MySQL typecasting

Bug #1309784 reported by Luke Faraone
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
python-django (Ubuntu)
Fix Released
Undecided
Unassigned
Lucid
Fix Released
Undecided
Unassigned
Precise
Fix Released
Undecided
Unassigned
Quantal
Fix Released
Undecided
Unassigned
Saucy
Fix Released
Undecided
Unassigned
Trusty
Fix Released
Undecided
Unassigned

Bug Description

The MySQL database is known to "typecast" on certain queries; for
example, when querying a table which contains string values, but using
a query which filters based on an integer value, MySQL will first
silently coerce the strings to integers, and return a result based on
that.

Django's model field classes are aware of their own types, and most
such classes perform explicit conversion of query arguments to the
correct database-level type before querying. However, three model
field classes did not correctly convert their arguments:

* ``FilePathField``

* ``GenericIPAddressField``

* ``IPAddressField``

These three fields have been updated to convert their arguments to the
correct types before querying.

Additionally, developers of custom model fields are now warned via
documentation to ensure their custom field classes will perform
appropriate type conversions, and users of the ``raw()`` and
``extra()`` query methods -- which allow the developer to supply raw
SQL or SQL fragments -- will be advised to ensure they perform
appropriate manual type conversions prior to executing queries.

information type: Private Security → Public Security
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.1.1-2ubuntu1.10

---------------
python-django (1.1.1-2ubuntu1.10) lucid-security; urgency=medium

  * SECURITY UPDATE: unexpected code execution using reverse()
    (LP: #1309779)
    - debian/patches/CVE-2014-0472.patch: added filtering to
      django/core/urlresolvers.py, added tests to
      tests/regressiontests/urlpatterns_reverse/nonimported_module.py,
      tests/regressiontests/urlpatterns_reverse/tests.py,
      tests/regressiontests/urlpatterns_reverse/urls.py,
      tests/regressiontests/urlpatterns_reverse/views.py.
    - CVE-2014-0472
  * SECURITY UPDATE: caching of anonymous pages could reveal CSRF token
    (LP: #1309782)
    - debian/patches/CVE-2014-0473.patch: don't cache responses with a
      cookie in django/middleware/cache.py, backport has_vary_header() to
      django/utils/cache.py.
    - CVE-2014-0473
  * SECURITY UPDATE: MySQL typecasting issue (LP: #1309784)
    - debian/patches/CVE-2014-0474.patch: convert arguments to correct
      type in django/db/models/fields/__init__.py, added tests to
      tests/regressiontests/model_fields/tests.py.
    - CVE-2014-0474
 -- Marc Deslauriers <email address hidden> Sat, 19 Apr 2014 11:21:00 -0400

Changed in python-django (Ubuntu Lucid):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.6.1-2ubuntu0.1

---------------
python-django (1.6.1-2ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: unexpected code execution using reverse()
    (LP: #1309779)
    - debian/patches/CVE-2014-0472.patch: added filtering to
      django/core/urlresolvers.py, added tests to
      tests/urlpatterns_reverse/nonimported_module.py,
      tests/urlpatterns_reverse/tests.py,
      tests/urlpatterns_reverse/urls.py,
      tests/urlpatterns_reverse/views.py.
    - CVE-2014-0472
  * SECURITY UPDATE: caching of anonymous pages could reveal CSRF token
    (LP: #1309782)
    - debian/patches/CVE-2014-0473.patch: don't cache responses with a
      cookie in django/middleware/cache.py, added tests to
      tests/cache/tests.py.
    - CVE-2014-0473
  * SECURITY UPDATE: MySQL typecasting issue (LP: #1309784)
    - debian/patches/CVE-2014-0474.patch: convert arguments to correct
      type in django/db/models/fields/__init__.py, updated docs in
      docs/howto/custom-model-fields.txt, docs/ref/databases.txt,
      docs/ref/models/querysets.txt, docs/topics/db/sql.txt, added tests to
      tests/model_fields/tests.py.
    - CVE-2014-0474
 -- Marc Deslauriers <email address hidden> Sat, 19 Apr 2014 08:50:48 -0400

Changed in python-django (Ubuntu Trusty):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.3.1-4ubuntu1.9

---------------
python-django (1.3.1-4ubuntu1.9) precise-security; urgency=medium

  * SECURITY UPDATE: unexpected code execution using reverse()
    (LP: #1309779)
    - debian/patches/CVE-2014-0472.patch: added filtering to
      django/core/urlresolvers.py, added tests to
      tests/regressiontests/urlpatterns_reverse/nonimported_module.py,
      tests/regressiontests/urlpatterns_reverse/tests.py,
      tests/regressiontests/urlpatterns_reverse/urls.py,
      tests/regressiontests/urlpatterns_reverse/views.py.
    - CVE-2014-0472
  * SECURITY UPDATE: caching of anonymous pages could reveal CSRF token
    (LP: #1309782)
    - debian/patches/CVE-2014-0473.patch: don't cache responses with a
      cookie in django/middleware/cache.py.
    - CVE-2014-0473
  * SECURITY UPDATE: MySQL typecasting issue (LP: #1309784)
    - debian/patches/CVE-2014-0474.patch: convert arguments to correct
      type in django/db/models/fields/__init__.py, updated docs in
      docs/howto/custom-model-fields.txt, docs/ref/databases.txt,
      docs/ref/models/querysets.txt, docs/topics/db/sql.txt, added tests to
      tests/regressiontests/model_fields/tests.py.
    - CVE-2014-0474
 -- Marc Deslauriers <email address hidden> Sat, 19 Apr 2014 09:27:04 -0400

Changed in python-django (Ubuntu Precise):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.4.1-2ubuntu0.5

---------------
python-django (1.4.1-2ubuntu0.5) quantal-security; urgency=medium

  * SECURITY UPDATE: unexpected code execution using reverse()
    (LP: #1309779)
    - debian/patches/CVE-2014-0472.patch: added filtering to
      django/core/urlresolvers.py, added tests to
      tests/regressiontests/urlpatterns_reverse/nonimported_module.py,
      tests/regressiontests/urlpatterns_reverse/tests.py,
      tests/regressiontests/urlpatterns_reverse/urls.py,
      tests/regressiontests/urlpatterns_reverse/views.py.
    - CVE-2014-0472
  * SECURITY UPDATE: caching of anonymous pages could reveal CSRF token
    (LP: #1309782)
    - debian/patches/CVE-2014-0473.patch: don't cache responses with a
      cookie in django/middleware/cache.py, added tests to
      tests/regressiontests/cache/tests.py.
    - CVE-2014-0473
  * SECURITY UPDATE: MySQL typecasting issue (LP: #1309784)
    - debian/patches/CVE-2014-0474.patch: convert arguments to correct
      type in django/db/models/fields/__init__.py, updated docs in
      docs/howto/custom-model-fields.txt, docs/ref/databases.txt,
      docs/ref/models/querysets.txt, docs/topics/db/sql.txt, added tests to
      tests/regressiontests/model_fields/tests.py.
    - CVE-2014-0474
  * debian/patches/fix_test_ftbfs.patch: fix ftbfs with upstream commit.
 -- Marc Deslauriers <email address hidden> Sat, 19 Apr 2014 09:12:33 -0400

Changed in python-django (Ubuntu Quantal):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.5.4-1ubuntu1.1

---------------
python-django (1.5.4-1ubuntu1.1) saucy-security; urgency=medium

  * SECURITY UPDATE: unexpected code execution using reverse()
    (LP: #1309779)
    - debian/patches/CVE-2014-0472.patch: added filtering to
      django/core/urlresolvers.py, added tests to
      tests/regressiontests/urlpatterns_reverse/nonimported_module.py,
      tests/regressiontests/urlpatterns_reverse/tests.py,
      tests/regressiontests/urlpatterns_reverse/urls.py,
      tests/regressiontests/urlpatterns_reverse/views.py.
    - CVE-2014-0472
  * SECURITY UPDATE: caching of anonymous pages could reveal CSRF token
    (LP: #1309782)
    - debian/patches/CVE-2014-0473.patch: don't cache responses with a
      cookie in django/middleware/cache.py, added tests to
      tests/regressiontests/cache/tests.py.
    - CVE-2014-0473
  * SECURITY UPDATE: MySQL typecasting issue (LP: #1309784)
    - debian/patches/CVE-2014-0474.patch: convert arguments to correct
      type in django/db/models/fields/__init__.py, updated docs in
      docs/howto/custom-model-fields.txt, docs/ref/databases.txt,
      docs/ref/models/querysets.txt, docs/topics/db/sql.txt, added tests to
      tests/regressiontests/model_fields/tests.py.
    - CVE-2014-0474
 -- Marc Deslauriers <email address hidden> Sat, 19 Apr 2014 09:06:51 -0400

Changed in python-django (Ubuntu Saucy):
status: New → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.