From 6eefa521be3c658dc0b38f8d62d52e9801e198ab Mon Sep 17 00:00:00 2001
From: James Bennett
Date: Wed, 16 Aug 2006 06:29:22 +0000
Subject: [PATCH 3/8] 0.90-fixes: Fixed minor security hole in compile-messages.py. See trunk patch in [3592]
git-svn-id: http://code.djangoproject.com/svn/django/branches/0.90-bugfixes@3594 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
 django/bin/compile-messages.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/django/bin/compile-messages.py b/django/bin/compile-messages.py
index 0b5127f6b2..79d5ff17b2 100755
--- a/django/bin/compile-messages.py
+++ b/django/bin/compile-messages.py
@@ -19,6 +19,13 @@ for (dirpath, dirnames, filenames) in os.walk(basedir):
 if file.endswith('.po'):
 sys.stderr.write('processing file %s in %s\n' % (file, dirpath))
 pf = os.path.splitext(os.path.join(dirpath, file))[0]
- cmd = 'msgfmt -o %s.mo %s.po' % (pf, pf)
+ # Store the names of the .mo and .po files in an environment
+ # variable, rather than doing a string replacement into the
+ # command, so that we can take advantage of shell quoting, to
+ # quote any malicious characters/escaping.
+ # See http://cyberelk.net/tim/articles/cmdline/ar01s02.html
+ os.environ['djangocompilemo'] = pf + '.mo'
+ os.environ['djangocompilepo'] = pf + '.po'
+ cmd = 'msgfmt -o "$djangocompilemo" "$djangocompilepo"'
 os.system(cmd)
-- 2.34.1
From b2f1f380b31a029c7f2882ff1ebeb6f044a02381 Mon Sep 17 00:00:00 2001
From: James Bennett
Date: Tue, 5 Sep 2006 16:04:23 +0000
Subject: [PATCH 4/8] 0.90-bugfixes: fix a problem on mod_python that could result in stale DB connections
git-svn-id: http://code.djangoproject.com/svn/django/branches/0.90-bugfixes@3726 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
 django/core/handlers/modpython.py | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/django/core/handlers/modpython.py b/django/core/handlers/modpython.py
index e52879065f..0c65a86ae3 100644
--- a/django/core/handlers/modpython.py
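Review bot: The exit status of `os.system(cmd)` on the hunk's last context line is still discarded, so a `.po` file that msgfmt rejects goes unreported and the loop simply moves on; `if os.system(cmd) != 0: sys.stderr.write('msgfmt failed for %s\n' % pf)` would make that visible. The double-quoted `$djangocompilemo`/`$djangocompilepo` expansions are not re-parsed by a POSIX shell, so the new code does keep arbitrary filename characters out of the command line, but the protection now rests on `os.system` using such a shell, and it leaves the two variables in the process environment after the loop ends. Since both paths are already held in Python, `os.spawnlp(os.P_WAIT, 'msgfmt', 'msgfmt', '-o', pf + '.mo', pf + '.po')` would take the shell out of the picture entirely and leave nothing to quote. The enclosing `for` loop starts outside the hunk.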
+++ b/django/core/handlers/modpython.py
@@ -137,13 +137,12 @@ class ModPythonHandler(BaseHandler):
 try:
 request = ModPythonRequest(req)
 response = self.get_response(req.uri, request)
+ # Apply response middleware
+ for middleware_method in self._response_middleware:
+ response = middleware_method(request, response)
 finally:
 db.db.close()
- # Apply response middleware
- for middleware_method in self._response_middleware:
- response = middleware_method(request, response)
-
 # Convert our custom HttpResponse object back into the mod_python req.
 populate_apache_request(response, req)
 return 0 # mod_python.apache.OK
-- 2.34.1
From 4f5fb9f5dbf67401d2820252532179d7a4f5ac00 Mon Sep 17 00:00:00 2001
From: James Bennett
Date: Tue, 5 Sep 2006 16:36:44 +0000
Subject: [PATCH 5/8] 0.90-bugfixes: changes in the README to provide more useful info on the branch and how it relates to Django proper
git-svn-id: http://code.djangoproject.com/svn/django/branches/0.90-bugfixes@3730 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
 README | 59 +++++++++++++++++++++++++++++++++++------------------------
 1 file changed, 35 insertions(+), 24 deletions(-)
diff --git a/README b/README
index d52451d3ba..13afd5fea2 100644
--- a/README
+++ b/README
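Review bot: Nothing in the moved loop records why the response middleware has to run inside the `try`, so a later tidy-up could move it back below `finally:` and quietly reintroduce the problem the subject line describes; replacing the bare `# Apply response middleware` with a why-comment such as `# Response middleware may touch the database, so it must run before the finally below closes the connection` would protect it. The stale-connection failure mode is taken from the commit message rather than anything visible in the hunk, so word the comment as a requirement, not a description of past breakage. One consequence worth stating alongside it is that a middleware that raises now still reaches `db.db.close()` through the `finally`, which is the intended behaviour. The enclosing method's signature lies outside the hunk.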
@@ -1,37 +1,48 @@
-Django is a high-level Python Web framework that encourages rapid development
-and clean, pragmatic design.
+Django is a high-level Python Web framework that encourages rapid
+development and clean, pragmatic design.
-All documentation is in the "docs" directory and online at
-http://www.djangoproject.com/documentation/. If you're just getting started,
-here's how we recommend you read the docs:
- * First, read docs/install.txt for instructions on installing Django.
+About this version
+==================
- * Next, work through the tutorials in order (docs/tutorial01.txt,
- docs/tutorial02.txt, etc.).
+This is the Django 0.90 "bugfixes" branch, which is intended to
+provide bugfix and patch support for users of Django 0.90 who have not
+been able to migrate to a more recent version. No new features will be
+added in this branch, and it is maintained solely as a means of
+providing support to legacy Django installations.
- * If you want to set up an actual deployment server, read docs/modpython.txt
- for instructions on running Django under mod_python.
+If you're completely new to Django we highly recommend that you use
+either the latest stable release or a Subversion checkout from
+Django's trunk; Django is always evolving, and the latest and greatest
+features are only available to users of newer versions of the
+framework.
- * The rest of the documentation is of the reference-manual variety.
- Read it -- and the FAQ -- as you run into problems.
-Docs are updated rigorously. If you find any problems in the docs, or think they
-should be clarified in any way, please take 30 seconds to fill out a ticket
-here:
+More information
+================
-http://code.djangoproject.com/newticket
+The complete history of bugs fixed in this branch can be viewed online
+at http://code.djangoproject.com/log/django/branches/0.90-bugfixes.
-To get more help:
+We also recommend that users of this branch subscribe to the
+"django-announce" mailing list, a low-traffic, announcements-only list
+which will send messages whenever an important (i.e.,
+security-related) bug is fixed. You can subscribe to the list via
+Google Groups at http://groups.google.com/group/django-announce.
- * Join the #django channel on irc.freenode.net. Lots of helpful people
- hang out there. Read the archives at http://loglibrary.com/179 .
+The documentation for this version of Django has been frozen, and is
+available online at http://www.djangoproject.com/documentation/0_90/.
- * Join the django-users mailing list, or read the archives, at
- http://groups-beta.google.com/group/django-users.
-To contribute to Django:
+Submitting bugs
+===============
- * Check out http://www.djangoproject.com/community/ for information
- about getting involved.
+If you run into a bug in Django 0.90, please search the Django ticket
+database to see if the issue has already been reported; if not, please
+head over to http://code.djangoproject.com/newticket and file a new
+ticket with as much information about the bug as you can provide.
+If you're running into a bug which has been reported but not fixed,
+feel free to update the ticket with any additional information you
+have, and to assign it to 'ubernostrum' (AKA James Bennett, the
+maintainer of this branch).
-- 2.34.1
From 56075c08c3bcd42a03b173aaed48af238393be12 Mon Sep 17 00:00:00 2001
From: James Bennett
Date: Tue, 2 Jan 2007 19:47:10 +0000
Subject: [PATCH 6/8] 0.90-bugfixes: backport [2238]. Refs #1148
git-svn-id: http://code.djangoproject.com/svn/django/branches/0.90-bugfixes@4270 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
 django/core/meta/__init__.py | 4 ++--
 django/core/meta/fields.py | 4 +---
 2 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/django/core/meta/__init__.py b/django/core/meta/__init__.py
index 328a2f449c..9b11b3a6cc 100644
--- a/django/core/meta/__init__.py
+++ b/django/core/meta/__init__.py
@@ -1126,9 +1126,9 @@ def _get_where_clause(lookup_type, table_prefix, field_name, value):
 pass
 if lookup_type == 'in':
 return '%s%s IN (%s)' % (table_prefix, field_name, ','.join(['%s' for v in value]))
- elif lookup_type in ('range', 'year'):
+ elif lookup_type == 'range':
 return '%s%s BETWEEN %%s AND %%s' % (table_prefix, field_name)
- elif lookup_type in ('month', 'day'):
+ elif lookup_type in ('year', 'month', 'day'):
 return "%s = %%s" % db.get_date_extract_sql(lookup_type, table_prefix + field_name)
 elif lookup_type == 'isnull':
 return "%s%s IS %sNULL" % (table_prefix, field_name, (not value and 'NOT ' or ''))
diff --git a/django/core/meta/fields.py b/django/core/meta/fields.py
index 06403f0a31..68410d5630 100644
--- a/django/core/meta/fields.py
+++ b/django/core/meta/fields.py
@@ -157,12 +157,10 @@ class Field(object):
 def get_db_prep_lookup(self, lookup_type, value):
 "Returns field's value prepared for database lookup."
- if lookup_type in ('exact', 'gt', 'gte', 'lt', 'lte', 'ne', 'month', 'day'):
+ if lookup_type in ('exact', 'gt', 'gte', 'lt', 'lte', 'ne', 'year', 'month', 'day'):
 return [value]
 elif lookup_type in ('range', 'in'):
 return value
- elif lookup_type == 'year':
- return ['%s-01-01' % value, '%s-12-31' % value]
 elif lookup_type in ('contains', 'icontains'):
 return ["%%%s%%" % prep_for_like_query(value)]
 elif lookup_type == 'iexact':
-- 2.34.1
From 78217bfc3a22edac3986bd11035b9bff3c186bc9 Mon Sep 17 00:00:00 2001
From: James Bennett
Date: Wed, 24 Jan 2007 19:55:43 +0000
Subject: [PATCH 7/8] 0.90-bugfixes: Backporting [4244] for those using legacy Django with psycopg1
git-svn-id: http://code.djangoproject.com/svn/django/branches/0.90-bugfixes@4418 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
 django/core/db/backends/postgresql.py | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
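Review bot: The `year` lookup now reaches `db.get_date_extract_sql(lookup_type, ...)`, so every backend's implementation has to accept `'year'`; nothing in this hunk shows that, and it should be confirmed per backend before relying on the backport. The new form also swaps an index-friendly `BETWEEN` on the column for a function applied to the column, which a plain index on `field_name` typically cannot serve, so the reason deserves a comment in the `elif` branch, e.g. `# 'year' uses the extract form rather than BETWEEN so that datetime values on 31 December are matched; refs #1148` — the old `'%s-12-31'` upper bound removed in the fields.py hunk is presumably what excluded them, but that is inferred from the ticket reference, not shown here. Adjacent rather than new: the `'in'` branch emits `IN ()` for an empty `value`, which most engines reject as a syntax error, so an explicit empty-list check would be safer. `_get_where_clause` starts outside the hunk.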
diff --git a/django/core/db/backends/postgresql.py b/django/core/db/backends/postgresql.py
index b1b2d9cb52..fa587f01ca 100644
--- a/django/core/db/backends/postgresql.py
+++ b/django/core/db/backends/postgresql.py
@@ -9,6 +9,38 @@ import psycopg as Database
 DatabaseError = Database.DatabaseError
+def smart_basestring(s, charset):
+ if isinstance(s, unicode):
+ return s.encode(charset)
+ return s
+
+class UnicodeCursorWrapper(object):
+ """
+ A thin wrapper around psycopg cursors that allows them to accept Unicode
+ strings as params.
+
+ This is necessary because psycopg doesn't apply any DB quoting to
+ parameters that are Unicode strings. If a param is Unicode, this will
+ convert it to a bytestring using DEFAULT_CHARSET before passing it to
+ psycopg.
+ """
+ def __init__(self, cursor, charset):
+ self.cursor = cursor
+ self.charset = charset
+
+ def execute(self, sql, params=()):
+ return self.cursor.execute(sql, [smart_basestring(p, self.charset) for p in params])
+
+ def executemany(self, sql, param_list):
+ new_param_list = [tuple([smart_basestring(p, self.charset) for p in params]) for params in param_list]
+ return self.cursor.executemany(sql, new_param_list)
+
+ def __getattr__(self, attr):
+ if self.__dict__.has_key(attr):
+ return self.__dict__[attr]
+ else:
+ return getattr(self.cursor, attr)
+
 class DatabaseWrapper:
 def __init__(self):
 self.connection = None
@@ -33,6 +65,7 @@ class DatabaseWrapper:
 self.connection.set_isolation_level(1) # make transactions transparent to all cursors
 cursor = self.connection.cursor()
 cursor.execute("SET TIME ZONE %s", [TIME_ZONE])
+ cursor = UnicodeCursorWrapper(cursor, settings.DEFAULT_CHARSET)
 if DEBUG:
 return base.CursorDebugWrapper(cursor, self)
 return cursor
-- 2.34.1
From eb97c80010dc50d42cf3af7fe8aeaff22beb5b64 Mon Sep 17 00:00:00 2001
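Review bot: The Unicode-to-bytestring conversion in `UnicodeCursorWrapper` covers only `execute` and `executemany`; `__getattr__` forwards every other cursor method (`callproc`, for instance, if this psycopg provides it) to the raw cursor, so parameters sent that way still arrive as Unicode and, by the class docstring's own account, unquoted — the docstring should state that the guarantee is limited to those two entry points, and note that `sql` itself is passed through unencoded. The `if self.__dict__.has_key(attr)` branch in `__getattr__` can never be taken, since Python only calls `__getattr__` after normal lookup (which already finds instance attributes) has failed, so the method reduces to `return getattr(self.cursor, attr)`. `execute` walks `params` with `for p in params`, which would silently turn a dict of named parameters into its keys; if callers ever use named placeholders with this backend, a dict-aware branch is needed. `smart_basestring` has no docstring; a one-liner such as `"Encode s with charset if it is a unicode object; return anything else unchanged."` would do.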
From: James Bennett
Date: Tue, 30 Jan 2007 19:04:57 +0000
Subject: [PATCH 8/8] 0.90-bugfixes: fix for backport in [4418]
git-svn-id: http://code.djangoproject.com/svn/django/branches/0.90-bugfixes@4452 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
 django/core/db/backends/postgresql.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/django/core/db/backends/postgresql.py b/django/core/db/backends/postgresql.py
index fa587f01ca..98657e2358 100644
--- a/django/core/db/backends/postgresql.py
+++ b/django/core/db/backends/postgresql.py
@@ -47,7 +47,7 @@ class DatabaseWrapper:
 self.queries = []
 def cursor(self):
- from django.conf.settings import DATABASE_USER, DATABASE_NAME, DATABASE_HOST, DATABASE_PORT, DATABASE_PASSWORD, DEBUG, TIME_ZONE
+ from django.conf.settings import DATABASE_USER, DATABASE_NAME, DATABASE_HOST, DATABASE_PORT, DATABASE_PASSWORD, DEBUG, DEFAULT_CHARSET, TIME_ZONE
 if self.connection is None:
 if DATABASE_NAME == '':
 from django.core.exceptions import ImproperlyConfigured
@@ -65,7 +65,7 @@ class DatabaseWrapper:
 self.connection.set_isolation_level(1) # make transactions transparent to all cursors
 cursor = self.connection.cursor()
 cursor.execute("SET TIME ZONE %s", [TIME_ZONE])
- cursor = UnicodeCursorWrapper(cursor, settings.DEFAULT_CHARSET)
+ cursor = UnicodeCursorWrapper(cursor, DEFAULT_CHARSET)
 if DEBUG:
 return base.CursorDebugWrapper(cursor, self)
 return cursor
-- 2.34.1
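Review bot: The `SET TIME ZONE %s` execute on the line above the changed one still runs against the raw psycopg cursor, so its `TIME_ZONE` parameter bypasses the `smart_basestring` conversion the wrapper is there to apply; moving `cursor = UnicodeCursorWrapper(cursor, DEFAULT_CHARSET)` up one line so that it precedes `cursor.execute("SET TIME ZONE %s", [TIME_ZONE])` would route the settings value through the same path. If `TIME_ZONE` is always a plain bytestring in settings files this is only a consistency point, but the wrapper exists precisely because a Unicode parameter reaches psycopg unquoted, and a settings value is not a place to leave that open. The enclosing `cursor()` method begins in the first hunk and the rest of its body lies outside both.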