Red Hat Bugzilla – Attachment 895332 Details for
Bug 1097500
CVE-2014-1418 Django: cached data possibly served to the wrong session
[patch]
upstream fix
drop_fix_ie_for_vary.diff (text/plain), 5.70 KB, created by
Murray McAllister
on 2014-05-14 03:20:07 UTC
Description:
upstream fix
Filename:
MIME Type:
Creator:
Murray McAllister
Created:
2014-05-14 03:20:07 UTC
Size:
5.70 KB
patch
obsolete
>diff --git a/django/core/handlers/base.py b/django/core/handlers/base.py
>index 5d6b364..ffc48a0 100644
>--- a/django/core/handlers/base.py
>+++ b/django/core/handlers/base.py
>@@ -23,8 +23,6 @@ class BaseHandler(object):
> response_fixes = [
> http.fix_location_header,
> http.conditional_content_removal,
>- http.fix_IE_for_attach,
>- http.fix_IE_for_vary,
> ]
> 
> def __init__(self):
>diff --git a/django/http/__init__.py b/django/http/__init__.py
>index 5895c5e..fc5bd18 100644
>--- a/django/http/__init__.py
>+++ b/django/http/__init__.py
>@@ -6,8 +6,7 @@ from django.http.response import (HttpResponse, StreamingHttpResponse,
> HttpResponseNotModified, HttpResponseBadRequest, HttpResponseForbidden,
> HttpResponseNotFound, HttpResponseNotAllowed, HttpResponseGone,
> HttpResponseServerError, Http404, BadHeaderError, JsonResponse)
>-from django.http.utils import (fix_location_header,
>- conditional_content_removal, fix_IE_for_attach, fix_IE_for_vary)
>+from django.http.utils import fix_location_header, conditional_content_removal
> 
> __all__ = [
> 'SimpleCookie', 'parse_cookie', 'HttpRequest', 'QueryDict',
>@@ -17,5 +16,5 @@ __all__ = [
> 'HttpResponseBadRequest', 'HttpResponseForbidden', 'HttpResponseNotFound',
> 'HttpResponseNotAllowed', 'HttpResponseGone', 'HttpResponseServerError',
> 'Http404', 'BadHeaderError', 'fix_location_header', 'JsonResponse',
>- 'conditional_content_removal', 'fix_IE_for_attach', 'fix_IE_for_vary',
>+ 'conditional_content_removal',
> ]
>diff --git a/django/http/utils.py b/django/http/utils.py
>index 68011ab..90155cd 100644
>--- a/django/http/utils.py
>+++ b/django/http/utils.py
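Review bot: Dropping `fix_IE_for_attach` and `fix_IE_for_vary` from the `django.http.utils` import and from `__all__` in the `django/http/__init__.py` hunk removes two names that were exported as public API, so downstream code that imported them by name, or that presumably copied the default `response_fixes` list (the `base.py` hunk in this same file section) into its own handler subclass, will now fail at import time, and the patch carries neither a deprecation shim nor any note of that break. The removal itself is the intended fix and should stay as is: judging from the bug title and the deleted body of `fix_IE_for_vary` in the `utils.py` hunk, the old helper deleted the `Vary` header from responses to IE-like user agents, which is what let a shared cache hand one session's response to another. What is missing is a why-comment next to the shortened `response_fixes` list, e.g. `# fix_IE_for_attach/fix_IE_for_vary were removed on purpose: stripping Vary let caches serve one session's response to another (CVE-2014-1418).`, so a later maintainer does not restore them from an older tree. The `tests/utils_tests/test_http.py` hunk only deletes the old regression test, leaving nothing that pins the new behaviour; a short test asserting that a response to a request with `HTTP_USER_AGENT='MSIE'` still carries its `Vary: Cookie` header after the handler's fixes run would guard against the header being stripped again.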
>@@ -39,58 +39,3 @@ def conditional_content_removal(request, response):
> else:
> response.content = b''
> return response
>-
>-
>-def fix_IE_for_attach(request, response):
>- """
>- This function will prevent Django from serving a Content-Disposition header
>- while expecting the browser to cache it (only when the browser is IE). This
>- leads to IE not allowing the client to download.
>- """
>- useragent = request.META.get('HTTP_USER_AGENT', '').upper()
>- if 'MSIE' not in useragent and 'CHROMEFRAME' not in useragent:
>- return response
>-
>- offending_headers = ('no-cache', 'no-store')
>- if response.has_header('Content-Disposition'):
>- try:
>- del response['Pragma']
>- except KeyError:
>- pass
>- if response.has_header('Cache-Control'):
>- cache_control_values = [value.strip() for value in
>- response['Cache-Control'].split(',')
>- if value.strip().lower() not in offending_headers]
>-
>- if not len(cache_control_values):
>- del response['Cache-Control']
>- else:
>- response['Cache-Control'] = ', '.join(cache_control_values)
>-
>- return response
>-
>-
>-def fix_IE_for_vary(request, response):
>- """
>- This function will fix the bug reported at
>- http://support.microsoft.com/kb/824847/en-us?spid=8722&sid=global
>- by clearing the Vary header whenever the mime-type is not safe
>- enough for Internet Explorer to handle. Poor thing.
>- """
>- useragent = request.META.get('HTTP_USER_AGENT', '').upper()
>- if 'MSIE' not in useragent and 'CHROMEFRAME' not in useragent:
>- return response
>-
>- # These mime-types that are decreed "Vary-safe" for IE:
>- safe_mime_types = ('text/html', 'text/plain', 'text/sgml')
>-
>- # The first part of the Content-Type field will be the MIME type,
>- # everything after ';', such as character-set, can be ignored.
>- mime_type = response.get('Content-Type', '').partition(';')[0]
>- if mime_type not in safe_mime_types:
>- try:
>- del response['Vary']
>- except KeyError:
>- pass
>-
>- return response
>diff --git a/tests/utils_tests/test_http.py b/tests/utils_tests/test_http.py
>index 9f6bcce..6a91bdf 100644
>--- a/tests/utils_tests/test_http.py
>+++ b/tests/utils_tests/test_http.py
>@@ -67,50 +67,6 @@ class TestUtilsHttp(unittest.TestCase):
> ]
> self.assertTrue(result in acceptable_results)
> 
>- def test_fix_IE_for_vary(self):
>- """
>- Regression for #16632.
>-
>- `fix_IE_for_vary` shouldn't crash when there's no Content-Type header.
>- """
>-
>- # functions to generate responses
>- def response_with_unsafe_content_type():
>- r = HttpResponse(content_type="text/unsafe")
>- r['Vary'] = 'Cookie'
>- return r
>-
>- def no_content_response_with_unsafe_content_type():
>- # 'Content-Type' always defaulted, so delete it
>- r = response_with_unsafe_content_type()
>- del r['Content-Type']
>- return r
>-
>- # request with & without IE user agent
>- rf = RequestFactory()
>- request = rf.get('/')
>- ie_request = rf.get('/', HTTP_USER_AGENT='MSIE')
>-
>- # not IE, unsafe_content_type
>- response = response_with_unsafe_content_type()
>- utils.fix_IE_for_vary(request, response)
>- self.assertTrue('Vary' in response)
>-
>- # IE, unsafe_content_type
>- response = response_with_unsafe_content_type()
>- utils.fix_IE_for_vary(ie_request, response)
>- self.assertFalse('Vary' in response)
>-
>- # not IE, no_content
>- response = no_content_response_with_unsafe_content_type()
>- utils.fix_IE_for_vary(request, response)
>- self.assertTrue('Vary' in response)
>-
>- # IE, no_content
>- response = no_content_response_with_unsafe_content_type()
>- utils.fix_IE_for_vary(ie_request, response)
>- self.assertFalse('Vary' in response)
>-
> def test_base36(self):
> # reciprocity works
> for n in [0, 1, 1000, 1000000]: