cpet/openbsd-ports
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

- update py-django to 1.2.5

Browse Source 
from ryan boggs (MAINTAINER)
This commit is contained in:
jasper 2011-03-10 09:29:10 +00:00
parent 9023c387fe
commit 27ef93b489
10 changed files with 10 additions and 287 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
www/py-django/Makefile
View File

@ -1,13 +1,12 @@
# $OpenBSD: Makefile,v 1.15 2011/02/11 11:45:48 jasper Exp $
# $OpenBSD: Makefile,v 1.16 2011/03/10 09:29:10 jasper Exp $
COMMENT = high-level Python web framework
MODPY_EGG_VERSION = 1.2.4
MODPY_EGG_VERSION = 1.2.5
LNAME = django
DISTNAME = Django-${MODPY_EGG_VERSION}
PKGNAME = py-${LNAME}-${MODPY_EGG_VERSION}
CATEGORIES = www
REVISION = 0
HOMEPAGE = http://www.djangoproject.com/

10
www/py-django/distinfo
View File

@ -1,5 +1,5 @@
MD5 (Django-1.2.4.tar.gz) = sOZ9PWRH9+sc5jkrlGWhgw==
RMD160 (Django-1.2.4.tar.gz) = 4oM4qC1mLfmZpopEc+12vQDJdPw=
SHA1 (Django-1.2.4.tar.gz) = 2DR6kGJATeSeL0dObpk5U2HzTbg=
SHA256 (Django-1.2.4.tar.gz) = DwbMzUypIXO5WN2A7f81A1iI8VVUvkJeXW1Vx/lKg4E=
SIZE (Django-1.2.4.tar.gz) = 6357270
MD5 (Django-1.2.5.tar.gz) = 4DHqPQCZYDXknkv6huB8QA==
RMD160 (Django-1.2.5.tar.gz) = 5X9IMxN3BHdjh1h25Rx1T5H1j4A=
SHA1 (Django-1.2.5.tar.gz) = lZPmdFZQ0GwK+Cp51uME2VhBn5Q=
SHA256 (Django-1.2.5.tar.gz) = ZJOHJIKWOGtYnEqL+R00WQtD+Ttuv+bO++oN30ZBzNY=
SIZE (Django-1.2.5.tar.gz) = 6379313

18
www/py-django/patches/patch-django_contrib_admin_widgets_py
View File

@ -1,18 +0,0 @@
$OpenBSD: patch-django_contrib_admin_widgets_py,v 1.1 2011/02/11 11:45:48 jasper Exp $
Security fix for SA43230.
http://www.djangoproject.com/weblog/2011/feb/08/security/
Patch from upstream svn -r15471.
--- django/contrib/admin/widgets.py.orig Thu Sep 30 19:40:25 2010
+++ django/contrib/admin/widgets.py Thu Feb 10 09:53:29 2011
@@ -96,7 +96,7 @@ class AdminFileWidget(forms.FileInput):
output = []
if value and hasattr(value, "url"):
output.append('%s <a target="_blank" href="%s">%s</a> <br />%s ' % \
- (_('Currently:'), value.url, value, _('Change:')))
+ (_('Currently:'), escape(value.url), escape(value), _('Change:')))
output.append(super(AdminFileWidget, self).render(name, value, attrs))
return mark_safe(u''.join(output))

30
www/py-django/patches/patch-django_contrib_sessions_backends_file_py
View File

@ -1,30 +0,0 @@
$OpenBSD: patch-django_contrib_sessions_backends_file_py,v 1.1 2011/02/11 11:45:48 jasper Exp $
Security fix for SA43230.
http://www.djangoproject.com/weblog/2011/feb/08/security/
Patch from upstream svn -r15468.
--- django/contrib/sessions/backends/file.py.orig Mon Sep 1 13:25:16 2008
+++ django/contrib/sessions/backends/file.py Thu Feb 10 09:59:08 2011
@@ -25,6 +25,8 @@ class SessionStore(SessionBase):
self.file_prefix = settings.SESSION_COOKIE_NAME
super(SessionStore, self).__init__(session_key)
+
+ VALID_KEY_CHARS = set("abcdef0123456789")
def _key_to_file(self, session_key=None):
"""
@@ -36,9 +38,9 @@ class SessionStore(SessionBase):
# Make sure we're not vulnerable to directory traversal. Session keys
# should always be md5s, so they should never contain directory
# components.
- if os.path.sep in session_key:
+ if not set(session_key).issubset(self.VALID_KEY_CHARS):
raise SuspiciousOperation(
- "Invalid characters (directory components) in session key")
+ "Invalid characters in session key")
return os.path.join(self.storage_path, self.file_prefix + session_key)

27
www/py-django/patches/patch-django_contrib_sessions_tests_py
View File

@ -1,27 +0,0 @@
$OpenBSD: patch-django_contrib_sessions_tests_py,v 1.1 2011/02/11 11:45:48 jasper Exp $
Security fix for SA43230.
http://www.djangoproject.com/weblog/2011/feb/08/security/
Patch from upstream svn -r15468.
--- django/contrib/sessions/tests.py.orig Sat Feb 28 23:32:41 2009
+++ django/contrib/sessions/tests.py Thu Feb 10 09:58:06 2011
@@ -129,6 +129,17 @@ True
>>> file_session = FileSession(file_session.session_key)
>>> file_session.save()
+# Ensure we don't allow directory traversal
+>>> FileSession("a/b/c").load()
+Traceback (innermost last):
+ ...
+SuspiciousOperation: Invalid characters in session key
+
+>>> FileSession("a\\b\\c").load()
+Traceback (innermost last):
+ ...
+SuspiciousOperation: Invalid characters in session key
+
# Make sure the file backend checks for a good storage dir
>>> settings.SESSION_FILE_PATH = "/if/this/directory/exists/you/have/a/weird/computer"
>>> FileSession()

54
www/py-django/patches/patch-django_middleware_csrf_py
View File

@ -1,54 +0,0 @@
$OpenBSD: patch-django_middleware_csrf_py,v 1.1 2011/02/11 11:45:48 jasper Exp $
Security fix for SA43230.
http://www.djangoproject.com/weblog/2011/feb/08/security/
Patch from upstream svn -r15465.
--- django/middleware/csrf.py.orig Thu Oct 28 04:58:51 2010
+++ django/middleware/csrf.py Thu Feb 10 09:51:46 2011
@@ -130,31 +130,6 @@ class CsrfViewMiddleware(object):
# any branches that call reject()
return self._accept(request)
- if request.is_ajax():
- # .is_ajax() is based on the presence of X-Requested-With. In
- # the context of a browser, this can only be sent if using
- # XmlHttpRequest. Browsers implement careful policies for
- # XmlHttpRequest:
- #
- # * Normally, only same-domain requests are allowed.
- #
- # * Some browsers (e.g. Firefox 3.5 and later) relax this
- # carefully:
- #
- # * if it is a 'simple' GET or POST request (which can
- # include no custom headers), it is allowed to be cross
- # domain. These requests will not be recognized as AJAX.
- #
- # * if a 'preflight' check with the server confirms that the
- # server is expecting and allows the request, cross domain
- # requests even with custom headers are allowed. These
- # requests will be recognized as AJAX, but can only get
- # through when the developer has specifically opted in to
- # allowing the cross-domain POST request.
- #
- # So in all cases, it is safe to allow these requests through.
- return self._accept(request)
-
if request.is_secure():
# Strict referer checking for HTTPS
referer = request.META.get('HTTP_REFERER')
@@ -185,7 +160,11 @@ class CsrfViewMiddleware(object):
csrf_token = request.META["CSRF_COOKIE"]
# check incoming token
- request_csrf_token = request.POST.get('csrfmiddlewaretoken', None)
+ request_csrf_token = request.POST.get('csrfmiddlewaretoken', "")
+ if request_csrf_token == "":
+ # Fall back to X-CSRFToken, to make things easier for AJAX
+ request_csrf_token = request.META.get('HTTP_X_CSRFTOKEN', '')
+
if request_csrf_token != csrf_token:
if cookie_is_new:
# probably a problem setting the CSRF cookie

93
www/py-django/patches/patch-docs_ref_contrib_csrf_txt
View File

@ -1,93 +0,0 @@
$OpenBSD: patch-docs_ref_contrib_csrf_txt,v 1.1 2011/02/11 11:45:48 jasper Exp $
Security fix for SA43230.
http://www.djangoproject.com/weblog/2011/feb/08/security/
Patch from upstream svn -r15465.
--- docs/ref/contrib/csrf.txt.orig Fri Aug 27 06:58:36 2010
+++ docs/ref/contrib/csrf.txt Thu Feb 10 09:47:15 2011
@@ -81,6 +81,47 @@ The utility script ``extras/csrf_migration_helper.py``
finding of code and templates that may need to be upgraded. It contains full
help on how to use it.
+AJAX
+----
+
+While the above method can be used for AJAX POST requests, it has some
+inconveniences: you have to remember to pass the CSRF token in as POST data with
+every POST request. For this reason, there is an alternative method: on each
+XMLHttpRequest, set a custom `X-CSRFToken` header to the value of the CSRF
+token. This is often easier, because many javascript frameworks provide hooks
+that allow headers to be set on every request. In jQuery, you can use the
+``beforeSend`` hook as follows:
+
+.. code-block:: javascript
+
+ $.ajaxSetup({
+ beforeSend: function(xhr, settings) {
+ function getCookie(name) {
+ var cookieValue = null;
+ if (document.cookie && document.cookie != '') {
+ var cookies = document.cookie.split(';');
+ for (var i = 0; i < cookies.length; i++) {
+ var cookie = jQuery.trim(cookies[i]);
+ // Does this cookie string begin with the name we want?
+ if (cookie.substring(0, name.length + 1) == (name + '=')) {
+ cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
+ break;
+ }
+ }
+ }
+ return cookieValue;
+ }
+ if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
+ // Only send the token to relative URLs i.e. locally.
+ xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));
+ }
+ }
+ });
+
+Adding this to a javascript file that is included on your site will ensure that
+AJAX POST requests that are made via jQuery will not be caught by the CSRF
+protection.
+
The decorator method
--------------------
@@ -262,10 +303,6 @@ in the same module. These disable the view protection
(``CsrfResponseMiddleware``) respectively. They can be used individually if
required.
-You don't have to worry about doing this for most AJAX views. Any request sent
-with "X-Requested-With: XMLHttpRequest" is automatically exempt. (See the `How
-it works`_ section.)
-
Subdomains
----------
@@ -342,24 +379,6 @@ request ought to be harmless.
``CsrfResponseMiddleware`` checks the Content-Type before modifying the
response, and only pages that are served as 'text/html' or
'application/xml+xhtml' are modified.
-
-AJAX
-----
-
-The middleware tries to be smart about requests that come in via AJAX. Most
-modern JavaScript toolkits send an "X-Requested-With: XMLHttpRequest" HTTP
-header; these requests are detected and automatically *not* handled by this
-middleware. We can do this safely because, in the context of a browser, the
-header can only be added by using ``XMLHttpRequest``, and browsers already
-implement a same-domain policy for ``XMLHttpRequest``.
-
-For the more recent browsers that relax this same-domain policy, custom headers
-like "X-Requested-With" are only allowed after the browser has done a
-'preflight' check to the server to see if the cross-domain request is allowed,
-using a strictly 'opt in' mechanism, so the exception for AJAX is still safe—if
-the developer has specifically opted in to allowing cross-site AJAX POST
-requests on a specific URL, they obviously don't want the middleware to disallow
-exactly that.
.. _9.1.1 Safe Methods, HTTP 1.1, RFC 2616: http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html

31
www/py-django/patches/patch-tests_regressiontests_admin_widgets_tests_py
View File

@ -1,31 +0,0 @@
$OpenBSD: patch-tests_regressiontests_admin_widgets_tests_py,v 1.1 2011/02/11 11:45:48 jasper Exp $
Security fix for SA43230.
http://www.djangoproject.com/weblog/2011/feb/08/security/
Patch from upstream svn -r15471.
--- tests/regressiontests/admin_widgets/tests.py.orig Fri Dec 3 23:49:31 2010
+++ tests/regressiontests/admin_widgets/tests.py Thu Feb 10 09:50:08 2011
@@ -237,7 +237,21 @@ class AdminFileWidgetTest(DjangoTestCase):
'<input type="file" name="test" />',
)
+ def test_render_escapes_html(self):
+ class StrangeFieldFile(object):
+ url = "something?chapter=1&sect=2&copy=3&lang=en"
+ def __unicode__(self):
+ return u'''something<div onclick="alert('oops')">.jpg'''
+
+ widget = AdminFileWidget()
+ field = StrangeFieldFile()
+ output = widget.render('myfile', field)
+ self.assertFalse(field.url in output)
+ self.assertTrue(u'href="something?chapter=1&amp;sect=2&amp;copy=3&amp;lang=en"' in output)
+ self.assertFalse(unicode(field) in output)
+ self.assertTrue(u'something&lt;div onclick=&quot;alert(&#39;oops&#39;)&quot;&gt;.jpg' in output)
+
class ForeignKeyRawIdWidgetTest(DjangoTestCase):
def test_render(self):
band = models.Band.objects.create(name='Linkin Park')

25
www/py-django/patches/patch-tests_regressiontests_csrf_tests_tests_py
View File

@ -1,25 +0,0 @@
$OpenBSD: patch-tests_regressiontests_csrf_tests_tests_py,v 1.1 2011/02/11 11:45:48 jasper Exp $
Security fix for SA43230.
http://www.djangoproject.com/weblog/2011/feb/08/security/
Patch from upstream svn -r15465.
--- tests/regressiontests/csrf_tests/tests.py.orig Thu Oct 28 04:58:51 2010
+++ tests/regressiontests/csrf_tests/tests.py Thu Feb 10 09:48:59 2011
@@ -275,12 +275,12 @@ class CsrfMiddlewareTest(TestCase):
req2 = CsrfMiddleware().process_view(req, csrf_exempt(post_form_view), (), {})
self.assertEquals(None, req2)
- def test_ajax_exemption(self):
+ def test_csrf_token_in_header(self):
"""
- Check that AJAX requests are automatically exempted.
+ Check that we can pass in the token in a header instead of in the form
"""
req = self._get_POST_csrf_cookie_request()
- req.META['HTTP_X_REQUESTED_WITH'] = 'XMLHttpRequest'
+ req.META['HTTP_X_CSRFTOKEN'] = self._csrf_id
req2 = CsrfMiddleware().process_view(req, post_form_view, (), {})
self.assertEquals(None, req2)

4
www/py-django/pkg/PLIST
View File

@ -1,4 +1,4 @@
@comment $OpenBSD: PLIST,v 1.9 2011/01/02 22:04:10 rpointel Exp $
@comment $OpenBSD: PLIST,v 1.10 2011/03/10 09:29:11 jasper Exp $
bin/${LNAME}-admin.py
lib/python${MODPY_VERSION}/site-packages/Django-${MODPY_EGG_VERSION}-py${MODPY_VERSION}.egg-info
lib/python${MODPY_VERSION}/site-packages/${LNAME}/
@ -2702,6 +2702,7 @@ share/doc/${LNAME}/releases/1.2-alpha-1.txt
share/doc/${LNAME}/releases/1.2-beta-1.txt
share/doc/${LNAME}/releases/1.2-rc-1.txt
share/doc/${LNAME}/releases/1.2.2.txt
share/doc/${LNAME}/releases/1.2.4.txt
share/doc/${LNAME}/releases/${MODPY_EGG_VERSION}.txt
share/doc/${LNAME}/releases/1.2.txt
share/doc/${LNAME}/releases/index.txt
@ -2730,6 +2731,7 @@ share/doc/${LNAME}/topics/generic-views.txt
share/doc/${LNAME}/topics/http/
share/doc/${LNAME}/topics/http/_images/
share/doc/${LNAME}/topics/http/_images/middleware.png
share/doc/${LNAME}/topics/http/decorators.txt
share/doc/${LNAME}/topics/http/file-uploads.txt
share/doc/${LNAME}/topics/http/generic-views.txt
share/doc/${LNAME}/topics/http/index.txt