public inbox for git-commits@fedoraproject.org
From: Michel Lind <salimma@fedoraproject.org>
To: git-commits@fedoraproject.org
Subject: [rpms/python-django4.2] epel9: Backport fix for CVE-2026-35192 (low): Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST
Date: Sat, 06 Jun 2026 17:34:38 GMT
Message-ID: <178076727824.1.9273745047371242818.rpms-python-django4.2-0fb45c56eca0@fedoraproject.org>

            A new commit has been pushed.

            Repo   : rpms/python-django4.2
            Branch : epel9
            Commit : 0fb45c56eca060e84cf4b776044e7a2389246ea3
            Author : Michel Lind <salimma@fedoraproject.org>
            Date   : 2026-06-06T18:29:48+01:00
            Stats  : +96/-0 in 3 file(s)
            URL    : https://src.fedoraproject.org/rpms/python-django4.2/c/0fb45c56eca060e84cf4b776044e7a2389246ea3?branch=epel9

            Log:
            Backport fix for CVE-2026-35192 (low): Session fixation via public cached pages and SESSION_SAVE_EVERY_REQUEST

Signed-off-by: Michel Lind <salimma@fedoraproject.org>

---
diff --git a/backport-CVE-2026-35192.diff b/backport-CVE-2026-35192.diff
new file mode 100644
index 0000000..45683fa
--- /dev/null
+++ b/backport-CVE-2026-35192.diff
@@ -0,0 +1,92 @@
+From 47cf968c125e3fab317e10fe150ec479e745f995 Mon Sep 17 00:00:00 2001
+From: Jake Howard <git@theorangeone.net>
+Date: Wed, 1 Apr 2026 18:21:30 +0200
+Subject: [PATCH] [5.2.x] Fixed CVE-2026-35192 -- Ensured Vary header is sent
+ when setting session cookie with SESSION_SAVE_EVERY_REQUEST=True.
+
+Thank you Jacob Walls and Natalia Bidart for reviews.
+
+Backport of 7f6e9b55130d5158804c0acbc0b24ccb7422ed82 from main.
+---
+ django/contrib/sessions/middleware.py | 11 ++++++++---
+ docs/releases/5.2.14.txt              | 11 +++++++++++
+ tests/sessions_tests/tests.py         | 28 +++++++++++++++++++++++++++
+ 3 files changed, 47 insertions(+), 3 deletions(-)
+
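Review bot: the diffstat carried inside the embedded patch does not match its contents: it lists docs/releases/5.2.14.txt (11 insertions) and "3 files changed, 47 insertions(+), 3 deletions(-)", but only the django/contrib/sessions/middleware.py and tests/sessions_tests/tests.py sections follow, so the release-note hunk was dropped for the 4.2 backport. Either trim the stat lines to the two files actually present or add a line under "Backport of 7f6e9b55130d5158804c0acbc0b24ccb7422ed82 from main." saying the 5.2.14 release note was intentionally omitted, so whoever next rebases this file does not go looking for a missing hunk.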
+--- a/django/contrib/sessions/middleware.py
++++ b/django/contrib/sessions/middleware.py
+@@ -40,10 +40,11 @@ class SessionMiddleware(MiddlewareMixin)
+                 domain=settings.SESSION_COOKIE_DOMAIN,
+                 samesite=settings.SESSION_COOKIE_SAMESITE,
+             )
+-            patch_vary_headers(response, ("Cookie",))
++            need_vary_cookie = True
+         else:
+-            if accessed:
+-                patch_vary_headers(response, ("Cookie",))
++            # If the session was accessed, it must be varied on, regardless of
++            # whether it was modified or will be saved.
++            need_vary_cookie = accessed
+             if (modified or settings.SESSION_SAVE_EVERY_REQUEST) and not empty:
+                 if request.session.get_expire_at_browser_close():
+                     max_age = None
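Review bot: this hunk on its own is behaviour-preserving (both immediate `patch_vary_headers(response, ("Cookie",))` calls become deferred `need_vary_cookie` assignments), so the security fix lives entirely in the next hunk. Because the spec applies this as a fuzzed patch against 4.2 while the `@@ -40,10 +40,11 @@` offsets come from 5.2.x, a partial apply that lands this hunk but not the next one would still build and pass the pre-existing tests with the CVE open. Check the build log for both hunks and make sure the new `test_save_every_request_with_non_empty_session_renews_session_cookie` test is not caught by the Django-skip-flaky-tests.diff patch listed later in the spec, since that test is the only thing that would catch such a partial apply.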
+@@ -74,4 +75,8 @@ class SessionMiddleware(MiddlewareMixin)
+                         httponly=settings.SESSION_COOKIE_HTTPONLY or None,
+                         samesite=settings.SESSION_COOKIE_SAMESITE,
+                     )
++                    # With a session cookie set, it must be varied on.
++                    need_vary_cookie = True
++        if need_vary_cookie:
++            patch_vary_headers(response, ("Cookie",))
+         return response
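Review bot: the comment "With a session cookie set, it must be varied on." states the rule but not the reason, and this is the line that closes the CVE; suggest spelling out that a response carrying `Set-Cookie` for a session id without `Vary: Cookie` can be stored by a shared cache and replayed to every later client, handing them all the same session id, which is the fixation named in the subject. Indentation looks right: `if need_vary_cookie:` sits at the same eight-space level as the `else:` in the previous hunk, so it runs on every path that reaches `return response`, and both the `empty` branch and the `else` branch assign the flag before it is read.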
+--- a/tests/sessions_tests/tests.py
++++ b/tests/sessions_tests/tests.py
+@@ -676,6 +676,7 @@ class SessionMiddlewareTests(TestCase):
+         # Handle the response through the middleware
+         response = middleware(request)
+         self.assertIs(response.cookies[settings.SESSION_COOKIE_NAME]["secure"], True)
++        self.assertEqual(response.headers["Vary"], "Cookie")
+ 
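Review bot: the `Vary` assertions added to `test_secure_session_cookie` here and to the HttpOnly test in the next hunk would already have passed before the fix, since those tests drive a response that touches the session and so hit the `accessed` path; they are guards for the existing behaviour, not regression tests for CVE-2026-35192. That is fine to keep, but the commit should not be read as having three tests for the CVE: only the new SESSION_SAVE_EVERY_REQUEST test below exercises the untouched-session case.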
+     @override_settings(SESSION_COOKIE_HTTPONLY=True)
+     def test_httponly_session_cookie(self):
+@@ -816,6 +817,7 @@ class SessionMiddlewareTests(TestCase):
+             ),
+             str(response.cookies[settings.SESSION_COOKIE_NAME]),
+         )
++        self.assertEqual(response.headers["Vary"], "Cookie")
+ 
+     def test_flush_empty_without_session_cookie_doesnt_set_cookie(self):
+         def response_ending_session(request):
+@@ -833,6 +835,32 @@ class SessionMiddlewareTests(TestCase):
+         # The session is accessed so "Vary: Cookie" should be set.
+         self.assertEqual(response.headers["Vary"], "Cookie")
+ 
++    @override_settings(SESSION_SAVE_EVERY_REQUEST=True)
++    def test_save_every_request_with_non_empty_session_renews_session_cookie(self):
++        request = self.request_factory.get("/")
++        middleware = SessionMiddleware(self.get_response_touching_session)
++
++        # Make sure the request has a session.
++        middleware(request)
++
++        # A cookie should be set.
++        self.assertIs(request.session.is_empty(), False)
++        self.assertEqual(request.session["hello"], "world")
++
++        request.COOKIES[settings.SESSION_COOKIE_NAME] = request.session.session_key
++
++        def simple_view(request):
++            return HttpResponse("Session test")
++
++        middleware = SessionMiddleware(simple_view)
++        response = middleware(request)
++
++        # A cookie should be set because SESSION_SAVE_EVERY_REQUEST=True,
++        # even though the session wasn't touched.
++        self.assertIn(settings.SESSION_COOKIE_NAME, response.cookies)
++        # There's a session, so also Vary on it.
++        self.assertEqual(response.headers["Vary"], "Cookie")
++
+     def test_empty_session_saved(self):
+         """
+         If a session is emptied of data but still has a key, it should still
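Review bot: the comment "A cookie should be set." above `self.assertIs(request.session.is_empty(), False)` does not match what is asserted: the two assertions check the session contents ("hello" == "world"), and the response from the first `middleware(request)` call is discarded, so no cookie is ever inspected there. Either assert on that first response's cookies or reword the comment to "The session should be populated." Since this is the one test that exercises the CVE path (second request through `simple_view`, which never touches the session, with `SESSION_SAVE_EVERY_REQUEST=True`), a docstring naming CVE-2026-35192 and stating that the final `Vary` assertion is the one that failed before the fix would make the test's purpose clear to anyone later asked whether it is safe to skip.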

diff --git a/python-django4.2.spec b/python-django4.2.spec
index e7bfad8..c15200e 100644
--- a/python-django4.2.spec
+++ b/python-django4.2.spec
@@ -35,6 +35,8 @@ Patch:          django-4.2.22-revert-pyproject-conversion.diff
 # python 3.13 - argparse change https://github.com/python/cpython/commit/c4a2e8a2c5188c3288d57b80852e92c83f46f6f3
 # backport (fuzzed patch) for https://github.com/django/django/commit/3426a5c33c36266af42128ee9eca4921e68ea876.patch
 Patch:          backport-3426a5c33c36266af42128ee9eca4921e68ea876.patch
+# backport (fuzzed patch) for CVE-2026-35192 from https://github.com/django/django/commit/47cf968c125e3fab317e10fe150ec479e745f995
+Patch:          backport-CVE-2026-35192.diff
 # skip flaky tests
 Patch:          Django-skip-flaky-tests.diff
 
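Review bot: the spec change is the single `Patch:` line plus its comment; there is no `Release` bump and no `%changelog` entry anywhere in this commit (+96/-0 across three files, of which 92 lines are the new patch file). If the package is built with rpmautospec the commit log "Backport fix for CVE-2026-35192 (low): ..." becomes the changelog entry and this is fine; otherwise a rebuild will ship under the previous NEVR and the CVE fix will be invisible to anyone comparing package versions. Worth stating which it is in the commit log.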

diff --git a/series b/series
index 2fe34c8..903d33c 100644
--- a/series
+++ b/series
@@ -1,4 +1,6 @@
 django-4.2.22-revert-setuptools-bump.diff
 django-4.2.22-revert-pyproject-conversion.diff
 backport-3426a5c33c36266af42128ee9eca4921e68ea876.patch
+backport-CVE-2026-35192.diff
 Django-skip-flaky-unicode-tests.diff
+
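Review bot: two things in the `series` hunk. The trailing `+` line adds an empty line at the end of the file, which looks unintentional and should be dropped. More importantly, the last entry here reads `Django-skip-flaky-unicode-tests.diff` while the spec's final `Patch:` line in the previous hunk reads `Django-skip-flaky-tests.diff`; the two lists disagree on the file name, so one of them is stale and the patch sequence applied by quilt and by rpmbuild may differ. Reconcile the names (and the order) before relying on either list to reproduce the build.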
