tags 481164 patch
thanks

Hi,

Attached you will find the patch from upstream. Please let me know if you have time for it or want me to upload. Don't worry, I will wait a few days.

Cheers
Steffen
diff -u python-django-0.96.1/debian/changelog python-django-0.96.1/debian/changelog --- python-django-0.96.1/debian/changelog +++ python-django-0.96.1/debian/changelog @@ -1,3 +1,11 @@ +python-django (0.96.1-3.1) unstable; urgency=high + + * Non-maintainer upload by the security team + * Fix cross-site scripting vulnerability by escaping the value + of the request path (Closes: #481164) + + -- Steffen Joeris <[EMAIL PROTECTED]> Wed, 14 May 2008 13:01:46 +0000 + python-django (0.96.1-3) unstable; urgency=low * Fix for bash completion (Upstream bug 6661) only in patch2: unchanged: --- python-django-0.96.1.orig/debian/patches/04_XSS_fix.diff +++ python-django-0.96.1/debian/patches/04_XSS_fix.diff @@ -0,0 +1,19 @@ +--- ../old/python-django-0.96.1/django/contrib/admin/views/decorators.py 2007-10-26 19:21:34.000000000 +0000 ++++ python-django-0.96.1/django/contrib/admin/views/decorators.py 2008-05-14 12:59:55.000000000 +0000 +@@ -3,6 +3,7 @@ + from django.contrib.auth.models import User + from django.contrib.auth import authenticate, login + from django.shortcuts import render_to_response ++from django.utils.html import escape + from django.utils.translation import gettext_lazy + import base64, datetime, md5 + import cPickle as pickle +@@ -22,7 +23,7 @@ + post_data = _encode_post_data({}) + return render_to_response('admin/login.html', { + 'title': _('Log in'), +- 'app_path': request.path, ++ 'app_path': escape(request.path), + 'post_data': post_data, + 'error_message': error_message + }, context_instance=template.RequestContext(request))
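Review bot: the changelog entry for 0.96.1-3.1 describes the issue only as "Fix cross-site scripting vulnerability by escaping the value of the request path (Closes: #481164)"; if a CVE identifier has been assigned for this issue, reference it in the same entry so the security tracker can match the upload, and confirm the maintainer line carries a real address, since "[EMAIL PROTECTED]" reads like a placeholder rather than the uploader's address.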
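Review bot: the new file debian/patches/04_XSS_fix.diff is added ("only in patch2: unchanged:"), but no change to the patch list (debian/patches/series or 00list, whichever this package uses) appears in the diff, so confirm the build actually applies it rather than just shipping it. The inner headers also use mismatched prefixes ("../old/python-django-0.96.1/django/..." vs "python-django-0.96.1/django/..."), which makes the strip level ambiguous when the patch system applies it; regenerating with matching paths avoids that. The fix itself is the right shape for 0.96, which has no template autoescaping: "'app_path': escape(request.path)," neutralises the reflected path before it reaches admin/login.html, and the added "from django.utils.html import escape" covers the call.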