Django security releases issued: 3.0.1, 2.2.9, and 1.11.27


Mariusz Felisiak

Dec 18, 2019, 4:23:35 AM
to django-d...@googlegroups.com, django-...@googlegroups.com, django...@googlegroups.com
Details are available on the Django project weblog:

https://www.djangoproject.com/weblog/2019/dec/18/security-releases/

Sam Willis

Dec 18, 2019, 5:23:58 AM
to Django developers (Contributions to Django itself)
Hi,

It looks to me like this has introduced a slight behaviour difference between 1.11 on Python 2.7 and on 3.x:

The release notes don't indicate what the difference in behaviour is between python 2 and 3.

I'm trying to follow the change and test cases but it looks like if you have two users 'mi...@example.org' and 'mık...@example.org' (which is highly unlikely anyway to happen legitimately) neither can reset their password anymore on py2?


I'm guessing this was found after the similar GitHub vulnerability was found?

Thanks for the hard work!

Markus Holtermann

Dec 18, 2019, 6:00:37 AM
to Django developers
Thanks for checking and asking!

On Python 2, the email address with "i without dot" isn't a valid email address according to the EmailValidator and thus shouldn't be in your database in the first place.

Cheers,

/Markus

Dirk Groten

Dec 18, 2019, 8:09:52 AM
to Django developers (Contributions to Django itself)
I've been looking in more detail into this issue, as some other Django packages are affected also by this issue. Now, when I run the tests that are provided with this fix using SQLite, the issue does not occur, whereas it does happen for PostgreSQL (I haven't tested for MySQL). Is it correct that in Postgres, `User.objects.filter(email__iexact='mık...@example.org')` will match a user with email "mi...@example.org" but SQLite won't find a match? And if so, why is that? Is it dependent on specific Postgres settings?

Carlton Gibson

Dec 18, 2019, 8:21:35 AM
to Django developers (Contributions to Django itself)
Hi Dirk.

You're correct, the issue doesn't appear to arise on SQLite. Pass on exactly why right now. Maybe there's some PostgreSQL setting that might avoid it but, in general, it's not dependent on specific PostgreSQL settings. 

Kind Regards,

Carlton

Mariusz Felisiak

Dec 18, 2019, 8:22:06 AM
to Django developers (Contributions to Django itself)
SQLite only does an exact match, so it's not affected by Unicode Case Mapping Collisions.
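To make the collision Dirk and Mariusz are discussing concrete, here is an added example (not code from Django or from anyone in this thread). It stands in for a case-insensitive database lookup with Python's `str.upper()`, which is an assumption: like the PostgreSQL behaviour described above, it maps both "i" and dotless "ı" to "I", so an `iexact`-style lookup returns both accounts; a second comparison using NFKC normalization plus `casefold()` (the identifier-comparison approach recommended in Unicode TR 36, and the kind of post-filter a fix needs) keeps only the genuine match.

```python
import unicodedata

# Constructed sample of stored addresses: two accounts whose local parts
# differ only by dotted "i" (U+0069) versus dotless "ı" (U+0131).
STORED_EMAILS = ["mik@example.org", "mık@example.org"]


def db_iexact(stored: str, submitted: str) -> bool:
    """Stand-in for a database case-insensitive equality such as
    UPPER(col) = UPPER(value). Using str.upper() here is an assumption;
    it maps both "i" and "ı" to "I", which is the case-mapping collision."""
    return stored.upper() == submitted.upper()


def unicode_ci_compare(s1: str, s2: str) -> bool:
    """Case-insensitive identifier comparison that does not merge "i" and
    "ı": NFKC-normalize, then casefold (casefold leaves "ı" unchanged)."""
    return (unicodedata.normalize("NFKC", s1).casefold()
            == unicodedata.normalize("NFKC", s2).casefold())


def loose_matches(submitted: str, stored=STORED_EMAILS) -> list:
    """Accounts a bare iexact-style lookup returns (includes the collision)."""
    return [e for e in stored if db_iexact(e, submitted)]


def safe_matches(submitted: str, stored=STORED_EMAILS) -> list:
    """Same lookup, then a second check so only the real owner survives."""
    return [e for e in loose_matches(submitted, stored)
            if unicode_ci_compare(submitted, e)]
```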

Hanne Moa

Dec 18, 2019, 8:22:43 AM
to django-d...@googlegroups.com
This depends on the collation that is used
<https://en.wikipedia.org/wiki/Unicode_collation_algorithm>. On a
system sorting everything as if it was Turkish, "ı" and "i" would be
considered two different letters, but I guess everywhere else they
would be merged into "i".