author: adam <adam@pkgsrc.org> 2010-09-09 13:34:04 +0000
committer: adam <adam@pkgsrc.org> 2010-09-09 13:34:04 +0000
commit: e5bca7f178f72dd240f8f2c75d1696a441b828b6 (patch)
tree: 4a7ec015aaff64d9f50945374814286c5731f612 /www/py-django
parent: 6ea7fd998ee05068e3908cd7fa32169d3136fedb (diff)
Changes 1.2.2:
As of the 1.2 release, the core Django framework includes a system, enabled by default, for detecting and preventing cross-site request forgery (CSRF) attacks against Django-powered applications. Previous Django releases provided a different, optionally-enabled system for the same purpose. The Django 1.2 CSRF protection system involves the generation of a random token, inserted as a hidden field in outgoing forms. The same value is also set in a cookie, and the cookie value and form value are compared on submission. The provided template tag for inserting the CSRF token into forms -- {% csrf_token %} -- explicitly trusts the cookie value, and displays it as-is. Thus, an attacker who is able to tamper with the value of the CSRF cookie can cause arbitrary content to be inserted, unescaped, into the outgoing HTML of the form, enabling cross-site scripting (XSS) attacks. This issue was first reported via a public ticket in Django's Trac instance; while being triaged it was then independently reported, with broader description, by Jeff Balogh of Mozilla.
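The flaw described in the commit message, as an added example that is not Django's code or part of this commit: a simplified model of a hidden-field renderer that trusts the CSRF cookie, next to one that escapes it and a check that rejects malformed cookie values. The function names, the 32-hex-character token format and the tampered cookie value are assumptions constructed for the illustration.

```python
import html
import re
import secrets
from html.parser import HTMLParser

# Assumption for this sketch: tokens are 32 lowercase hex characters.
TOKEN_RE = re.compile(r"[0-9a-f]{32}")
FIELD = "<input type='hidden' name='csrfmiddlewaretoken' value='%s' />"


def render_trusting(cookie_value):
    """Flawed pattern from the commit message: cookie value emitted as-is."""
    return FIELD % cookie_value


def render_escaped(cookie_value):
    """Output-side defence: HTML-escape the value, quotes included."""
    return FIELD % html.escape(cookie_value, quote=True)


def accept_cookie_token(cookie_value):
    """Input-side defence: keep only well-formed tokens, else issue a new one."""
    if cookie_value and TOKEN_RE.fullmatch(cookie_value):
        return cookie_value
    return secrets.token_hex(16)


class _AttrCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = attrs


def input_attributes(markup):
    """Parse markup with the stdlib HTML parser; return the <input> attributes."""
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return dict(parser.attrs)


# Constructed cookie value that tries to close the value attribute early.
TAMPERED = "x' data-injected='1"

if __name__ == "__main__":
    print(input_attributes(render_trusting(TAMPERED)))
    print(input_attributes(render_escaped(TAMPERED)))
```

With the trusting renderer the parser sees an extra `data-injected` attribute on the field; with the escaped renderer the whole cookie value stays inside `value`.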
Diffstat (limited to 'www/py-django')
-rw-r--r-- www/py-django/Makefile 4
-rw-r--r-- www/py-django/PLIST 39
-rw-r--r-- www/py-django/distinfo 8
3 files changed, 44 insertions, 7 deletions
diff --git a/www/py-django/Makefile b/www/py-django/Makefile
index 0126fe46b4a..b024a17d23a 100644
--- a/www/py-django/Makefile
+++ b/www/py-django/Makefile
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.25 2010/06/16 19:08:37 joerg Exp $
+# $NetBSD: Makefile,v 1.26 2010/09/09 13:34:04 adam Exp $
-DJANGOVERS= 1.2.1
+DJANGOVERS= 1.2.2
DISTNAME= Django-${DJANGOVERS}
PKGNAME= ${PYPKGPREFIX}-django-${DJANGOVERS}
CATEGORIES= www python
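Review bot: The DJANGOVERS change from 1.2.1 to 1.2.2 is a security update according to the commit message (XSS through the {% csrf_token %} tag), yet the log names no upstream advisory, ticket number or other identifier. Add that reference to the commit message so the fix can be matched against vulnerability records for the 1.2.1 package.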
diff --git a/www/py-django/PLIST b/www/py-django/PLIST
index 4228ea4dd21..f5556f77294 100644
--- a/www/py-django/PLIST
+++ b/www/py-django/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.16 2010/06/16 19:08:37 joerg Exp $
+@comment $NetBSD: PLIST,v 1.17 2010/09/09 13:34:04 adam Exp $
bin/django-admin.py
${PYSITELIB}/django/__init__.py
${PYSITELIB}/django/__init__.pyc
@@ -416,6 +416,16 @@ ${PYSITELIB}/django/conf/locale/mk/__init__.pyo
${PYSITELIB}/django/conf/locale/mk/formats.py
${PYSITELIB}/django/conf/locale/mk/formats.pyc
${PYSITELIB}/django/conf/locale/mk/formats.pyo
+${PYSITELIB}/django/conf/locale/ml/LC_MESSAGES/django.mo
+${PYSITELIB}/django/conf/locale/ml/LC_MESSAGES/django.po
+${PYSITELIB}/django/conf/locale/ml/LC_MESSAGES/djangojs.mo
+${PYSITELIB}/django/conf/locale/ml/LC_MESSAGES/djangojs.po
+${PYSITELIB}/django/conf/locale/ml/__init__.py
+${PYSITELIB}/django/conf/locale/ml/__init__.pyc
+${PYSITELIB}/django/conf/locale/ml/__init__.pyo
+${PYSITELIB}/django/conf/locale/ml/formats.py
+${PYSITELIB}/django/conf/locale/ml/formats.pyc
+${PYSITELIB}/django/conf/locale/ml/formats.pyo
${PYSITELIB}/django/conf/locale/mn/LC_MESSAGES/django.mo
${PYSITELIB}/django/conf/locale/mn/LC_MESSAGES/django.po
${PYSITELIB}/django/conf/locale/mn/LC_MESSAGES/djangojs.mo
@@ -1110,6 +1120,21 @@ ${PYSITELIB}/django/contrib/flatpages/middleware.pyo
${PYSITELIB}/django/contrib/flatpages/models.py
${PYSITELIB}/django/contrib/flatpages/models.pyc
${PYSITELIB}/django/contrib/flatpages/models.pyo
+${PYSITELIB}/django/contrib/flatpages/tests/__init__.py
+${PYSITELIB}/django/contrib/flatpages/tests/__init__.pyc
+${PYSITELIB}/django/contrib/flatpages/tests/__init__.pyo
+${PYSITELIB}/django/contrib/flatpages/tests/csrf.py
+${PYSITELIB}/django/contrib/flatpages/tests/csrf.pyc
+${PYSITELIB}/django/contrib/flatpages/tests/csrf.pyo
+${PYSITELIB}/django/contrib/flatpages/tests/middleware.py
+${PYSITELIB}/django/contrib/flatpages/tests/middleware.pyc
+${PYSITELIB}/django/contrib/flatpages/tests/middleware.pyo
+${PYSITELIB}/django/contrib/flatpages/tests/urls.py
+${PYSITELIB}/django/contrib/flatpages/tests/urls.pyc
+${PYSITELIB}/django/contrib/flatpages/tests/urls.pyo
+${PYSITELIB}/django/contrib/flatpages/tests/views.py
+${PYSITELIB}/django/contrib/flatpages/tests/views.pyc
+${PYSITELIB}/django/contrib/flatpages/tests/views.pyo
${PYSITELIB}/django/contrib/flatpages/urls.py
${PYSITELIB}/django/contrib/flatpages/urls.pyc
${PYSITELIB}/django/contrib/flatpages/urls.pyo
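Review bot: The new entries under django/contrib/flatpages/tests/ put test-only modules, including urls.py and views.py, into the installed site-packages tree. Confirm that shipping them is intended and that they are reachable only through the test runner; if not, exclude the tests directory at install time instead of listing it in PLIST.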
@@ -2139,8 +2164,20 @@ ${PYSITELIB}/django/contrib/sitemaps/management/commands/__init__.pyo
${PYSITELIB}/django/contrib/sitemaps/management/commands/ping_google.py
${PYSITELIB}/django/contrib/sitemaps/management/commands/ping_google.pyc
${PYSITELIB}/django/contrib/sitemaps/management/commands/ping_google.pyo
+${PYSITELIB}/django/contrib/sitemaps/models.py
+${PYSITELIB}/django/contrib/sitemaps/models.pyc
+${PYSITELIB}/django/contrib/sitemaps/models.pyo
${PYSITELIB}/django/contrib/sitemaps/templates/sitemap.xml
${PYSITELIB}/django/contrib/sitemaps/templates/sitemap_index.xml
+${PYSITELIB}/django/contrib/sitemaps/tests/__init__.py
+${PYSITELIB}/django/contrib/sitemaps/tests/__init__.pyc
+${PYSITELIB}/django/contrib/sitemaps/tests/__init__.pyo
+${PYSITELIB}/django/contrib/sitemaps/tests/basic.py
+${PYSITELIB}/django/contrib/sitemaps/tests/basic.pyc
+${PYSITELIB}/django/contrib/sitemaps/tests/basic.pyo
+${PYSITELIB}/django/contrib/sitemaps/tests/urls.py
+${PYSITELIB}/django/contrib/sitemaps/tests/urls.pyc
+${PYSITELIB}/django/contrib/sitemaps/tests/urls.pyo
${PYSITELIB}/django/contrib/sitemaps/views.py
${PYSITELIB}/django/contrib/sitemaps/views.pyc
${PYSITELIB}/django/contrib/sitemaps/views.pyo
diff --git a/www/py-django/distinfo b/www/py-django/distinfo
index 3936e294a7c..aa951b71469 100644
--- a/www/py-django/distinfo
+++ b/www/py-django/distinfo
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.13 2010/06/16 19:08:37 joerg Exp $
+$NetBSD: distinfo,v 1.14 2010/09/09 13:34:05 adam Exp $
-SHA1 (Django-1.2.1.tar.gz) = 1b5655f300d7333be06289451723dc5260a9944c
-RMD160 (Django-1.2.1.tar.gz) = 25904c6f450e88404256f951ee39cb6b39de5f76
-Size (Django-1.2.1.tar.gz) = 6248006 bytes
+SHA1 (Django-1.2.2.tar.gz) = f83f5c6d84a82637769996d16f183adb1c182b30
+RMD160 (Django-1.2.2.tar.gz) = 535a0bc9c6ba7ab6cbdc9c70bcc0b19df1e67716
+Size (Django-1.2.2.tar.gz) = 6304356 bytes
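Review bot: The new Django-1.2.2.tar.gz entries record only SHA1 and RMD160 digests plus the size, so the integrity of this security update rests on those two hashes. State in the commit message that the values were checked against the checksums published by upstream, and add a stronger digest line if the distinfo tooling supports one.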