Commit 7f8dd9cb authored by Alex Gaynor's avatar Alex Gaynor

[1.1.X] Fix a security issue in the auth system. Disclosure and new release forthcoming.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.1.X@15036 bcc190cf-cafb-0310-a4f2-bffc1f526a37
parent 17084839
+5 −0
@@ -34,4 +34,9 @@ True
>>> p2.check_token(u, tk1)
False

This will put a 14-digit base36 timestamp into the token, which is too large.
>>> tk1 = p0._make_token_with_timestamp(u, 175455491841851871349)
>>> p0.check_token(u, tk1)
False

"""
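Review bot: The added doctest covers only one oversized timestamp (14 base36 digits) and leaves the boundary of the new limit untested. A companion case that builds a token with a 13-digit timestamp and asserts that `check_token` returns a normal result without raising would pin the limit at exactly 13, so a later change to the constant cannot pass unnoticed. The prose line could also name the mechanism, for example `The timestamp is 14 base36 digits, one more than base36_to_int accepts, so the token is rejected before any comparison.`, assuming `check_token` treats the `ValueError` as a failed check (that code is not in this hunk). The enclosing docstring starts outside the hunk.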
+2 −2
@@ -11,7 +11,7 @@ urlpatterns = patterns('',
    (r'^password_change/done/$', 'django.contrib.auth.views.password_change_done'),
    (r'^password_reset/$', 'django.contrib.auth.views.password_reset'),
    (r'^password_reset/done/$', 'django.contrib.auth.views.password_reset_done'),
    (r'^reset/(?P<uidb36>[0-9A-Za-z]+)-(?P<token>.+)/$', 'django.contrib.auth.views.password_reset_confirm'),
    (r'^reset/(?P<uidb36>[0-9A-Za-z]{1,13})-(?P<token>[0-9A-Za-z]{1,13}-[0-9A-Za-z]{1,20})/$', 'django.contrib.auth.views.password_reset_confirm'),
    (r'^reset/done/$', 'django.contrib.auth.views.password_reset_complete'),
)
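Review bot: The bounds `{1,13}` and `{1,20}` in the new `reset/` pattern are unexplained magic numbers, and the 13 must stay in step with the length check added to `base36_to_int` in this same commit. A comment above the entry would make the coupling visible, for example `# uidb36 and the token timestamp are capped at 13 base36 digits (see django.utils.http.base36_to_int); the second token part is capped at 20 characters`. The 20 presumably matches the length of the hash segment the token generator emits, which is not visible here and should be confirmed. This regex only protects deployments that use this URLconf: a project that routes `password_reset_confirm` through its own pattern still depends entirely on the check inside `base36_to_int`, which is worth stating in the release notes.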
+6 −1
@@ -73,8 +73,13 @@ def http_date(epoch_seconds=None):

def base36_to_int(s):
    """
    Convertd a base 36 string to an integer
    Converts a base 36 string to an ``int``. To prevent
    overconsumption of server resources, raises ``ValueError` if the
    input is longer than 13 base36 digits (13 digits is sufficient to
    base36-encode any 64-bit integer).
    """
    if len(s) > 13:
        raise ValueError("Base36 input too large")
    return int(s, 36)

def int_to_base36(i):
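Review bot: The new `len(s) > 13` guard in `base36_to_int` bounds the input length but not the decoded value: 13 base36 digits reach 36**13 - 1, which is larger than a signed 64-bit integer. A caller that passes the result to a database lookup (not shown in this hunk) may still receive an out-of-range number. Consider checking the value as well, with `value = int(s, 36)` followed by `if value > sys.maxint: raise ValueError("Base36 input too large")` and `return value`, which needs `import sys` at the top of the module. `len(s)` also counts any sign or surrounding whitespace that `int()` tolerates, so "13 digits" in the docstring is really "13 characters". The docstring's ``ValueError` is missing its closing backtick. `int_to_base36` continues outside the hunk.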