2014-05-14 16:07:32 +00:00
|
|
|
==========================
|
|
|
|
Django 1.5.8 release notes
|
|
|
|
==========================
|
|
|
|
|
2014-05-15 11:11:29 +00:00
|
|
|
*May 14, 2014*
|
2014-05-14 16:07:32 +00:00
|
|
|
|
2014-05-15 11:11:29 +00:00
|
|
|
Django 1.5.8 fixes two security issues in 1.5.8.
|
2014-05-14 16:07:32 +00:00
|
|
|
|
|
|
|
Caches may incorrectly be allowed to store and serve private data
|
|
|
|
=================================================================
|
2014-05-15 11:11:29 +00:00
|
|
|
|
2014-05-14 16:07:32 +00:00
|
|
|
In certain situations, Django may allow caches to store private data
|
|
|
|
related to a particular session and then serve that data to requests
|
2014-05-15 11:11:29 +00:00
|
|
|
with a different session, or no session at all. This can lead to
|
|
|
|
information disclosure and can be a vector for cache poisoning.
|
2014-05-14 16:07:32 +00:00
|
|
|
|
|
|
|
When using Django sessions, Django will set a ``Vary: Cookie`` header to
|
|
|
|
ensure caches do not serve cached data to requests from other sessions.
|
|
|
|
However, older versions of Internet Explorer (most likely only Internet
|
|
|
|
Explorer 6, and Internet Explorer 7 if run on Windows XP or Windows Server
|
|
|
|
2003) are unable to handle the ``Vary`` header in combination with many content
|
|
|
|
types. Therefore, Django would remove the header if the request was made by
|
|
|
|
Internet Explorer.
|
|
|
|
|
2014-05-15 11:11:29 +00:00
|
|
|
To remedy this, the special behavior for these older Internet Explorer versions
|
2014-05-14 16:07:32 +00:00
|
|
|
has been removed, and the ``Vary`` header is no longer stripped from the response.
|
|
|
|
In addition, modifications to the ``Cache-Control`` header for all Internet Explorer
|
2014-05-15 11:11:29 +00:00
|
|
|
requests with a ``Content-Disposition`` header have also been removed as they
|
2014-05-14 16:07:32 +00:00
|
|
|
were found to have similar issues.
|
|
|
|
|
|
|
|
Malformed redirect URLs from user input not correctly validated
|
|
|
|
===============================================================
|
2014-05-15 11:11:29 +00:00
|
|
|
|
2014-05-14 16:07:32 +00:00
|
|
|
The validation for redirects did not correctly validate some malformed URLs,
|
|
|
|
which are accepted by some browsers. This allows a user to be redirected to
|
|
|
|
an unsafe URL unexpectedly.
|
|
|
|
|
|
|
|
Django relies on user input in some cases (e.g.
|
2017-09-02 23:24:18 +00:00
|
|
|
``django.contrib.auth.views.login()``, ``django.contrib.comments``, and
|
2014-05-14 16:07:32 +00:00
|
|
|
:doc:`i18n </topics/i18n/index>`) to redirect the user to an "on success" URL.
|
|
|
|
The security checks for these redirects (namely
|
2015-02-20 14:20:38 +00:00
|
|
|
``django.utils.http.is_safe_url()``) did not correctly validate some malformed
|
2020-03-31 08:37:38 +00:00
|
|
|
URLs, such as ``http:\\\\\\djangoproject.com``, which are accepted by some
|
|
|
|
browsers with more liberal URL parsing.
|
2014-05-14 16:07:32 +00:00
|
|
|
|
|
|
|
To remedy this, the validation in ``is_safe_url()`` has been tightened to be able
|
|
|
|
to handle and correctly validate these malformed URLs.
|