Caching of anonymous pages could reveal CSRF token

Bug #1309782 reported by Luke Faraone on 2014-04-18
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
python-django (Ubuntu)
Undecided
Unassigned
Lucid
Undecided
Unassigned
Precise
Undecided
Unassigned
Quantal
Undecided
Unassigned
Saucy
Undecided
Unassigned
Trusty
Undecided
Unassigned

Bug Description

Django includes both a caching framework and a system for preventing
cross-site request forgery (CSRF) attacks. The CSRF-protection system
is based on a random nonce sent to the client in a cookie which must
be sent by the client on future requests, and in forms a hidden value
which must be submitted back with the form.

The caching framework includes an option to cache responses to
anonymous (i.e., unauthenticated) clients.

When the first anonymous request to a given page was by a client which
did not have a CSRF cookie, the cache framework will also cache the
CSRF cookie, and serve the same nonce to other anonymous clients who
do not have a CSRF cookie. This allows an attacker to obtain a valid
CSRF cookie value and perform attacks which bypass the check for the
cookie.

To remedy this, the caching framework will no longer cache such
responses. The heuristic for this will be:

1. If the incoming request did not submit any cookies, and

2. The response did send one or more cookies, and

3. The ``Vary: Cookie`` header is set on the response, then the
   response will not be cached.

information type: Private Security → Public Security
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.1.1-2ubuntu1.10

---------------
python-django (1.1.1-2ubuntu1.10) lucid-security; urgency=medium

  * SECURITY UPDATE: unexpected code execution using reverse()
    (LP: #1309779)
    - debian/patches/CVE-2014-0472.patch: added filtering to
      django/core/urlresolvers.py, added tests to
      tests/regressiontests/urlpatterns_reverse/nonimported_module.py,
      tests/regressiontests/urlpatterns_reverse/tests.py,
      tests/regressiontests/urlpatterns_reverse/urls.py,
      tests/regressiontests/urlpatterns_reverse/views.py.
    - CVE-2014-0472
  * SECURITY UPDATE: caching of anonymous pages could reveal CSRF token
    (LP: #1309782)
    - debian/patches/CVE-2014-0473.patch: don't cache responses with a
      cookie in django/middleware/cache.py, backport has_vary_header() to
      django/utils/cache.py.
    - CVE-2014-0473
  * SECURITY UPDATE: MySQL typecasting issue (LP: #1309784)
    - debian/patches/CVE-2014-0474.patch: convert arguments to correct
      type in django/db/models/fields/__init__.py, added tests to
      tests/regressiontests/model_fields/tests.py.
    - CVE-2014-0474
 -- Marc Deslauriers <email address hidden> Sat, 19 Apr 2014 11:21:00 -0400

Changed in python-django (Ubuntu Lucid):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.6.1-2ubuntu0.1

---------------
python-django (1.6.1-2ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: unexpected code execution using reverse()
    (LP: #1309779)
    - debian/patches/CVE-2014-0472.patch: added filtering to
      django/core/urlresolvers.py, added tests to
      tests/urlpatterns_reverse/nonimported_module.py,
      tests/urlpatterns_reverse/tests.py,
      tests/urlpatterns_reverse/urls.py,
      tests/urlpatterns_reverse/views.py.
    - CVE-2014-0472
  * SECURITY UPDATE: caching of anonymous pages could reveal CSRF token
    (LP: #1309782)
    - debian/patches/CVE-2014-0473.patch: don't cache responses with a
      cookie in django/middleware/cache.py, added tests to
      tests/cache/tests.py.
    - CVE-2014-0473
  * SECURITY UPDATE: MySQL typecasting issue (LP: #1309784)
    - debian/patches/CVE-2014-0474.patch: convert arguments to correct
      type in django/db/models/fields/__init__.py, updated docs in
      docs/howto/custom-model-fields.txt, docs/ref/databases.txt,
      docs/ref/models/querysets.txt, docs/topics/db/sql.txt, added tests to
      tests/model_fields/tests.py.
    - CVE-2014-0474
 -- Marc Deslauriers <email address hidden> Sat, 19 Apr 2014 08:50:48 -0400

Changed in python-django (Ubuntu Trusty):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.3.1-4ubuntu1.9

---------------
python-django (1.3.1-4ubuntu1.9) precise-security; urgency=medium

  * SECURITY UPDATE: unexpected code execution using reverse()
    (LP: #1309779)
    - debian/patches/CVE-2014-0472.patch: added filtering to
      django/core/urlresolvers.py, added tests to
      tests/regressiontests/urlpatterns_reverse/nonimported_module.py,
      tests/regressiontests/urlpatterns_reverse/tests.py,
      tests/regressiontests/urlpatterns_reverse/urls.py,
      tests/regressiontests/urlpatterns_reverse/views.py.
    - CVE-2014-0472
  * SECURITY UPDATE: caching of anonymous pages could reveal CSRF token
    (LP: #1309782)
    - debian/patches/CVE-2014-0473.patch: don't cache responses with a
      cookie in django/middleware/cache.py.
    - CVE-2014-0473
  * SECURITY UPDATE: MySQL typecasting issue (LP: #1309784)
    - debian/patches/CVE-2014-0474.patch: convert arguments to correct
      type in django/db/models/fields/__init__.py, updated docs in
      docs/howto/custom-model-fields.txt, docs/ref/databases.txt,
      docs/ref/models/querysets.txt, docs/topics/db/sql.txt, added tests to
      tests/regressiontests/model_fields/tests.py.
    - CVE-2014-0474
 -- Marc Deslauriers <email address hidden> Sat, 19 Apr 2014 09:27:04 -0400

Changed in python-django (Ubuntu Precise):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.4.1-2ubuntu0.5

---------------
python-django (1.4.1-2ubuntu0.5) quantal-security; urgency=medium

  * SECURITY UPDATE: unexpected code execution using reverse()
    (LP: #1309779)
    - debian/patches/CVE-2014-0472.patch: added filtering to
      django/core/urlresolvers.py, added tests to
      tests/regressiontests/urlpatterns_reverse/nonimported_module.py,
      tests/regressiontests/urlpatterns_reverse/tests.py,
      tests/regressiontests/urlpatterns_reverse/urls.py,
      tests/regressiontests/urlpatterns_reverse/views.py.
    - CVE-2014-0472
  * SECURITY UPDATE: caching of anonymous pages could reveal CSRF token
    (LP: #1309782)
    - debian/patches/CVE-2014-0473.patch: don't cache responses with a
      cookie in django/middleware/cache.py, added tests to
      tests/regressiontests/cache/tests.py.
    - CVE-2014-0473
  * SECURITY UPDATE: MySQL typecasting issue (LP: #1309784)
    - debian/patches/CVE-2014-0474.patch: convert arguments to correct
      type in django/db/models/fields/__init__.py, updated docs in
      docs/howto/custom-model-fields.txt, docs/ref/databases.txt,
      docs/ref/models/querysets.txt, docs/topics/db/sql.txt, added tests to
      tests/regressiontests/model_fields/tests.py.
    - CVE-2014-0474
  * debian/patches/fix_test_ftbfs.patch: fix ftbfs with upstream commit.
 -- Marc Deslauriers <email address hidden> Sat, 19 Apr 2014 09:12:33 -0400

Changed in python-django (Ubuntu Quantal):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.5.4-1ubuntu1.1

---------------
python-django (1.5.4-1ubuntu1.1) saucy-security; urgency=medium

  * SECURITY UPDATE: unexpected code execution using reverse()
    (LP: #1309779)
    - debian/patches/CVE-2014-0472.patch: added filtering to
      django/core/urlresolvers.py, added tests to
      tests/regressiontests/urlpatterns_reverse/nonimported_module.py,
      tests/regressiontests/urlpatterns_reverse/tests.py,
      tests/regressiontests/urlpatterns_reverse/urls.py,
      tests/regressiontests/urlpatterns_reverse/views.py.
    - CVE-2014-0472
  * SECURITY UPDATE: caching of anonymous pages could reveal CSRF token
    (LP: #1309782)
    - debian/patches/CVE-2014-0473.patch: don't cache responses with a
      cookie in django/middleware/cache.py, added tests to
      tests/regressiontests/cache/tests.py.
    - CVE-2014-0473
  * SECURITY UPDATE: MySQL typecasting issue (LP: #1309784)
    - debian/patches/CVE-2014-0474.patch: convert arguments to correct
      type in django/db/models/fields/__init__.py, updated docs in
      docs/howto/custom-model-fields.txt, docs/ref/databases.txt,
      docs/ref/models/querysets.txt, docs/topics/db/sql.txt, added tests to
      tests/regressiontests/model_fields/tests.py.
    - CVE-2014-0474
 -- Marc Deslauriers <email address hidden> Sat, 19 Apr 2014 09:06:51 -0400

Changed in python-django (Ubuntu Saucy):
status: New → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers