mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-31 09:41:08 +00:00
Code Issues 32 Releases Wiki Activity

Refs #17209 -- Removed login/logout and password reset/change function-based views.

Browse Source 
Per deprecation timeline.
This commit is contained in:
Tim Graham
2017-09-02 19:24:18 -04:00
parent deb592b3e3
commit 4f313e284e
30 changed files with 42 additions and 870 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
docs/releases/1.8.10.txt
View File

@@ -10,7 +10,7 @@ CVE-2016-2512: Malicious redirect and possible XSS attack via user-supplied redi
===============================================================================================================
Django relies on user input in some cases (e.g.
:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`)
``django.contrib.auth.views.login()`` and :doc:`i18n </topics/i18n/index>`)
to redirect the user to an "on success" URL. The security check for these
redirects (namely ``django.utils.http.is_safe_url()``) considered some URLs
with basic authentication credentials "safe" when they shouldn't be.