Hi Stephen,

Thank you for all your contributions, really nice observation.


On Thursday, June 14, 2018 at 9:50:31 PM UTC-5, Stephen McDonald wrote:
>
> Hi all,
>
> I've just pushed Mezzanine 4.3 and Cartridge 0.13 to PyPI which both 
> support Django 1.11. Both these releases represent over a year of minor 
> bug-fixes and compatibility updates with newer versions of Django. For more 
> detail please see their respective change-logs.
>
> For all those still following Mezzanine's development, you'll know that 
> we've forgone releases for quite some time and pushed people towards 
> depending on the GitHub repositories. A vulnerability was recently found in 
> Cartridge however, which has forced new releases to be made, which I'll 
> detail below. The new release of Cartridge contains a fix for the issue, 
> but you can also patch the issue via your project's files if upgrading is 
> inconvenient. 
>
> The vulnerability in Cartridge is where the invoice page displayed at the 
> end of a completed checkout process gets cached, when Mezzanine's caching 
> is enabled and the customer is unauthenticated. This means that another 
> unauthenticated user who guesses the order ID of a previous unauthenticated 
> customer, could view their order details such as name, address, and items 
> purchased, for a brief period (60 seconds by default) after the checkout 
> process was completed by the customer. 
>
> While the extent of this is limited due to the order details only being 
> exposed for the time period that caching is configured for, it's still very 
> serious and anyone running a vulnerable setup where caching is enabled and 
> login is not required for checkout, should either upgrade to 0.13, or as 
> I'll describe next, patch this immediately. The issue can be patched 
> without any modification to Mezzanine or Cartridge by adding the following 
> code to the *end* of your project's urls.py module:
>
> from django.conf.urls import url
> from django.views.decorators.cache import never_cache
> from cartridge.shop.views import invoice
> from mezzanine.conf import settings
>
> # Prepend the never_cache-wrapped invoice view so it is matched before
> # Cartridge's own pattern; the conditional is parenthesised so that the "%"
> # formatting is applied first (without the parentheses the whole pattern
> # collapses to "" when APPEND_SLASH is False).
> urlpatterns = [
>     url(r"^shop/invoice/(?P<order_id>\d+)%s$" % ("/" if settings.APPEND_SLASH else ""),
>         never_cache(invoice), name="shop_invoice"),
> ] + urlpatterns
>
> That simply adds the urlpattern for the invoice view to the *start* of the 
> urlpatterns, wrapping the invoice view in the no_cache decorator (which is 
> what the fix will be inside Cartridge itself). If you've modified your 
> urls.py module in some odd way, say for example where the urlpatterns 
> variable isn't a list, you'll need to change the above accordingly. The 
> important part is that the pattern for the decorated invoice view appears 
> *before* the existing urlpatterns for Cartridge (eg everything under 
> /shop/). If you have trouble with that, you could also prevent this issue 
> by disabling the cache (removing the CACHES setting), or if appropriate, 
> requiring authentication for purchases (by setting the 
> SHOP_CHECKOUT_ACCOUNT_REQUIRED to True).
>
> Thanks to John Bywater for reporting the issue privately over a week ago, 
> at which time I made the details available to the mezzanine-security 
> mailing list, giving everyone the chance to  patch their site before we 
> made the issue known publicly today with these new releases.
>
> And thanks also to all those who have contributed to these latest releases 
> over the last year or so.
>
>
> -- 
> Stephen McDonald
> http://jupo.org
>

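To make the cache behaviour concrete, here is an added example of my own (not code from Stephen's post, Mezzanine or Cartridge): a toy full-page cache modelled on Django's cache middleware, keyed on the request path only, together with a simplified invoice view that checks session ownership. It shows that an anonymous customer's invoice page is handed to a second anonymous visitor who asks for the same URL within the TTL, that the leak stops once the TTL has passed, and that a never_cache-style Cache-Control header keeps the page out of the cache altogether. It also builds the invoice URL pattern with the conditional parenthesised. All names (PageCache, Request, Response, invoice_view, serve, leaks, invoice_pattern) and the sample order are assumptions constructed for this demonstration.

```python
# Added example, not code from Stephen McDonald's post, Mezzanine or Cartridge.
# A toy page cache modelled on Django's cache middleware; every name here is an
# assumption made for this demonstration.
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    session: dict = field(default_factory=dict)  # anonymous user: session data only


@dataclass
class Response:
    body: str
    status: int = 200
    headers: dict = field(default_factory=dict)


def never_cache(view):
    """Wrap `view` so its responses carry the kind of Cache-Control value that
    django.views.decorators.cache.never_cache adds."""
    def wrapped(request, **kwargs):
        response = view(request, **kwargs)
        response.headers["Cache-Control"] = (
            "max-age=0, no-cache, no-store, must-revalidate, private")
        return response
    return wrapped


class PageCache:
    """Full-page cache keyed on the request path only (no session in the key),
    which is what lets a cached invoice reach whoever requests the URL next."""

    def __init__(self, ttl=60):
        self.ttl = ttl
        self._store = {}

    @staticmethod
    def uncacheable(response):
        cc = response.headers.get("Cache-Control", "")
        tokens = {t.strip().lower() for t in cc.split(",")}
        return response.status != 200 or bool(
            tokens & {"no-cache", "no-store", "private", "max-age=0"})

    def get(self, path, now):
        entry = self._store.get(path)
        return entry[0] if entry and now < entry[1] else None

    def put(self, path, response, now):
        if not self.uncacheable(response):
            self._store[path] = (response, now + self.ttl)


# Constructed sample data: one completed order placed by an anonymous customer.
ORDERS = {42: "Invoice #42: A. Example, 1 Sample Street, 1 x Widget"}


def invoice_view(request, order_id):
    """Serve the invoice only to the session that placed the order
    (a simplified stand-in for the real view's ownership check)."""
    if int(order_id) not in request.session.get("completed_orders", []):
        return Response("Not found", status=404)
    return Response(ORDERS[int(order_id)])


def serve(cache, view, request, now, order_id):
    """Cache middleware: answer from the cache when possible, otherwise run the
    view and offer its response to the cache."""
    cached = cache.get(request.path, now)
    if cached is not None:
        return cached
    response = view(request, order_id=order_id)
    cache.put(request.path, response, now)
    return response


def leaks(view, ttl=60, second_request_at=10):
    """True if a second anonymous visitor requesting the same invoice URL
    `second_request_at` seconds later receives the first customer's page."""
    cache = PageCache(ttl=ttl)
    customer = Request("/shop/invoice/42/", session={"completed_orders": [42]})
    stranger = Request("/shop/invoice/42/", session={})
    serve(cache, view, customer, now=0, order_id="42")
    second = serve(cache, view, stranger, now=second_request_at, order_id="42")
    return second.status == 200 and second.body == ORDERS[42]


def invoice_pattern(append_slash):
    """URL pattern for the invoice view; the conditional must be parenthesised,
    otherwise the whole string becomes "" when append_slash is False."""
    return r"^shop/invoice/(?P<order_id>\d+)%s$" % ("/" if append_slash else "")


def match_order_id(append_slash, path):
    """Return the order id captured by the pattern, or None if it does not match."""
    m = re.match(invoice_pattern(append_slash), path)
    return m.group("order_id") if m else None


if __name__ == "__main__":
    print("plain view leaks within TTL:", leaks(invoice_view))
    print("plain view leaks after TTL:", leaks(invoice_view, second_request_at=61))
    print("never_cache view leaks:", leaks(never_cache(invoice_view)))
    print("pattern:", invoice_pattern(True), match_order_id(True, "shop/invoice/42/"))
```

The point of the `leaks` helper is that the cache key never includes the session, so the only thing standing between the cached page and the next visitor is the response's own cache headers; that is why wrapping the view (rather than, say, changing the ownership check) is the fix, and why disabling CACHES or requiring login for checkout also removes the exposure.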