CVSS2 base score: 6 (Medium)
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector string: AV:N/AC:M/Au:S/C:P/I:P/A:P
This update addresses an issue with reverse() generating external URLs; a
denial of service involving file uploads; a potential session hijacking
issue in the remote-user middleware; and a data leak in the administrative
interface.
This update has been brought to you thanks to the Debian LTS sponsors:
<http://www.freexian.com/services/debian-lts.html>
To remedy this, URL reversing now ensures that no URL starts with two
slashes (//), replacing the second slash with its URL encoded counterpart
(%2F). This approach ensures that semantics stay the same, while making
the URL relative to the domain and not to the scheme.
An attacker with knowledge of this can exploit the sequential behavior of
filename generation by uploading many tiny files which all share a
filename; Django will, in processing them, generate ever-increasing
numbers of os.stat() calls as it attempts to generate a unique filename.
As a result, even a relatively small number of such uploads can
significantly degrade performance.
To remedy this, Django’s file-upload system will no longer use sequential
integer names to avoid filename conflicts on disk; instead, a short random
alphanumeric string will be appended, removing the ability to reliably
generate many repeatedly-conflicting filenames.
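As an added illustration (not code from the advisory or from Django itself), the following constructed simulation compares the two filename-conflict strategies described above by counting the existence checks an in-memory stand-in for the storage backend performs when many uploads request the same name. The function names, the upload path and the 7-character suffix length are assumptions made for the example.

```python
import os
import random
import string

def _split(name):  # split 'dir/root.ext' into (dir, root, ext) as storage code does
    dir_name, file_name = os.path.split(name)
    file_root, file_ext = os.path.splitext(file_name)
    return dir_name, file_root, file_ext

def available_name_sequential(name, existing):
    """Pre-fix: try name, name_1, name_2, ... until free; returns (name, existence checks)."""
    dir_name, file_root, file_ext = _split(name)
    count, probes = 1, 0
    while True:
        probes += 1                      # each check stands for one os.stat()
        if name not in existing:
            return name, probes
        name = os.path.join(dir_name, "%s_%s%s" % (file_root, count, file_ext))
        count += 1

def available_name_random(name, existing, rng, length=7):
    """Post-fix: on conflict append a short random alphanumeric suffix instead of an integer."""
    dir_name, file_root, file_ext = _split(name)
    alphabet = string.ascii_letters + string.digits
    probes = 0
    while True:
        probes += 1
        if name not in existing:
            return name, probes
        suffix = "".join(rng.choice(alphabet) for _ in range(length))
        name = os.path.join(dir_name, "%s_%s%s" % (file_root, suffix, file_ext))

def simulate_uploads(strategy, n, filename="uploads/report.txt", seed=0):
    """n uploads all requesting the same constructed name; 'existing' is an in-memory stand-in for the disk."""
    existing = set()
    rng = random.Random(seed)            # seeded so the run is reproducible
    total = 0
    for _ in range(n):
        if strategy == "sequential":
            chosen, probes = available_name_sequential(filename, existing)
        else:
            chosen, probes = available_name_random(filename, existing, rng)
        existing.add(chosen)
        total += probes
    return total

if __name__ == "__main__":
    for n in (10, 100, 1000):  # sequential grows as n(n+1)/2, random as about 2n
        print(n, simulate_uploads("sequential", n), simulate_uploads("random", n))
```

The sequential strategy performs a quadratic number of checks in total (the k-th colliding upload costs k+1), while the random suffix keeps every upload at two checks, which is what removes the degradation the text describes.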
In some circumstances, use of this middleware and backend could result in
one user receiving another user’s session, if a change to the REMOTE_USER
header occurred without corresponding logout/login actions.
To remedy this, the middleware will now ensure that a change to
REMOTE_USER without an explicit logout will force a logout and subsequent
login prior to accepting the new REMOTE_USER.
This mechanism did not, however, verify that the specified field actually
represents a relationship between models. Thus a user with access to the
admin interface, and with sufficient knowledge of model structure and the
appropriate URLs, could construct popup views which would display the
values of non-relationship fields, including fields the application
developer had not intended to expose in such a fashion.
To remedy this, the admin interface will now, in addition to its normal
permission checks, verify that the specified field does indeed represent a
relationship, to a model registered with the admin, and will raise an
exception if either condition is not true.
For Debian 6 Squeeze, these issues have been fixed in python-django version 1.2.3-3+squeeze11.