Bug#874415: Bug#905216: python-django: CVE-2018-14574: Open redirect possibility in CommonMiddleware

2018-08-03 Thread Chris Lamb
Hi Salvatore,

> Thanks! Looks good to me, please go ahead with the upload to
> security-master.

Uploaded. :)


Best wishes,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Bug#905216: python-django: CVE-2018-14574: Open redirect possibility in CommonMiddleware

2018-08-03 Thread Salvatore Bonaccorso
Hi Chris,

On Fri, Aug 03, 2018 at 07:24:20AM +0100, Chris Lamb wrote:
> [adding 874...@bugs.debian.org to CC]
> 
> Hi Salvatore,
> 
> > > > There is as well a no-dsa tagged entry (CVE-2017-12794), which is only
> > > > relevant when "DEBUG = true". But as we do an update now via a DSA, we
> > > > can include this fix as well.
> > > 
> > > That makes sense. Shall I go ahead and add this CVE-2017-12794 and send
> > > another debdiff?
> > 
> > Yes please.
> 
> Full diff attached. Please let me know if this is okay to upload.

Thanks! Looks good to me, please go ahead with the upload to
security-master.

Regards,
Salvatore



Bug#905216: python-django: CVE-2018-14574: Open redirect possibility in CommonMiddleware

2018-08-03 Thread Chris Lamb
[adding 874...@bugs.debian.org to CC]

Hi Salvatore,

> > > There is as well a no-dsa tagged entry (CVE-2017-12794), which is only
> > > relevant when "DEBUG = true". But as we do an update now via a DSA, we
> > > can include this fix as well.
> > 
> > That makes sense. Shall I go ahead and add this CVE-2017-12794 and send
> > another debdiff?
> 
> Yes please.

Full diff attached. Please let me know if this is okay to upload.

  Source: python-django
  Version: 1:1.10.7-2+deb9u2
  Distribution: stretch-security
  Urgency: high
  Maintainer: Chris Lamb 
  Timestamp: 1533177448
  Date: Thu, 02 Aug 2018 10:37:28 +0800
  Closes: 874415 905216
  Changes:
   python-django (1:1.10.7-2+deb9u2) stretch-security; urgency=high
   .
 * Non-maintainer upload by the Security Team.
 * CVE-2018-14574: Fix an open redirect possibility in CommonMiddleware.
   If the django.middleware.common.CommonMiddleware and the APPEND_SLASH
   setting were both enabled, and if the project has a URL pattern that
   accepted any path ending in a slash then a request to a maliciously crafted
   URL of that site could lead to a redirect to another site, enabling
   phishing and other attacks. (Closes: #905216)
 * CVE-2017-12794: Fix a cross-site scripting attack in the technical HTTP 500
   page. This vulnerability did not affect production sites as they typically
   do not run with "DEBUG = True". (Closes: #874415)


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-
diff --git a/debian/changelog b/debian/changelog
index 472d500fb..e77a81a21 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+python-django (1:1.10.7-2+deb9u2) stretch-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * CVE-2018-14574: Fix an open redirect possibility in CommonMiddleware.
+If the django.middleware.common.CommonMiddleware and the APPEND_SLASH
+setting were both enabled, and if the project has a URL pattern that
+accepted any path ending in a slash then a request to a maliciously crafted
+URL of that site could lead to a redirect to another site, enabling
+phishing and other attacks. (Closes: #905216)
+  * CVE-2017-12794: Fix a cross-site scripting attack in the technical HTTP 500
+page. This vulnerability did not affect production sites as they typically
+do not run with "DEBUG = True". (Closes: #874415)
+
+ -- Chris Lamb   Thu, 02 Aug 2018 10:37:28 +0800
+
 python-django (1:1.10.7-2+deb9u1) stretch-security; urgency=high
 
   * Non-maintainer upload by the LTS Team.
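Review bot: the new changelog entry closes #874415 for CVE-2017-12794, but the portion of the debdiff visible here adds only debian/patches/0015-CVE-2018-14574.patch; before upload, confirm the full debdiff also carries the CVE-2017-12794 patch for the technical 500 page together with its debian/patches/series entry, otherwise the changelog would close a bug the package does not actually fix.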
diff --git a/debian/patches/0015-CVE-2018-14574.patch 
b/debian/patches/0015-CVE-2018-14574.patch
new file mode 100644
index 0..c8bf439e9
--- /dev/null
+++ b/debian/patches/0015-CVE-2018-14574.patch
@@ -0,0 +1,153 @@
+From: Chris Lamb 
+Date: Thu, 2 Aug 2018 10:28:56 +0800
+Subject: CVE-2018-14574
+
+Open redirect possibility in CommonMiddleware
+
+If the django.middleware.common.CommonMiddleware and the APPEND_SLASH setting
+are both enabled, and if the project has a URL pattern that accepts any path
+ending in a slash (many content management systems have such a pattern), then a
+request to a maliciously crafted URL of that site could lead to a redirect to
+another site, enabling phishing and other attacks.
+
+Thanks Andreas Hug for reporting this issue.
+
+ -- 
+
+Backported by Chris Lamb  from:
+
+  
https://github.com/django/django/commit/d6eaee092709aad477a9894598496c6deec532ff
+---
+ django/middleware/common.py|  3 +++
+ django/urls/resolvers.py   |  8 
+ django/utils/http.py   | 11 +++
+ tests/middleware/tests.py  | 19 +++
+ tests/middleware/urls.py   |  2 ++
+ tests/utils_tests/test_http.py | 10 ++
+ 6 files changed, 49 insertions(+), 4 deletions(-)
+
+diff --git a/django/middleware/common.py b/django/middleware/common.py
+index 4cec6f0..4ac5e01 100644
+--- a/django/middleware/common.py
 b/django/middleware/common.py
+@@ -9,6 +9,7 @@ from django.urls import is_valid_path
+ from django.utils.cache import get_conditional_response, set_response_etag
+ from django.utils.deprecation import MiddlewareMixin
+ from django.utils.encoding import force_text
++from django.utils.http import escape_leading_slashes
+ from django.utils.http import unquote_etag
+ from django.utils.six.moves.urllib.parse import urlparse
+ 
+@@ -90,6 +91,8 @@ class CommonMiddleware(MiddlewareMixin):
+ POST, PUT, or PATCH.
+ """
+ new_path = request.get_full_path(force_append_slash=True)
++# Prevent construction of scheme relative urls.
++new_path = escape_leading_slashes(new_path)
+ if settings.DEBUG and request.method in ('POST', 'PUT', 'PATCH'):
+ raise RuntimeError(
+ "You called this URL via %(method)s, but the URL 
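Review bot: the new line `++from django.utils.http import escape_leading_slashes` only resolves if the django/utils/http.py hunk (11 added lines in the diffstat) defines that helper in the 1.10.7 tree, and the diffstat also lists django/urls/resolvers.py (8 lines), which is where upstream applies the same escaping to reverse(); since the quoted patch is cut off after the middleware hunk, please double-check that both of those hunks applied cleanly in the backport. The placement itself looks right: new_path is escaped immediately after request.get_full_path(force_append_slash=True), so both the DEBUG RuntimeError branch and the redirect that follows consume the sanitised value.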

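As an added illustration, not code from the Debian package or from Django itself, of what the escape_leading_slashes call in the patch prevents: the helper below re-implements the upstream one-line check as I understand it (an assumption), and redirect_location simulates the Location value CommonMiddleware derives from request.get_full_path(force_append_slash=True), with and without the fix.

```python
from urllib.parse import urlsplit


def escape_leading_slashes(url):
    """Re-implementation (assumption: same one-line logic as Django's helper).
    A path beginning with '//' is read by browsers as a scheme-relative URL
    whose next segment is a host, so the second slash is percent-encoded."""
    if url.startswith('//'):
        url = '/%2F{}'.format(url[2:])
    return url


def redirect_location(path, query='', harden=True):
    """Simulate the Location the APPEND_SLASH redirect would carry: the
    request path with a trailing slash forced on, plus any query string.
    harden=False reproduces the pre-patch behaviour; harden=True applies
    escape_leading_slashes the way the patched middleware does."""
    if not path.endswith('/'):
        path += '/'
    full = path + ('?' + query if query else '')
    return escape_leading_slashes(full) if harden else full


def is_same_site(location):
    """Defender-side check: a Location that parses with a scheme or a
    netloc would send the browser to a different host."""
    parts = urlsplit(location)
    return parts.scheme == '' and parts.netloc == ''


if __name__ == '__main__':
    # Constructed sample paths: an ordinary one and one with two leading
    # slashes, which is the shape that produced the off-site redirect.
    for raw in ('/blog', '//example.org'):
        for harden in (False, True):
            loc = redirect_location(raw, harden=harden)
            print('%-14s harden=%-5s -> %-20s same-site=%s'
                  % (raw, harden, loc, is_same_site(loc)))
```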
Bug#905216: python-django: CVE-2018-14574: Open redirect possibility in CommonMiddleware

2018-08-01 Thread Salvatore Bonaccorso
Hi Chris,

On Thu, Aug 02, 2018 at 06:42:59AM +0100, Chris Lamb wrote:
> Hi Salvatore,
> 
> > > I've attached the following diff for a proposed 1:1.10.7-2+deb9u2
> > > update for Django:
> […]
> > The debdiff looks good so far, were you able to test the resulting
> > package
> 
> I believe that is covered in-depth by the additional tests I also
> backported (which pass here). The package installs fine for me too. I
> did not alter any of my in-*production* sites to *specifically* test
> pre/post application of the APPEND_SLASH handling.

Ack thanks.

> > There is as well a no-dsa tagged entry (CVE-2017-12794), which is only
> > relevant when "DEBUG = true". But as we do an update now via a DSA, we
> > can include this fix as well.
> 
> That makes sense. Shall I go ahead and add this CVE-2017-12794 and send
> another debdiff?

Yes please.

Thanks and regards,
Salvatore



Bug#905216: python-django: CVE-2018-14574: Open redirect possibility in CommonMiddleware

2018-08-01 Thread Chris Lamb
Hi Salvatore,

> > I've attached the following diff for a proposed 1:1.10.7-2+deb9u2
> > update for Django:
[…]
> The debdiff looks good so far, were you able to test the resulting
> package

I believe that is covered in-depth by the additional tests I also
backported (which pass here). The package installs fine for me too. I
did not alter any of my in-*production* sites to *specifically* test
pre/post application of the APPEND_SLASH handling.

> There is as well a no-dsa tagged entry (CVE-2017-12794), which is only
> relevant when "DEBUG = true". But as we do an update now via a DSA, we
> can include this fix as well.

That makes sense. Shall I go ahead and add this CVE-2017-12794 and send
another debdiff?


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Bug#905216: python-django: CVE-2018-14574: Open redirect possibility in CommonMiddleware

2018-08-01 Thread Salvatore Bonaccorso
Hi Chris,

On Thu, Aug 02, 2018 at 03:42:41AM +0100, Chris Lamb wrote:
> Hi security team,
> 
> > python-django: CVE-2018-14574: Open redirect possibility in CommonMiddleware
> 
> I've attached the following diff for a proposed 1:1.10.7-2+deb9u2
> update for Django:
> 
>   Source: python-django
>   Version: 1:1.10.7-2+deb9u2
>   Distribution: stretch-security
>   Urgency: high
>   Maintainer: Chris Lamb 
>   Timestamp: 1533177448
>   Date: Thu, 02 Aug 2018 10:37:28 +0800
>   Closes: 905216
>   Changes:
>python-django (1:1.10.7-2+deb9u2) stretch-security; urgency=high
>.
>  * Non-maintainer upload by the Security Team.
>  * CVE-2018-14574: Fix an open redirect possibility in CommonMiddleware.
>If the django.middleware.common.CommonMiddleware and the APPEND_SLASH
>setting were both enabled, and if the project has a URL pattern that
>accepted any path ending in a slash then a request to a maliciously crafted
>URL of that site could lead to a redirect to another site, enabling
>phishing and other attacks. (Closes: #905216)
> 
>
> Let me know if I should go ahead and upload.

Thanks for preparing an update.

The debdiff looks good so far, were you able to test the resulting
package (in particular as well for the given case using
CommonMiddleware and APPEND_SLASH setting enabled)?

There is as well a no-dsa tagged entry (CVE-2017-12794), which is only
relevant when "DEBUG = true". But as we do an update now via a DSA, we
can include this fix as well.

Regards,
Salvatore



Bug#905216: python-django: CVE-2018-14574: Open redirect possibility in CommonMiddleware

2018-08-01 Thread Chris Lamb
Hi security team,

> python-django: CVE-2018-14574: Open redirect possibility in CommonMiddleware

I've attached the following diff for a proposed 1:1.10.7-2+deb9u2
update for Django:

  Source: python-django
  Version: 1:1.10.7-2+deb9u2
  Distribution: stretch-security
  Urgency: high
  Maintainer: Chris Lamb 
  Timestamp: 1533177448
  Date: Thu, 02 Aug 2018 10:37:28 +0800
  Closes: 905216
  Changes:
   python-django (1:1.10.7-2+deb9u2) stretch-security; urgency=high
   .
 * Non-maintainer upload by the Security Team.
 * CVE-2018-14574: Fix an open redirect possibility in CommonMiddleware.
   If the django.middleware.common.CommonMiddleware and the APPEND_SLASH
   setting were both enabled, and if the project has a URL pattern that
   accepted any path ending in a slash then a request to a maliciously crafted
   URL of that site could lead to a redirect to another site, enabling
   phishing and other attacks. (Closes: #905216)

   
Let me know if I should go ahead and upload.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-
diff --git a/debian/changelog b/debian/changelog
index 472d500fb..ace826d6c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+python-django (1:1.10.7-2+deb9u2) stretch-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * CVE-2018-14574: Fix an open redirect possibility in CommonMiddleware.
+If the django.middleware.common.CommonMiddleware and the APPEND_SLASH
+setting were both enabled, and if the project has a URL pattern that
+accepted any path ending in a slash then a request to a maliciously crafted
+URL of that site could lead to a redirect to another site, enabling
+phishing and other attacks. (Closes: #905216)
+
+ -- Chris Lamb   Thu, 02 Aug 2018 10:37:28 +0800
+
 python-django (1:1.10.7-2+deb9u1) stretch-security; urgency=high
 
   * Non-maintainer upload by the LTS Team.
diff --git a/debian/patches/0015-CVE-2018-14574.patch 
b/debian/patches/0015-CVE-2018-14574.patch
new file mode 100644
index 0..c8bf439e9
--- /dev/null
+++ b/debian/patches/0015-CVE-2018-14574.patch
@@ -0,0 +1,153 @@
+From: Chris Lamb 
+Date: Thu, 2 Aug 2018 10:28:56 +0800
+Subject: CVE-2018-14574
+
+Open redirect possibility in CommonMiddleware
+
+If the django.middleware.common.CommonMiddleware and the APPEND_SLASH setting
+are both enabled, and if the project has a URL pattern that accepts any path
+ending in a slash (many content management systems have such a pattern), then a
+request to a maliciously crafted URL of that site could lead to a redirect to
+another site, enabling phishing and other attacks.
+
+Thanks Andreas Hug for reporting this issue.
+
+ -- 
+
+Backported by Chris Lamb  from:
+
+  
https://github.com/django/django/commit/d6eaee092709aad477a9894598496c6deec532ff
+---
+ django/middleware/common.py|  3 +++
+ django/urls/resolvers.py   |  8 
+ django/utils/http.py   | 11 +++
+ tests/middleware/tests.py  | 19 +++
+ tests/middleware/urls.py   |  2 ++
+ tests/utils_tests/test_http.py | 10 ++
+ 6 files changed, 49 insertions(+), 4 deletions(-)
+
+diff --git a/django/middleware/common.py b/django/middleware/common.py
+index 4cec6f0..4ac5e01 100644
+--- a/django/middleware/common.py
 b/django/middleware/common.py
+@@ -9,6 +9,7 @@ from django.urls import is_valid_path
+ from django.utils.cache import get_conditional_response, set_response_etag
+ from django.utils.deprecation import MiddlewareMixin
+ from django.utils.encoding import force_text
++from django.utils.http import escape_leading_slashes
+ from django.utils.http import unquote_etag
+ from django.utils.six.moves.urllib.parse import urlparse
+ 
+@@ -90,6 +91,8 @@ class CommonMiddleware(MiddlewareMixin):
+ POST, PUT, or PATCH.
+ """
+ new_path = request.get_full_path(force_append_slash=True)
++# Prevent construction of scheme relative urls.
++new_path = escape_leading_slashes(new_path)
+ if settings.DEBUG and request.method in ('POST', 'PUT', 'PATCH'):
+ raise RuntimeError(
+ "You called this URL via %(method)s, but the URL doesn't end "
+diff --git a/django/urls/resolvers.py b/django/urls/resolvers.py
+index cec960d..da82d56 100644
+--- a/django/urls/resolvers.py
 b/django/urls/resolvers.py
+@@ -18,7 +18,9 @@ from django.utils import lru_cache, six
+ from django.utils.datastructures import MultiValueDict
+ from django.utils.encoding import force_str, force_text
+ from django.utils.functional import cached_property
+-from django.utils.http import RFC3986_SUBDELIMS, urlquote
++from django.utils.http import (
++RFC3986_SUBDELIMS, escape_leading_slashes, urlquote,
++)
+ from django.utils.regex_helper import normalize
+ from django.utils.translation 
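Review bot: the patch header records provenance as free text ("Backported by Chris Lamb from:" followed by the GitHub commit URL); the DEP-3 fields `Origin: backport, https://github.com/django/django/commit/d6eaee092709aad477a9894598496c6deec532ff`, `Bug: https://www.djangoproject.com/weblog/2018/aug/01/security-releases/` and `Bug-Debian: https://bugs.debian.org/905216` would make that provenance machine-readable without changing the patch body. The trailing resolvers.py hunk also shows escape_leading_slashes being imported into the URL resolver, i.e. the fix is applied to reverse() as well as to the APPEND_SLASH redirect; the changelog text mentions only the middleware, so a short note that reverse() output is covered too would help anyone auditing the update.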

Bug#905216: python-django: CVE-2018-14574: Open redirect possibility in CommonMiddleware

2018-08-01 Thread Salvatore Bonaccorso
Date: Wed, 01 Aug 2018 16:54:41 +0200

Source: python-django
Version: 1:1.11.14-1
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for python-django.

CVE-2018-14574[0]:
Open redirect possibility in CommonMiddleware

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-14574
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14574
[1] https://www.djangoproject.com/weblog/2018/aug/01/security-releases/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore