
Commit 4844d86

intgrtimgraham
authored andcommitted
[1.9.x] Fixed CVE-2016-9013 -- Generated a random database user password when running tests on Oracle.
This is a security fix.
1 parent 2ed85c1 commit 4844d86

4 files changed

+46
-5
lines changed

4 files changed

+46
-5
lines changed

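--- a/django/db/backends/oracle/creation.py
+++ b/django/db/backends/oracle/creation.py
@@ -4,11 +4,11 @@
 from django.conf import settings
 from django.db.backends.base.creation import BaseDatabaseCreation
 from django.db.utils import DatabaseError
+from django.utils.crypto import get_random_string
 from django.utils.functional import cached_property
 from django.utils.six.moves import input
 
 TEST_DATABASE_PREFIX = 'test_'
-PASSWORD = 'Im_a_lumberjack'
 
 
 class DatabaseCreation(BaseDatabaseCreation):
@@ -223,7 +223,11 @@ def _create_test_user(self, cursor, parameters, verbosity, keepdb=False):
         ]
         # Ignore "user already exists" error when keepdb is on
         acceptable_ora_err = 'ORA-01920' if keepdb else None
-        self._execute_allow_fail_statements(cursor, statements, parameters, verbosity, acceptable_ora_err)
+        success = self._execute_allow_fail_statements(cursor, statements, parameters, verbosity, acceptable_ora_err)
+        # If the password was randomly generated, change the user accordingly.
+        if not success and self._test_settings_get('PASSWORD') is None:
+            set_password = "ALTER USER %(user)s IDENTIFIED BY %(password)s"
+            self._execute_statements(cursor, [set_password], parameters, verbosity)
         # Most test-suites can be run without the create-view privilege. But some need it.
         extra = "GRANT CREATE VIEW TO %(user)s"
         success = self._execute_allow_fail_statements(cursor, [extra], parameters, verbosity, 'ORA-01031')
@@ -298,7 +302,7 @@ def _test_settings_get(self, key, default=None, prefixed=None):
         """
         settings_dict = self.connection.settings_dict
         val = settings_dict['TEST'].get(key, default)
-        if val is None:
+        if val is None and prefixed:
             val = TEST_DATABASE_PREFIX + settings_dict[prefixed]
         return val
 
@@ -315,7 +319,11 @@ def _test_database_user(self):
         return self._test_settings_get('USER', prefixed='USER')
 
     def _test_database_passwd(self):
-        return self._test_settings_get('PASSWORD', default=PASSWORD)
+        password = self._test_settings_get('PASSWORD')
+        if password is None and self._test_user_create():
+            # Oracle passwords are limited to 30 chars and can't contain symbols.
+            password = get_random_string(length=30)
+        return password
 
     def _test_database_tblspace(self):
         return self._test_settings_get('TBLSPACE', prefixed='USER')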
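Review bot: The new `ALTER USER %(user)s IDENTIFIED BY %(password)s` statement interpolates the generated password unquoted, and if `get_random_string(length=30)` uses its default letters-plus-digits alphabet, about one run in six produces a password that starts with a digit, which Oracle does not accept in an unquoted `IDENTIFIED BY` clause. Quote it, `set_password = 'ALTER USER %(user)s IDENTIFIED BY "%(password)s"'`, and check that the `CREATE USER` entry in `statements`, which begins before this hunk, gets the same treatment. Once quoted, the alphanumeric alphabet is the only thing keeping this string-built DDL injection-free, so the comment at the `get_random_string` call should say so, e.g. `# Alphanumeric only: the value is interpolated unescaped into CREATE/ALTER USER DDL.`, before someone widens the alphabet. Separately, `_test_database_passwd` returns a fresh random value on every call, so every statement and connection in a run has to take the password from the single `parameters` dict rather than calling the method again; that constraint is worth a line in its docstring. `_create_test_user` starts outside the hunk.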

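--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -814,7 +814,12 @@ Default: ``None``
 This is an Oracle-specific setting.
 
 The password to use when connecting to the Oracle database that will be used
-when running tests. If not provided, Django will use a hardcoded default value.
+when running tests. If not provided, Django will generate a random password.
+
+.. versionchanged:: 1.9.11
+
+    Older versions used a hardcoded default password. This was also changed
+    in 1.8.16 to fix possible security implications.
 
 .. setting:: TEST_TBLSPACE
 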
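--- a/docs/releases/1.8.16.txt
+++ b/docs/releases/1.8.16.txt
@@ -5,3 +5,17 @@ Django 1.8.16 release notes
 *November 1, 2016*
 
 Django 1.8.16 fixes two security issues in 1.8.15.
+
+User with hardcoded password created when running tests on Oracle
+=================================================================
+
+When running tests with an Oracle database, Django creates a temporary database
+user. In older versions, if a password isn't manually specified in the database
+settings ``TEST`` dictionary, a hardcoded password is used. This could allow
+an attacker with network access to the database server to connect.
+
+This user is usually dropped after the test suite completes, but not when using
+the ``manage.py test --keepdb`` option or if the user has an active session
+(such as an attacker's connection).
+
+A randomly generated password is now used for each test run.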

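--- a/docs/releases/1.9.11.txt
+++ b/docs/releases/1.9.11.txt
@@ -5,3 +5,17 @@ Django 1.9.11 release notes
 *November 1, 2016*
 
 Django 1.9.11 fixes two security issues in 1.9.10.
+
+User with hardcoded password created when running tests on Oracle
+=================================================================
+
+When running tests with an Oracle database, Django creates a temporary database
+user. In older versions, if a password isn't manually specified in the database
+settings ``TEST`` dictionary, a hardcoded password is used. This could allow
+an attacker with network access to the database server to connect.
+
+This user is usually dropped after the test suite completes, but not when using
+the ``manage.py test --keepdb`` option or if the user has an active session
+(such as an attacker's connection).
+
+A randomly generated password is now used for each test run.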
