2017-03-22 15:47:45 +00:00
|
|
|
===========================
|
|
|
|
Django 1.8.18 release notes
|
|
|
|
===========================
|
|
|
|
|
|
|
|
*April 4, 2017*
|
|
|
|
|
|
|
|
Django 1.8.18 fixes two security issues in 1.8.17.
|
2017-03-14 16:33:15 +00:00
|
|
|
|
2017-03-14 14:46:53 +00:00
|
|
|
CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs
|
|
|
|
============================================================================================
|
|
|
|
|
|
|
|
Django relies on user input in some cases (e.g.
|
2017-09-02 23:24:18 +00:00
|
|
|
``django.contrib.auth.views.login()`` and :doc:`i18n </topics/i18n/index>`)
|
2017-03-14 14:46:53 +00:00
|
|
|
to redirect the user to an "on success" URL. The security check for these
|
|
|
|
redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric
|
|
|
|
URLs (e.g. ``http:999999999``) "safe" when they shouldn't be.
|
|
|
|
|
|
|
|
Also, if a developer relies on ``is_safe_url()`` to provide safe redirect
|
|
|
|
targets and puts such a URL into a link, they could suffer from an XSS attack.
|
|
|
|
|
2017-03-14 16:33:15 +00:00
|
|
|
CVE-2017-7234: Open redirect vulnerability in ``django.views.static.serve()``
|
|
|
|
=============================================================================
|
|
|
|
|
|
|
|
A maliciously crafted URL to a Django site using the
|
|
|
|
:func:`~django.views.static.serve` view could redirect to any other domain. The
|
|
|
|
view no longer does any redirects as they don't provide any known, useful
|
|
|
|
functionality.
|
|
|
|
|
|
|
|
Note, however, that this view has always carried a warning that it is not
|
|
|
|
hardened for production use and should be used only as a development aid.
|