2013-08-13 16:16:30 +00:00
|
|
|
==========================
|
|
|
|
Django 1.4.6 release notes
|
|
|
|
==========================
|
|
|
|
|
|
|
|
*August 13, 2013*
|
|
|
|
|
|
|
|
Django 1.4.6 fixes one security issue present in previous Django releases in
|
|
|
|
the 1.4 series, as well as one other bug.
|
|
|
|
|
|
|
|
This is the sixth bugfix/security release in the Django 1.4 series.
|
|
|
|
|
|
|
|
Mitigated possible XSS attack via user-supplied redirect URLs
|
2016-01-03 10:56:22 +00:00
|
|
|
=============================================================
|
2013-08-13 16:16:30 +00:00
|
|
|
|
|
|
|
Django relies on user input in some cases (e.g.
|
2017-09-02 23:24:18 +00:00
|
|
|
``django.contrib.auth.views.login()``, ``django.contrib.comments``, and
|
2013-08-13 16:16:30 +00:00
|
|
|
:doc:`i18n </topics/i18n/index>`) to redirect the user to an "on success" URL.
|
|
|
|
The security checks for these redirects (namely
|
2015-02-20 14:20:38 +00:00
|
|
|
``django.utils.http.is_safe_url()``) didn't check if the scheme is ``http(s)``
|
2013-08-13 16:16:30 +00:00
|
|
|
and as such allowed ``javascript:...`` URLs to be entered. If a developer
|
|
|
|
relied on ``is_safe_url()`` to provide safe redirect targets and put such a
|
2013-11-30 13:37:15 +00:00
|
|
|
URL into a link, they could suffer from a XSS attack. This bug doesn't affect
|
2013-08-13 16:16:30 +00:00
|
|
|
Django currently, since we only put this URL into the ``Location`` response
|
|
|
|
header and browsers seem to ignore JavaScript there.
|
|
|
|
|
|
|
|
Bugfixes
|
|
|
|
========
|
|
|
|
|
2013-09-09 08:59:47 +00:00
|
|
|
* Fixed an obscure bug with the :func:`~django.test.override_settings`
|
2013-08-13 16:16:30 +00:00
|
|
|
decorator. If you hit an ``AttributeError: 'Settings' object has no attribute
|
|
|
|
'_original_allowed_hosts'`` exception, it's probably fixed (#20636).
|