Regression in security upload - self-tests fail if MANAGERS is defined in settings.py

Bug #1080204 reported by James Troup
Affects                   Status        Importance  Assigned to       Milestone
python-django (Debian)    Fix Released  Unknown
python-django (Ubuntu)    Fix Released  Undecided   Jamie Strandboge
  Lucid                   Fix Released  Undecided   Jamie Strandboge
  Oneiric                 Fix Released  Undecided   Jamie Strandboge
  Precise                 Fix Released  Undecided   Jamie Strandboge
  Quantal                 Fix Released  Undecided   Jamie Strandboge
  Raring                  Fix Released  Undecided   Jamie Strandboge

Bug Description

With the recent security upload of django, the self-tests will fail on
any site if the MANAGERS variable is defined in settings.py. This is
because the admin gets mail about the SuspiciousOperation traceback,
and the new test test_poisoned_http_host() only looks to see whether
there is any mail at all, not who the mail is to or what it is.

james@ornery:~/scratch/test/mysite$ python manage.py test
Creating test database for alias 'default'...
..................................................................................> /usr/lib/python2.7/dist-packages/django/contrib/auth/tests/views.py(137)test_poisoned_http_host()
-> self.assertEqual(len(mail.outbox), 0)
(Pdb) print mail.outbox
[<django.core.mail.message.EmailMultiAlternatives object at 0x263c490>]
(Pdb) print mail.outbox[0].to
['<email address hidden>']
(Pdb) print mail.outbox[0].subject
[Django] ERROR (EXTERNAL IP): Internal Server Error: /password_reset/
(Pdb) print mail.outbox[0].body
Traceback (most recent call last):

  File "/usr/lib/python2.7/dist-packages/django/core/handlers/base.py", line 89, in get_response
    response = middleware_method(request)

  File "/usr/lib/python2.7/dist-packages/django/middleware/common.py", line 55, in process_request
    host = request.get_host()

  File "/usr/lib/python2.7/dist-packages/django/http/__init__.py", line 218, in get_host
    raise SuspiciousOperation('Invalid HTTP_HOST header: %s' % host)

SuspiciousOperation: Invalid HTTP_HOST header: www.example:<email address hidden>

<WSGIRequest
path:/password_reset/,
GET:<QueryDict: {}>,
POST:<QueryDict: {u'email': [<email address hidden>']}>,
COOKIES:{},
META:{'CONTENT_LENGTH': 111,
 'CONTENT_TYPE': 'multipart/form-data; boundary=BoUnDaRyStRiNg',
 'HTTP_COOKIE': '',
 'HTTP_HOST': 'www.example:<email address hidden>',
 'PATH_INFO': u'/password_reset/',
 'QUERY_STRING': '',
 'REMOTE_ADDR': '127.0.0.1',
 'REQUEST_METHOD': 'POST',
 'SCRIPT_NAME': u'',
 'SERVER_NAME': 'testserver',
 'SERVER_PORT': '80',
 'SERVER_PROTOCOL': 'HTTP/1.1',
 'wsgi.errors': <cStringIO.StringO object at 0x2626fb8>,
 'wsgi.input': <django.test.client.FakePayload object at 0x2614790>,
 'wsgi.multiprocess': True,
 'wsgi.multithread': False,
 'wsgi.run_once': False,
 'wsgi.url_scheme': 'http',
 'wsgi.version': (1, 0)}>
(Pdb)
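The mismatch James describes, as an added Python example that is not Django's code and not part of this bug report: a simplified host validator modelled on the check Django 1.4.2 added for CVE-2012-4520, a stand-in for the locmem mail outbox, a request handler that mails ADMINS on a 500 the way Django's AdminEmailHandler does, and the two ways of asserting "no password reset mail went out". The regex, all function names, the addresses and the reset-link format are assumptions of this example, and the admin e-mail subject is copied from the traceback above only for recognisability.

```python
import re

# Assumption: a simplified, case-insensitive version of the host validation
# regex Django 1.4.2 introduced; not Django's exact code.
HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9:]+\])(:\d+)?$", re.IGNORECASE)

ADMINS = ["admin@example.com"]   # constructed: what settings.py had in the report


class SuspiciousOperation(Exception):
    pass


def get_host(meta):
    """Reject a Host header that could smuggle a foreign domain into a reset link."""
    host = meta.get("HTTP_HOST") or meta["SERVER_NAME"]
    if not HOST_RE.match(host):
        raise SuspiciousOperation("Invalid HTTP_HOST header: %s" % host)
    return host


# Stand-in for django.core.mail.outbox under the locmem test backend.
outbox = []


def send_mail(subject, body, to):
    outbox.append({"subject": subject, "body": body, "to": list(to)})


def password_reset_view(meta, email):
    """Build the reset link from the (validated) Host header and mail it."""
    host = get_host(meta)
    link = "http://%s/reset/abc123/" % host          # constructed token and path
    send_mail("Password reset", "Reset here: %s" % link, [email])
    return 200


def handle_request(meta, email):
    """A SuspiciousOperation becomes a 500 and, like AdminEmailHandler,
    the traceback is mailed to ADMINS. That mail lands in the same outbox."""
    try:
        return password_reset_view(meta, email)
    except SuspiciousOperation as exc:
        send_mail("[Django] ERROR (EXTERNAL IP): Internal Server Error: /password_reset/",
                  "SuspiciousOperation: %s" % exc, ADMINS)
        return 500


def reset_mails_for(email):
    """Only the mail an attacker would care about: a reset link sent to the victim."""
    return [m for m in outbox if email in m["to"] and m["subject"] == "Password reset"]


def run_poisoned_host_check(poisoned_host, victim="victim@example.com"):
    """Replay the poisoned-host test two ways.

    naive_pass   mirrors len(mail.outbox) == 0, the check that fails once
                 ADMINS/MANAGERS is set, because the 500 notification counts.
    precise_pass checks what the security test is actually about: no reset
                 link for the victim was generated from the poisoned host.
    """
    del outbox[:]
    meta = {"HTTP_HOST": poisoned_host, "SERVER_NAME": "testserver"}
    status = handle_request(meta, victim)
    return {
        "status": status,
        "naive_pass": len(outbox) == 0,
        "precise_pass": len(reset_mails_for(victim)) == 0,
        "admin_mails": sum(1 for m in outbox if m["to"] == ADMINS),
    }


if __name__ == "__main__":
    print(run_poisoned_host_check("www.example:victim@example.com"))
```

With ADMINS set, the poisoned request is rejected with a 500 and no reset mail is produced, yet `naive_pass` is False because the admin traceback mail is the one item in the outbox; `precise_pass` is True. Clearing ADMINS/MANAGERS for the duration of the test, as the Ubuntu patch does by isolating the test from the 500, is the other way to make the naive check reliable.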

Changed in python-django (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → Confirmed
Changed in python-django (Ubuntu):
status: Confirmed → In Progress
Revision history for this message
Jamie Strandboge (jdstrand) wrote :
Changed in python-django (Ubuntu Lucid):
status: New → In Progress
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in python-django (Ubuntu Oneiric):
status: New → In Progress
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in python-django (Ubuntu Precise):
status: New → In Progress
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in python-django (Ubuntu Quantal):
status: New → In Progress
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in python-django (Ubuntu Quantal):
status: In Progress → Fix Committed
Changed in python-django (Ubuntu Precise):
status: In Progress → Fix Committed
Changed in python-django (Ubuntu Oneiric):
status: In Progress → Fix Committed
Changed in python-django (Ubuntu Raring):
status: In Progress → Fix Committed
Changed in python-django (Ubuntu Lucid):
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.4.2-1ubuntu1

---------------
python-django (1.4.2-1ubuntu1) raring-proposed; urgency=low

  * Don't fail self-tests if MANAGERS or ADMINS is defined in settings.py
    - debian/patches/lp1080204.diff: Isolate poisoned_http_host tests from
      500. This can be dropped in 1.4.3.
    - https://code.djangoproject.com/ticket/19172
    - LP: #1080204
 -- Jamie Strandboge <email address hidden> Mon, 19 Nov 2012 16:10:39 -0600

Changed in python-django (Ubuntu Raring):
status: Fix Committed → Fix Released
Changed in python-django (Debian):
status: Unknown → New
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.3.1-4ubuntu1.4

---------------
python-django (1.3.1-4ubuntu1.4) precise-security; urgency=low

  * Add additional tests for CVE-2012-4520
    - debian/patches/CVE-2012-4520-additional-tests.diff: add various poisoned
      host header test material
  * Don't fail self-tests if MANAGERS or ADMINS is defined in settings.py
    - debian/patches/lp1080204.diff: Isolate poisoned_http_host tests from 500
    - https://code.djangoproject.com/ticket/19172
    - LP: #1080204
 -- Jamie Strandboge <email address hidden> Mon, 19 Nov 2012 15:12:35 -0600

Changed in python-django (Ubuntu Precise):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.1.1-2ubuntu1.7

---------------
python-django (1.1.1-2ubuntu1.7) lucid-security; urgency=low

  * Add additional tests for CVE-2012-4520
    - debian/patches/CVE-2012-4520-additional-tests.diff: add various poisoned
      host header test material
  * Don't fail self-tests if MANAGERS or ADMINS is defined in settings.py
    - debian/patches/lp1080204.diff: Isolate poisoned_http_host tests from 500
    - https://code.djangoproject.com/ticket/19172
    - LP: #1080204
 -- Jamie Strandboge <email address hidden> Mon, 19 Nov 2012 15:20:21 -0600

Changed in python-django (Ubuntu Lucid):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.4.1-2ubuntu0.2

---------------
python-django (1.4.1-2ubuntu0.2) quantal-security; urgency=low

  * Add additional tests for CVE-2012-4520
    - debian/patches/CVE-2012-4520-additional-tests.diff: add various poisoned
      host header test material
  * Don't fail self-tests if MANAGERS or ADMINS is defined in settings.py
    - debian/patches/lp1080204.diff: Isolate poisoned_http_host tests from 500
    - https://code.djangoproject.com/ticket/19172
    - LP: #1080204
 -- Jamie Strandboge <email address hidden> Mon, 19 Nov 2012 14:16:05 -0600

Changed in python-django (Ubuntu Quantal):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-django - 1.3-2ubuntu1.5

---------------
python-django (1.3-2ubuntu1.5) oneiric-security; urgency=low

  * Add additional tests for CVE-2012-4520
    - debian/patches/CVE-2012-4520-additional-tests.diff: add various poisoned
      host header test material
  * Don't fail self-tests if MANAGERS or ADMINS is defined in settings.py
    - debian/patches/lp1080204.diff: Isolate poisoned_http_host tests from 500
    - https://code.djangoproject.com/ticket/19172
    - LP: #1080204
 -- Jamie Strandboge <email address hidden> Mon, 19 Nov 2012 15:16:25 -0600

Changed in python-django (Ubuntu Oneiric):
status: Fix Committed → Fix Released
Changed in python-django (Debian):
status: New → Fix Released