Re: [Django] #24625: Arbitrary file inclusion in admindocs

2015-04-14 Thread Django
#24625: Arbitrary file inclusion in admindocs
-------------------------------------+-------------------------------------
     Reporter:  MarkusH              |                    Owner:  MarkusH
         Type:  Bug                  |                   Status:  closed
    Component:  contrib.admindocs    |                  Version:  master
     Severity:  Normal               |               Resolution:  fixed
     Keywords:                       |             Triage Stage:  Ready for
                                     |  checkin
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Markus Holtermann):

 In [changeset:"584c6591a3c29c94026e3bebc3e5302a3d7530e3" 584c6591]:
 {{{
 #!CommitTicketReference repository=""
 revision="584c6591a3c29c94026e3bebc3e5302a3d7530e3"
 [1.8.x] Refs #24625 -- Filtered docutils warnings output in tests

 Instead of setting ``warning_stream`` in the docutils config overrides
 to ``False`` I opted for filtering the stderr in the tests to keep the
 error output showing up in server logs.

 Thanks Tim Graham for the report and review

 Backport of 3caf7efb44712f89d6552076c240a3c898673a2c from master
 }}}

--
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/065.387e4ff7baad8c044215e8b6831fa84a%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.


Re: [Django] #24625: Arbitrary file inclusion in admindocs

2015-04-14 Thread Django
#24625: Arbitrary file inclusion in admindocs

Comment (by Markus Holtermann):

 In [changeset:"3caf7efb44712f89d6552076c240a3c898673a2c" 3caf7efb]:
 {{{
 #!CommitTicketReference repository=""
 revision="3caf7efb44712f89d6552076c240a3c898673a2c"
 Refs #24625 -- Filtered docutils warnings output in tests

 Instead of setting ``warning_stream`` in the docutils config overrides
 to ``False`` I opted for filtering the stderr in the tests to keep the
 error output showing up in server logs.

 Thanks Tim Graham for the report and review
 }}}



Re: [Django] #24625: Arbitrary file inclusion in admindocs

2015-04-11 Thread Django
#24625: Arbitrary file inclusion in admindocs

Comment (by Markus Holtermann):

 In [changeset:"3862826fedc99378279b85e602079b53593ae129" 3862826]:
 {{{
 #!CommitTicketReference repository=""
 revision="3862826fedc99378279b85e602079b53593ae129"
 [1.8.x] Fixed #24625 -- Prevented arbitrary file inclusion in admindocs

 Thanks Tim Graham for the review.

 Backport of 09595b4fc67ac4c94ed4e0d4c69acc1e4a748c81 from master
 }}}



Re: [Django] #24625: Arbitrary file inclusion in admindocs

2015-04-11 Thread Django
#24625: Arbitrary file inclusion in admindocs
Changes (by Markus Holtermann):

 * status:  new => closed
 * resolution:   => fixed


Comment:

 In [changeset:"09595b4fc67ac4c94ed4e0d4c69acc1e4a748c81" 09595b4]:
 {{{
 #!CommitTicketReference repository=""
 revision="09595b4fc67ac4c94ed4e0d4c69acc1e4a748c81"
 Fixed #24625 -- Prevented arbitrary file inclusion in admindocs

 Thanks Tim Graham for the review.
 }}}



Re: [Django] #24625: Arbitrary file inclusion in admindocs

2015-04-11 Thread Django
#24625: Arbitrary file inclusion in admindocs
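-------------------------------------+-------------------------------------
     Reporter:  MarkusH              |                    Owner:  MarkusH
         Type:  Bug                  |                   Status:  new
    Component:  contrib.admindocs    |                  Version:  master
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:  Ready for
                                     |  checkin
    Has patch:  1                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------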

Comment (by MarkusH):

 I think it mostly depends on the size and impact of the patch. The one for
 this issue is rather trivial and users who run into a regression with it
 will have other problems than outlined in this issue. Since it's not a
 security issue per se I'm fine with not backporting it to anything. It
 just feels dumb to keep that issue in a release that we'll support for 3+
 years which is why I'm +1 on backporting it to 1.8. Those users who are on
 1.7 are likely going to update to 1.8 sooner or later and are fine then.



Re: [Django] #24625: Arbitrary file inclusion in admindocs

2015-04-11 Thread Django
#24625: Arbitrary file inclusion in admindocs

Comment (by claudep):

 I think that when a core dev is volunteering to backport a patch, he
 should be allowed to do so (unless it obviously adds some regression
 risks).



Re: [Django] #24625: Arbitrary file inclusion in admindocs

2015-04-10 Thread Django
#24625: Arbitrary file inclusion in admindocs
Changes (by timgraham):

 * stage:  Accepted => Ready for checkin


Comment:

 I don't really see the issue as needing a backport based on our current
 policy, but I don't mind other than the perception that the core team
 plays by different rules. Do you want to lobby for adding "security
 hardening measures" to the list of fixes that will be backported?
