Re: Django security releases issued: 3.0.1, 2.2.9, and 1.11.27

2019-12-18 Thread אורי
Django developers,

We use Django 2.1 and anyway I saw that Django expects each user to have
one email address, where on Speedy Net each user can have multiple email
addresses. So I had to override *def save* in *class PasswordResetForm* on
Speedy Net:

https://github.com/speedy-net/speedy-net/blob/master/speedy/core/accounts/forms.py#L228-L279

I also added logging info to let us know who used the password reset form
and who received the password reset link.

I also checked and I noticed that if I reset the password of u...@speedy.net,
the email is sent to u...@speedy.net instead of u...@speedy.net - the email
is sent to the email the user submitted instead of the email the user has
on the database. This is a mistake. So I also updated the email to be sent
to the email the user has on the database - but the one matching the user
input and not just the primary email. So if a user has 2 email addresses,
and one stopped working, he can reset his password to the second email
address too, even if it's not his primary email address.

I decided to keep using Django 2.1 since there is still not a solution to
our Hebrew translation problem which I wrote you about in November.

Here is the code we use now (after I updated it today):

import logging

from django.contrib.auth import forms as auth_forms
from django.contrib.auth.tokens import default_token_generator
from django.contrib.sites.models import Site
from django.contrib.sites.shortcuts import get_current_site
from django.utils.encoding import force_bytes
from django.utils.http import urlsafe_base64_encode
from django.utils.translation import gettext_lazy as _
from crispy_forms.layout import Submit  # assumed: the Submit button object of django-crispy-forms

# FormHelperWithDefaults, UserEmailAddress and send_mail (the project's wrapper
# around django.core.mail) are Speedy Net's own; their import paths are not
# shown in this message.

logger = logging.getLogger(__name__)


class PasswordResetForm(auth_forms.PasswordResetForm):
    @property
    def helper(self):
        helper = FormHelperWithDefaults()
        helper.add_input(Submit('submit', _('Submit')))
        return helper

    def get_users(self, email):
        """
        Given an email, return matching user(s) who should receive a reset.

        Any of a user's addresses may match, not only the primary one, but
        only when the stored address equals the submitted one after lower-casing.
        """
        email_addresses = UserEmailAddress.objects.select_related('user').filter(email__iexact=email.lower())
        return {e.user for e in email_addresses if ((e.email == email.lower()) and (e.user.has_usable_password()))}

    def send_mail(self, subject_template_name, email_template_name,
                  context, from_email, to_email, html_email_template_name=None):
        """
        Send a django.core.mail.EmailMultiAlternatives to `to_email`.
        """
        send_mail(to=[to_email], template_name_prefix='email/accounts/password_reset', context=context)

    def save(self, domain_override=None,
             subject_template_name='registration/password_reset_subject.txt',
             email_template_name='registration/password_reset_email.html',
             use_https=False, token_generator=default_token_generator,
             from_email=None, request=None, html_email_template_name=None,
             extra_email_context=None):
        """
        Generate a one-use only link for resetting password and send
        it to the user.
        """
        email = self.cleaned_data["email"]
        site = Site.objects.get_current()
        users_list = self.get_users(email)
        logger.info(
            "PasswordResetForm::User submitted form, site_name={site_name}, email={email}, "
            "matching_users={matching_users}".format(
                site_name=_(site.name), email=email, matching_users=len(users_list)))
        for user in users_list:
            if not domain_override:
                current_site = get_current_site(request)
                site_name = current_site.name
                domain = current_site.domain
            else:
                site_name = domain = domain_override
            # Send to the stored address that matched the input, never to the raw input.
            user_email_list = [e.email for e in user.email_addresses.all() if (e.email == email.lower())]
            if (len(user_email_list) == 1):
                user_email = user_email_list[0]
                logger.info(
                    "PasswordResetForm::Sending reset link to the user, site_name={site_name}, "
                    "user={user}, user_email={user_email}".format(
                        site_name=_(site_name), user=user, user_email=user_email))
                context = {
                    'email': user_email,
                    'domain': domain,
                    'site_name': site_name,
                    # urlsafe_base64_encode() returns bytes in Django 2.1, hence .decode()
                    'uid': urlsafe_base64_encode(force_bytes(user.pk)).decode(),
                    'user': user,
                    'token': token_generator.make_token(user),
                    'protocol': 'https' if use_https else 'http',
                    **(extra_email_context or {}),
                }
                self.send_mail(subject_template_name, email_template_name, context,
                               from_email, user_email,
                               html_email_template_name=html_email_template_name)
            else:
                logger.error(
                    "PasswordResetForm::User doesn't have a matching email address, "
                    "site_name={site_name}, user={user}, email={email}".format(
                        site_name=_(site_name), user=user, email=email))


אורי
u...@speedy.net


On Wed, Dec 18, 2019 at 11:23 AM Mariusz Felisiak <
felisiak.mari...@gmail.com> wrote:

> Details are available on the Django project weblog:
>
> https://www.djangoproject.com/weblog/2019/dec/18/security-releases/
>

Re: Django security releases issued: 3.0.1, 2.2.9, and 1.11.27

2019-12-18 Thread Hanne Moa
This depends on the collation that is used. On a system sorting everything
as if it was Turkish, "ı" and "i" would be considered two different letters,
but I guess everywhere else they would be merged into "i".

On Wed, 18 Dec 2019 at 14:09, Dirk Groten  wrote:
>
> I've been looking in more detail into this issue, as some other Django 
> packages are affected also by this issue. Now, when I run the tests that are 
> provided with this fix using SQLite, the issue does not occur, whereas it 
> does happen for PostgreSQL (I haven't tested for MySQL). Is it correct that 
> in Postgres, `User.objects.filter(email__iexact='mık...@example.org')` will 
> match a user with email "m...@example.org" but SQLite won't find a match? And 
> if so, why is that? Is it dependent on specific Postgres settings?
>
> On Wednesday, December 18, 2019 at 10:23:35 AM UTC+1, Mariusz Felisiak wrote:
>>
>> Details are available on the Django project weblog:
>>
>> https://www.djangoproject.com/weblog/2019/dec/18/security-releases/
>>

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/CACQ%3Drrco062GzUG_tavb1mVjtMJuh%3Dvth6%2Bi_UK6sAvmPPGZWg%40mail.gmail.com.


Re: Django security releases issued: 3.0.1, 2.2.9, and 1.11.27

2019-12-18 Thread Mariusz Felisiak
 

SQLite only does an exact match, so it's not affected by Unicode Case
Mapping Collisions.



Re: Django security releases issued: 3.0.1, 2.2.9, and 1.11.27

2019-12-18 Thread Carlton Gibson
Hi Dirk.

You're correct, the issue doesn't appear to arise on SQLite. Pass on 
exactly why right now. Maybe there's some PostgreSQL setting that might 
avoid it but, in general, it's not dependent on specific PostgreSQL 
settings. 

Kind Regards,

Carlton


On Wednesday, 18 December 2019 14:09:52 UTC+1, Dirk Groten wrote:
>
> I've been looking in more detail into this issue, as some other Django 
> packages are affected also by this issue. Now, when I run the tests that 
> are provided with this fix using SQLite, the issue does not occur, whereas 
> it does happen for PostgreSQL (I haven't tested for MySQL). Is it correct 
> that in Postgres, `User.objects.filter(email__iexact='mık...@example.org')` 
> will match a user with email "mi...@example.org" but SQLite won't find a 
> match? And if so, why is that? Is it dependent on specific Postgres 
> settings?
>
> On Wednesday, December 18, 2019 at 10:23:35 AM UTC+1, Mariusz Felisiak 
> wrote:
>>
>> Details are available on the Django project weblog: 
>>
>> https://www.djangoproject.com/weblog/2019/dec/18/security-releases/ 
>>
>>



Re: Django security releases issued: 3.0.1, 2.2.9, and 1.11.27

2019-12-18 Thread Dirk Groten
I've been looking in more detail into this issue, as some other Django 
packages are affected also by this issue. Now, when I run the tests that 
are provided with this fix using SQLite, the issue does not occur, whereas 
it does happen for PostgreSQL (I haven't tested for MySQL). Is it correct 
that in Postgres, `User.objects.filter(email__iexact='mık...@example.org')` 
will match a user with email "m...@example.org" but SQLite won't find a 
match? And if so, why is that? Is it dependent on specific Postgres 
settings?

On Wednesday, December 18, 2019 at 10:23:35 AM UTC+1, Mariusz Felisiak 
wrote:
>
> Details are available on the Django project weblog: 
>
> https://www.djangoproject.com/weblog/2019/dec/18/security-releases/ 
>
>

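The three comparisons the thread contrasts, shown side by side on a constructed user table: a database that upper-cases with full Unicode rules (what Dirk observes on PostgreSQL), one that only folds ASCII (what Mariusz describes for SQLite), and the NFKC-plus-casefold comparison from Unicode TR #36 that re-checks candidates in Python. It also carries the multiple-addresses-per-user case from the Speedy Net message at the top of the thread, returning the stored address rather than the submitted string. This is an added example written for this page, not code from Django, Speedy Net or any poster; the users, addresses and the two database models are constructed stand-ins, and `reset_targets` is a hypothetical name for the two-stage lookup.

```python
import unicodedata

# Constructed sample data (not real accounts): a user may own several
# addresses, as in the Speedy Net set-up described earlier in the thread.
# "mıke" uses U+0131 LATIN SMALL LETTER DOTLESS I and is a different mailbox.
USERS = {
    "mike": ["mike@example.org", "mike.backup@example.net"],
    "mıke": ["mıke@example.org"],
}


def db_iexact_upper(a, b):
    """Model a database whose case-insensitive compare upper-cases with full
    Unicode rules (what the thread reports for PostgreSQL). Python's
    'ı'.upper() is 'I', so 'mıke' and 'mike' collide here."""
    return a.upper() == b.upper()


def db_iexact_ascii(a, b):
    """Model a database whose case folding only touches ASCII letters (SQLite's
    default): every non-ASCII character must match exactly, so no collision."""
    def fold(s):
        return "".join(c.lower() if c.isascii() else c for c in s)
    return fold(a) == fold(b)


def unicode_ci_compare(a, b):
    """Case-insensitive identifier comparison per Unicode TR #36 section
    2.11.2(B)(2): NFKC-normalize, then casefold. 'ı' has no case folding to
    'i', so the dotless form stays distinct from the dotted one."""
    return (unicodedata.normalize("NFKC", a).casefold()
            == unicodedata.normalize("NFKC", b).casefold())


def matching_users(submitted, compare):
    """Return {username: stored_address} for every user owning exactly one
    address that compares equal to the submitted string. The value is the
    address on record, never the submitted text, so a reset link is only ever
    sent to a mailbox the user actually registered."""
    result = {}
    for username, addresses in USERS.items():
        hits = [addr for addr in addresses if compare(submitted, addr)]
        if len(hits) == 1:
            result[username] = hits[0]
    return result


def reset_targets(submitted, db_compare=db_iexact_upper):
    """Two-stage lookup in the shape of the fix discussed in the thread: the
    database's case-insensitive filter yields candidates (it may over-match),
    and each candidate's stored address is then re-checked in Python with the
    stricter TR #36 comparison before any mail goes out."""
    candidates = matching_users(submitted, db_compare)
    return {user: addr for user, addr in candidates.items()
            if unicode_ci_compare(submitted, addr)}


if __name__ == "__main__":
    probe = "mıke@example.org"
    print("upper-case DB   :", sorted(matching_users(probe, db_iexact_upper)))
    print("ASCII-only DB   :", sorted(matching_users(probe, db_iexact_ascii)))
    print("after TR36 check:", sorted(reset_targets(probe)))
```

Running it shows the over-match directly: the upper-casing model returns both "mike" and "mıke" for the dotless probe, the ASCII-only model returns only "mıke", and the Python re-check trims the first result back to "mıke" alone. Swapping `db_iexact_upper` for a collation-aware comparison is where Hanne's point about Turkish collation would enter; the Python stage is what makes the outcome independent of it.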


Re: Django security releases issued: 3.0.1, 2.2.9, and 1.11.27

2019-12-18 Thread Markus Holtermann
Thanks for checking and asking!

On Python 2, the email address with "i without dot" isn't a valid email address 
according to the EmailValidator and thus shouldn't be in your database in the 
first place.

Cheers,

/Markus 

On Wed, Dec 18, 2019, at 11:23 AM, Sam Willis wrote:
> Hi,
> 
> It looks to me like this has introduced a slight behaviour difference 
> with 1.11 on python 2.7 than on 3.x:
> 
> https://github.com/django/django/commit/f4cff43bf921fcea6a29b726eb66767f67753fa2#diff-e840e362abe9e625eee52d91897400bdR36
> 
> The release notes don't indicate what the difference in behaviour is 
> between python 2 and 3.
> 
> I'm trying to follow the change and test cases but it looks like if you 
> have two users 'm...@example.org' and 'mık...@example.org' (which is 
> highly unlikely anyway to happen legitimately) neither can reset their 
> password anymore on py2?
> 
> See: 
> https://github.com/django/django/commit/f4cff43bf921fcea6a29b726eb66767f67753fa2#diff-d4ef44f66fdc7127c6178eee0fdcaf57R697
>  
> 
> I'm guessing this was found after the similar GitHub vulnerability was found?
> 
> Thanks for the hard work!
> 
> On Wednesday, December 18, 2019 at 9:23:35 AM UTC, Mariusz Felisiak 
> wrote:
> > Details are available on the Django project weblog: 
> > 
> > https://www.djangoproject.com/weblog/2019/dec/18/security-releases/ 
> > 
> 



Re: Django security releases issued: 3.0.1, 2.2.9, and 1.11.27

2019-12-18 Thread Sam Willis
Hi,

It looks to me like this has introduced a slight behaviour difference with 
1.11 on python 2.7 than on 3.x:

https://github.com/django/django/commit/f4cff43bf921fcea6a29b726eb66767f67753fa2#diff-e840e362abe9e625eee52d91897400bdR36

The release notes don't indicate what the difference in behaviour is 
between python 2 and 3.

I'm trying to follow the change and test cases but it looks like if you 
have two users 'm...@example.org' and 'mık...@example.org' (which is highly 
unlikely anyway to happen legitimately) neither can reset their password 
anymore on py2?

See: 
https://github.com/django/django/commit/f4cff43bf921fcea6a29b726eb66767f67753fa2#diff-d4ef44f66fdc7127c6178eee0fdcaf57R697

I'm guessing this was found after the similar GitHub vulnerability was 
found?

Thanks for the hard work!

On Wednesday, December 18, 2019 at 9:23:35 AM UTC, Mariusz Felisiak wrote:
>
> Details are available on the Django project weblog: 
>
> https://www.djangoproject.com/weblog/2019/dec/18/security-releases/ 
>
>



Django security releases issued: 3.0.1, 2.2.9, and 1.11.27

2019-12-18 Thread Mariusz Felisiak

Details are available on the Django project weblog:

https://www.djangoproject.com/weblog/2019/dec/18/security-releases/
