django/docs/releases/1.9.13.txt

===========================
Django 1.9.13 release notes
===========================

*April 4, 2017*

Django 1.9.13 fixes two security issues and a bug in 1.9.12. This is the final
release of the 1.9.x series.

CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs
============================================================================================

Django relies on user input in some cases  (e.g.
``django.contrib.auth.views.login()`` and :doc:`i18n </topics/i18n/index>`)
to redirect the user to an "on success" URL. The security check for these
redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric
URLs (e.g. ``http:999999999``) "safe" when they shouldn't be.

Also, if a developer relies on ``is_safe_url()`` to provide safe redirect
targets and puts such a URL into a link, they could suffer from an XSS attack.

CVE-2017-7234: Open redirect vulnerability in ``django.views.static.serve()``
=============================================================================

A maliciously crafted URL to a Django site using the
:func:`~django.views.static.serve` view could redirect to any other domain. The
view no longer does any redirects as they don't provide any known, useful
functionality.

Note, however, that this view has always carried a warning that it is not
hardened for production use and should be used only as a development aid.

Bugfixes
========

* Fixed a regression in the ``timesince`` and ``timeuntil`` filters that caused
  incorrect results for dates in a leap year (:ticket:`27637`).
Fixed #27637 -- Fixed timesince, timeuntil in leap year edge case. 2016-12-27 14:29:11 +00:00			`===========================`
			`Django 1.9.13 release notes`
			`===========================`

Added stub release notes for security releases. 2017-03-22 15:47:45 +00:00			`April 4, 2017`
Fixed #27637 -- Fixed timesince, timeuntil in leap year edge case. 2016-12-27 14:29:11 +00:00
Added stub release notes for security releases. 2017-03-22 15:47:45 +00:00			`Django 1.9.13 fixes two security issues and a bug in 1.9.12. This is the final`
			`release of the 1.9.x series.`
Fixed #27637 -- Fixed timesince, timeuntil in leap year edge case. 2016-12-27 14:29:11 +00:00
Fixed #27912, CVE-2017-7233 -- Fixed is_safe_url() with numeric URLs. This is a security fix. 2017-03-14 14:46:53 +00:00			`CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs`
			`============================================================================================`

			`Django relies on user input in some cases (e.g.`
Refs #17209 -- Removed login/logout and password reset/change function-based views. Per deprecation timeline. 2017-09-02 23:24:18 +00:00			``django.contrib.auth.views.login()`` and :doc:`i18n </topics/i18n/index>`)
Fixed #27912, CVE-2017-7233 -- Fixed is_safe_url() with numeric URLs. This is a security fix. 2017-03-14 14:46:53 +00:00			`to redirect the user to an "on success" URL. The security check for these`
			redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric
			URLs (e.g. ``http:999999999``) "safe" when they shouldn't be.

			Also, if a developer relies on ``is_safe_url()`` to provide safe redirect
			`targets and puts such a URL into a link, they could suffer from an XSS attack.`

Fixed CVE-2017-7234 -- Fixed open redirect vulnerability in views.static.serve(). This is a security fix. 2017-03-14 16:33:15 +00:00			CVE-2017-7234: Open redirect vulnerability in ``django.views.static.serve()``
			`=============================================================================`

			`A maliciously crafted URL to a Django site using the`
			:func:`~django.views.static.serve` view could redirect to any other domain. The
			`view no longer does any redirects as they don't provide any known, useful`
			`functionality.`

			`Note, however, that this view has always carried a warning that it is not`
			`hardened for production use and should be used only as a development aid.`

Fixed #27637 -- Fixed timesince, timeuntil in leap year edge case. 2016-12-27 14:29:11 +00:00			`Bugfixes`
			`========`

			* Fixed a regression in the ``timesince`` and ``timeuntil`` filters that caused
Refs #27637 -- Fixed timesince, timeuntil on New Year's Eve in a leap year. 2017-01-02 13:40:44 +00:00			incorrect results for dates in a leap year (:ticket:`27637`).