+31
-5
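--- a/PATH-NOT-IN-SOURCE-1
+++ b/PATH-NOT-IN-SOURCE-1
@@ -4,10 +4,10 @@
 from django.conf import settings
 from django.db.backends.base.creation import BaseDatabaseCreation
 from django.db.utils import DatabaseError
+from django.utils.crypto import get_random_string
 from django.utils.six.moves import input
 
 TEST_DATABASE_PREFIX = 'test_'
-PASSWORD = 'Im_a_lumberjack'
 
 
 class DatabaseCreation(BaseDatabaseCreation):
@@ -188,7 +188,11 @@ def _create_test_user(self, cursor, parameters, verbosity, keepdb=False):
 ]
 # Ignore "user already exists" error when keepdb is on
 acceptable_ora_err = 'ORA-01920' if keepdb else None
-self._execute_allow_fail_statements(cursor, statements, parameters, verbosity, acceptable_ora_err)
+success = self._execute_allow_fail_statements(cursor, statements, parameters, verbosity, acceptable_ora_err)
+# If the password was randomly generated, change the user accordingly.
+if not success and self._test_settings_get('PASSWORD') is None:
+set_password = "ALTER USER %(user)s IDENTIFIED BY %(password)s"
+self._execute_statements(cursor, [set_password], parameters, verbosity)
 # Most test-suites can be run without the create-view privilege. But some need it.
 extra = "GRANT CREATE VIEW TO %(user)s"
 success = self._execute_allow_fail_statements(cursor, [extra], parameters, verbosity, 'ORA-01031')
@@ -263,7 +267,7 @@ def _test_settings_get(self, key, default=None, prefixed=None):
 """
 settings_dict = self.connection.settings_dict
 val = settings_dict['TEST'].get(key, default)
-if val is None:
+if val is None and prefixed:
 val = TEST_DATABASE_PREFIX + settings_dict[prefixed]
 return val
 
@@ -280,7 +284,11 @@ def _test_database_user(self):
 return self._test_settings_get('USER', prefixed='USER')
 
 def _test_database_passwd(self):
-return self._test_settings_get('PASSWORD', default=PASSWORD)
+password = self._test_settings_get('PASSWORD')
+if password is None and self._test_user_create():
+# Oracle passwords are limited to 30 chars and can't contain symbols.
+password = get_random_string(length=30)
+return password
 
 def _test_database_tblspace(self):
 return self._test_settings_get('TBLSPACE', prefixed='USER')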
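Review bot: The value returned by `get_random_string(length=30)` in `_test_database_passwd` is later spliced unquoted into `ALTER USER %(user)s IDENTIFIED BY %(password)s` (and presumably into the CREATE USER statements above the second hunk), so the fix is only safe because the helper's default alphabet is letters and digits; the comment on the preceding line records the Oracle constraint but not this dependency. Pin the alphabet at the call site rather than relying on the default, `password = get_random_string(length=30, allowed_chars=string.ascii_letters + string.digits)`, with `import string` added to the import block in the first hunk. Separately, every call generates a fresh value, so the method has to be called exactly once per run with the result carried in `parameters`; if any caller outside this hunk consults it a second time it would see a different password, which is worth guarding by memoizing the generated value on `self`. The enclosing class continues outside the hunk.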
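--- a/PATH-NOT-IN-SOURCE-2
+++ b/PATH-NOT-IN-SOURCE-2
@@ -773,7 +773,11 @@ Default: ``None``
 This is an Oracle-specific setting.
 
 The password to use when connecting to the Oracle database that will be used
-when running tests. If not provided, Django will use a hardcoded default value.
+when running tests. If not provided, Django will generate a random password.
+
+.. versionchanged:: 1.8.16
+
+Older versions used a hardcoded default password.
 
 .. setting:: TEST_TBLSPACE
 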
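--- a/PATH-NOT-IN-SOURCE-3
+++ b/PATH-NOT-IN-SOURCE-3
@@ -5,3 +5,17 @@ Django 1.8.16 release notes
 *November 1, 2016*
 
 Django 1.8.16 fixes two security issues in 1.8.15.
+
+User with hardcoded password created when running tests on Oracle
+=================================================================
+
+When running tests with an Oracle database, Django creates a temporary database
+user. In older versions, if a password isn't manually specified in the database
+settings ``TEST`` dictionary, a hardcoded password is used. This could allow
+an attacker with network access to the database server to connect.
+
+This user is usually dropped after the test suite completes, but not when using
+the ``manage.py test --keepdb`` option or if the user has an active session
+(such as an attacker's connection).
+
+A randomly generated password is now used for each test run.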