CVE-2014-0474
 -- Marc Deslauriers <email address hidden> Sat, 19 Apr 2014 11:21:00 -0400

Changed in python-django (Ubuntu Lucid):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.6.1-2ubuntu0.1

---------------
python-django (1.6.1-2ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: unexpected code execution using reverse()
    (LP: #1309779)
    - debian/patches/CVE-2014-0472.patch: added filtering to
      django/core/urlresolvers.py, added tests to
      tests/urlpatterns_reverse/nonimported_module.py,
      tests/urlpatterns_reverse/tests.py,
      tests/urlpatterns_reverse/urls.py,
      tests/urlpatterns_reverse/views.py.
    - CVE-2014-0472
  * SECURITY UPDATE: caching of anonymous pages could reveal CSRF token
    (LP: #1309782)
    - debian/patches/CVE-2014-0473.patch: don't cache responses with a
      cookie in django/middleware/cache.py, added tests to
      tests/cache/tests.py.
    - CVE-2014-0473
  * SECURITY UPDATE: MySQL typecasting issue (LP: #1309784)
    - debian/patches/CVE-2014-0474.patch: convert arguments to correct
      type in django/db/models/fields/__init__.py, updated docs in
      docs/howto/custom-model-fields.txt, docs/ref/databases.txt,
      docs/ref/models/querysets.txt, docs/topics/db/sql.txt, added tests to
      tests/model_fields/tests.py.
    - CVE-2014-0474
 -- Marc Deslauriers <email address hidden> Sat, 19 Apr 2014 08:50:48 -0400

Changed in python-django (Ubuntu Trusty):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.3.1-4ubuntu1.9

---------------
python-django (1.3.1-4ubuntu1.9) precise-security; urgency=medium

  * SECURITY UPDATE: unexpected code execution using reverse()
    (LP: #1309779)
    - debian/patches/CVE-2014-0472.patch: added filtering to
      django/core/urlresolvers.py, added tests to
      tests/regressiontests/urlpatterns_reverse/nonimported_module.py,
      tests/regressiontests/urlpatterns_reverse/tests.py,
      tests/regressiontests/urlpatterns_reverse/urls.py,
      tests/regressiontests/urlpatterns_reverse/views.py.
    - CVE-2014-0472
  * SECURITY UPDATE: caching of anonymous pages could reveal CSRF token
    (LP: #1309782)
    - debian/patches/CVE-2014-0473.patch: don't cache responses with a
      cookie in django/middleware/cache.py.
    - CVE-2014-0473
  * SECURITY UPDATE: MySQL typecasting issue (LP: #1309784)
    - debian/patches/CVE-2014-0474.patch: convert arguments to correct
      type in django/db/models/fields/__init__.py, updated docs in
      docs/howto/custom-model-fields.txt, docs/ref/databases.txt,
      docs/ref/models/querysets.txt, docs/topics/db/sql.txt, added tests to
      tests/regressiontests/model_fields/tests.py.
    - CVE-2014-0474
 -- Marc Deslauriers <email address hidden> Sat, 19 Apr 2014 09:27:04 -0400

Changed in python-django (Ubuntu Precise):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.4.1-2ubuntu0.5

---------------
python-django (1.4.1-2ubuntu0.5) quantal-security; urgency=medium

  * SECURITY UPDATE: unexpected code execution using reverse()
    (LP: #1309779)
    - debian/patches/CVE-2014-0472.patch: added filtering to
      django/core/urlresolvers.py, added tests to
      tests/regressiontests/urlpatterns_reverse/nonimported_module.py,
      tests/regressiontests/urlpatterns_reverse/tests.py,
      tests/regressiontests/urlpatterns_reverse/urls.py,
      tests/regressiontests/urlpatterns_reverse/views.py.
    - CVE-2014-0472
  * SECURITY UPDATE: caching of anonymous pages could reveal CSRF token
    (LP: #1309782)
    - debian/patches/CVE-2014-0473.patch: don't cache responses with a
      cookie in django/middleware/cache.py, added tests to
      tests/regressiontests/cache/tests.py.
    - CVE-2014-0473
  * SECURITY UPDATE: MySQL typecasting issue (LP: #1309784)
    - debian/patches/CVE-2014-0474.patch: convert arguments to correct
      type in django/db/models/fields/__init__.py, updated docs in
      docs/howto/custom-model-fields.txt, docs/ref/databases.txt,
      docs/ref/models/querysets.txt, docs/topics/db/sql.txt, added tests to
      tests/regressiontests/model_fields/tests.py.
    - CVE-2014-0474
  * debian/patches/fix_test_ftbfs.patch: fix ftbfs with upstream commit.
 -- Marc Deslauriers <email address hidden> Sat, 19 Apr 2014 09:12:33 -0400

Changed in python-django (Ubuntu Quantal):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.5.4-1ubuntu1.1

---------------
python-django (1.5.4-1ubuntu1.1) saucy-security; urgency=medium

  * SECURITY UPDATE: unexpected code execution using reverse()
    (LP: #1309779)
    - debian/patches/CVE-2014-0472.patch: added filtering to
      django/core/urlresolvers.py, added tests to
      tests/regressiontests/urlpatterns_reverse/nonimported_module.py,
      tests/regressiontests/urlpatterns_reverse/tests.py,
      tests/regressiontests/urlpatterns_reverse/urls.py,
      tests/regressiontests/urlpatterns_reverse/views.py.
    - CVE-2014-0472
  * SECURITY UPDATE: caching of anonymous pages could reveal CSRF token
    (LP: #1309782)
    - debian/patches/CVE-2014-0473.patch: don't cache responses with a
      cookie in django/middleware/cache.py, added tests to
      tests/regressiontests/cache/tests.py.
    - CVE-2014-0473
  * SECURITY UPDATE: MySQL typecasting issue (LP: #1309784)
    - debian/patches/CVE-2014-0474.patch: convert arguments to correct
      type in django/db/models/fields/__init__.py, updated docs in
      docs/howto/custom-model-fields.txt, docs/ref/databases.txt,
      docs/ref/models/querysets.txt, docs/topics/db/sql.txt, added tests to
      tests/regressiontests/model_fields/tests.py.
    - CVE-2014-0474
 -- Marc Deslauriers <email address hidden> Sat, 19 Apr 2014 09:06:51 -0400

Changed in python-django (Ubuntu Saucy):
status: New → Fix Released

I think this introduced a serious regression, please see bug 1311433

To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers