Unexpected code execution using ``reverse()``
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
python-django (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Lucid |
Fix Released
|
Undecided
|
Unassigned | ||
Precise |
Fix Released
|
Undecided
|
Unassigned | ||
Quantal |
Fix Released
|
Undecided
|
Unassigned | ||
Saucy |
Fix Released
|
Undecided
|
Unassigned | ||
Trusty |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
Django's URL handling is based on a mapping of regex patterns
(representing the URLs) to callable views, and Django's own processing
consists of matching a requested URL against those patterns to
determine the appropriate view to invoke.
Django also provides a convenience function --
``django.
in the opposite direction. The ``reverse()`` function takes
information about a view, and returns a URL which would invoke that
view. Use of ``reverse()`` is encouraged for application developers,
as the output of ``reverse()`` is always based on the current URL
patterns, meaning developers do not need to change other code when
making changes to URLs.
One argument signature for ``reverse()`` is to pass a dotted Python
path to the desired view. In this situation, Django will import the
module indicated by that dotted path as part of generating the
rsulting URL. If such a module has import-time side effects, those
side effects will occur.
Thus it is possible for an attacker to cause unexpected code
execution, given the following conditions:
1. One or more views are present which construct a URL based on user
input (commonly, a "next" parameter in a querystring indicating
where to redirect upon successful completion of an action).
2. One or more modules known to an attacker to exist on the server's
Python import path, which perform code execution with side effects
on importing.
To remedy this, ``reverse()`` will now only accept and import dotted
paths based on the view-containing modules listed in the project's URL
pattern configuration, so as to ensure that only modules the developer
intended to be imported in this fashion can or will be imported.
CVE References
information type: | Private Security → Public Security |
This bug was fixed in the package python-django - 1.1.1-2ubuntu1.10
---------------
python-django (1.1.1-2ubuntu1.10) lucid-security; urgency=medium
* SECURITY UPDATE: unexpected code execution using reverse() patches/ CVE-2014- 0472.patch: added filtering to core/urlresolve rs.py, added tests to regressiontests /urlpatterns_ reverse/ nonimported_ module. py, regressiontests /urlpatterns_ reverse/ tests.py, regressiontests /urlpatterns_ reverse/ urls.py, regressiontests /urlpatterns_ reverse/ views.py. patches/ CVE-2014- 0473.patch: don't cache responses with a middleware/ cache.py, backport has_vary_header() to utils/cache. py. patches/ CVE-2014- 0474.patch: convert arguments to correct db/models/ fields/ __init_ _.py, added tests to regressiontests /model_ fields/ tests.py.
(LP: #1309779)
- debian/
django/
tests/
tests/
tests/
tests/
- CVE-2014-0472
* SECURITY UPDATE: caching of anonymous pages could reveal CSRF token
(LP: #1309782)
- debian/
cookie in django/
django/
- CVE-2014-0473
* SECURITY UPDATE: MySQL typecasting issue (LP: #1309784)
- debian/
type in django/
tests/
- CVE-2014-0474
-- Marc Deslauriers <email address hidden> Sat, 19 Apr 2014 11:21:00 -0400