File 0004-1.5.x-Fixed-DoS-possibility-in-ModelMultip... of Package python-django.openSUSE_13.1_Update

Overview Repositories Revisions Requests Users Attributes Meta

File 0004-1.5.x-Fixed-DoS-possibility-in-ModelMultipleChoiceFi.patch of Package python-django.openSUSE_13.1_Update

From 8d6dfa690412465cf41b2524d84d727e121a8576 Mon Sep 17 00:00:00 2001
From: Tim Graham <timograham@gmail.com>
Date: Thu, 11 Dec 2014 08:31:03 -0500
Subject: [PATCH 4/4] [1.5.x] Fixed DoS possibility in
 ModelMultipleChoiceField. (bnc#913055, CVE-2015-0222)

This is a security fix.
Database denial-of-service with ``ModelMultipleChoiceField``.
Full description <https://www.djangoproject.com/weblog/2015/jan/13/security/>

Thanks Keryn Knight for the report and initial patch.

cherry-picked-from: d7a06ee7e571b6dad07c0f5b519b1db02e2a476c
by aplanas

Conflicts:
	django/forms/models.py
---
 django/forms/models.py                | 25 ++++++++++++++++++++++---
 tests/modeltests/model_forms/tests.py | 21 +++++++++++++++++++++
 2 files changed, 43 insertions(+), 3 deletions(-)

diff --git a/django/forms/models.py b/django/forms/models.py
index 1e7888a..f0a6dfc 100644
--- a/django/forms/models.py
+++ b/django/forms/models.py
@@ -1039,7 +1039,29 @@ class ModelMultipleChoiceField(ModelChoiceField):
             return self.queryset.none()
         if not isinstance(value, (list, tuple)):
             raise ValidationError(self.error_messages['list'])
+        qs = self._check_values(value)
+        # Since this overrides the inherited ModelChoiceField.clean
+        # we run custom validators here
+        self.run_validators(value)
+        return qs
+
+    def _check_values(self, value):
+        """
+        Given a list of possible PK values, returns a QuerySet of the
+        corresponding objects. Raises a ValidationError if a given value is
+        invalid (not a valid PK, not in the queryset, etc.)
+        """
         key = self.to_field_name or 'pk'
+        # deduplicate given values to avoid creating many querysets or
+        # requiring the database backend deduplicate efficiently.
+        try:
+            value = frozenset(value)
+        except TypeError:
+            # list of lists isn't hashable, for example
+            raise ValidationError(
+                self.error_messages['list'],
+                code='list',
+            )
         for pk in value:
             try:
                 self.queryset.filter(**{key: pk})
@@ -1050,9 +1072,6 @@ class ModelMultipleChoiceField(ModelChoiceField):
         for val in value:
             if force_text(val) not in pks:
                 raise ValidationError(self.error_messages['invalid_choice'] % val)
-        # Since this overrides the inherited ModelChoiceField.clean
-        # we run custom validators here
-        self.run_validators(value)
         return qs
 
     def prepare_value(self, value):
diff --git a/tests/modeltests/model_forms/tests.py b/tests/modeltests/model_forms/tests.py
index d8f2f76..424f971 100644
--- a/tests/modeltests/model_forms/tests.py
+++ b/tests/modeltests/model_forms/tests.py
@@ -1150,6 +1150,27 @@ class OldFormForXTests(TestCase):
 </select></p>
 <p><label for="id_age">Age:</label> <input type="text" name="age" value="65" id="id_age" /></p>''' % (w_woodward.pk, w_bernstein.pk, bw.pk, w_royko.pk))
 
+    def test_show_hidden_initial_changed_queries_efficiently(self):
+        class WriterForm(forms.Form):
+            persons = forms.ModelMultipleChoiceField(
+                show_hidden_initial=True, queryset=Writer.objects.all())
+
+        writers = (Writer.objects.create(name=str(x)) for x in range(0, 50))
+        writer_pks = tuple(x.pk for x in writers)
+        form = WriterForm(data={'initial-persons': writer_pks})
+        with self.assertNumQueries(1):
+            self.assertTrue(form.has_changed())
+
+    def test_clean_does_deduplicate_values(self):
+        class WriterForm(forms.Form):
+            persons = forms.ModelMultipleChoiceField(queryset=Writer.objects.all())
+
+        person1 = Writer.objects.create(name="Person 1")
+        form = WriterForm(data={})
+        queryset = form.fields['persons'].clean([str(person1.pk)] * 50)
+        sql, params = queryset.query.sql_with_params()
+        self.assertEqual(len(params), 1)
+
     def test_file_field(self):
         # Test conditions when files is either not given or empty.
 
-- 
1.8.1.4

Places

File 0004-1.5.x-Fixed-DoS-possibility-in-ModelMultipleChoiceFi.patch of Package python-django.openSUSE_13.1_Update

Places