tags 481164 patch
thanks

Hi

Attached you will find the patch from upstream. Please let me know if you
have time for it or want me to upload.
Don't worry, I will wait a few days.

Cheers
Steffen
diff -u python-django-0.96.1/debian/changelog python-django-0.96.1/debian/changelog
--- python-django-0.96.1/debian/changelog
+++ python-django-0.96.1/debian/changelog
@@ -1,3 +1,11 @@
+python-django (0.96.1-3.1) unstable; urgency=high
+
+  * Non-maintainer upload by the security team
+  * Fix cross-site scripting vulnerability by escaping the value
+    of the request path (Closes: #481164)
+
+ -- Steffen Joeris <[EMAIL PROTECTED]>  Wed, 14 May 2008 13:01:46 +0000
+
 python-django (0.96.1-3) unstable; urgency=low
 
   * Fix for bash completion (Upstream bug 6661)
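Review bot: the new changelog entry (`+  * Fix cross-site scripting vulnerability by escaping the value` / `+    of the request path (Closes: #481164)`) does not record where the fix comes from, although the covering mail describes it as the upstream patch; adding a short pointer such as "(backported from upstream)" to the entry lets future maintainers trace the change and drop the Debian patch once a release containing it is packaged. The `[EMAIL PROTECTED]` text in the `-- Steffen Joeris` signature line should also be a real address before upload, unless it is only the archive's address masking, because the changelog trailer is parsed by the packaging tools.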
only in patch2:
unchanged:
--- python-django-0.96.1.orig/debian/patches/04_XSS_fix.diff
+++ python-django-0.96.1/debian/patches/04_XSS_fix.diff
@@ -0,0 +1,19 @@
+--- ../old/python-django-0.96.1/django/contrib/admin/views/decorators.py	2007-10-26 19:21:34.000000000 +0000
++++ python-django-0.96.1/django/contrib/admin/views/decorators.py	2008-05-14 12:59:55.000000000 +0000
+@@ -3,6 +3,7 @@
+ from django.contrib.auth.models import User
+ from django.contrib.auth import authenticate, login
+ from django.shortcuts import render_to_response
++from django.utils.html import escape 
+ from django.utils.translation import gettext_lazy
+ import base64, datetime, md5
+ import cPickle as pickle
+@@ -22,7 +23,7 @@
+         post_data = _encode_post_data({})
+     return render_to_response('admin/login.html', {
+         'title': _('Log in'),
+-        'app_path': request.path,
++	'app_path': escape(request.path), 
+         'post_data': post_data,
+         'error_message': error_message
+     }, context_instance=template.RequestContext(request))
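Review bot: the replacement line `+	'app_path': escape(request.path), ` in the second hunk is indented with a tab and ends in a trailing space, while the neighbouring dictionary entries (`'title'`, `'post_data'`, `'error_message'`) use eight spaces; the added import `+from django.utils.html import escape ` also carries trailing whitespace. Mixed tabs and spaces in one Python block are a readability hazard and produce spurious diffs later, so the new line should match the existing indentation. On substance the change is right for this code base: request.path is attacker-influenced input that was previously handed unescaped to the admin login template, and running it through django.utils.html.escape encodes the characters that would let it break out of the attribute or element it is rendered in. Before upload it is worth checking whether any other view in the package passes request.path or similar request-derived strings to a template the same way, since this hunk only covers the login view in django/contrib/admin/views/decorators.py.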
