mirror of https://github.com/django/django.git, synced 2025-10-24 22:26:08 +00:00
	Minor edits to latest release notes.
This commit is contained in:
		| @@ -1,18 +1,18 @@ | |||||||
| ========================== | =========================== | ||||||
| Django 1.4.13 release notes | Django 1.4.13 release notes | ||||||
| ========================== | =========================== | ||||||
|  |  | ||||||
| *May 13, 2014* | *May 14, 2014* | ||||||
|  |  | ||||||
| Django 1.4.13 fixes two security issues in 1.4.12. | Django 1.4.13 fixes two security issues in 1.4.12. | ||||||
|  |  | ||||||
|  |  | ||||||
| Caches may incorrectly be allowed to store and serve private data | Caches may incorrectly be allowed to store and serve private data | ||||||
| ================================================================= | ================================================================= | ||||||
|  |  | ||||||
| In certain situations, Django may allow caches to store private data | In certain situations, Django may allow caches to store private data | ||||||
| related to a particular session and then serve that data to requests | related to a particular session and then serve that data to requests | ||||||
| with a different session, or no session at all. This can both lead to | with a different session, or no session at all. This can lead to | ||||||
| information disclosure, and can be a vector for cache poisoning. | information disclosure and can be a vector for cache poisoning. | ||||||
|  |  | ||||||
| When using Django sessions, Django will set a ``Vary: Cookie`` header to | When using Django sessions, Django will set a ``Vary: Cookie`` header to | ||||||
| ensure caches do not serve cached data to requests from other sessions. | ensure caches do not serve cached data to requests from other sessions. | ||||||
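Review bot: The summary line "Django 1.4.13 fixes two security issues in 1.4.12." gives readers nothing to track the issues by; the two sections below describe the bugs but neither this line nor the headings reference the security advisory or any identifier for them. Consider linking the advisory for this release from the summary so operators can correlate the fix with their vulnerability tracking. The date change from May 13 to May 14 and the lengthened heading underline (the old one was one character short of the title) both look right.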
| @@ -22,15 +22,15 @@ Explorer 6, and Internet Explorer 7 if run on Windows XP or Windows Server | |||||||
| types. Therefore, Django would remove the header if the request was made by | types. Therefore, Django would remove the header if the request was made by | ||||||
| Internet Explorer. | Internet Explorer. | ||||||
|  |  | ||||||
| To remedy this, the special behaviour for these older Internet Explorer versions | To remedy this, the special behavior for these older Internet Explorer versions | ||||||
| has been removed, and the ``Vary`` header is no longer stripped from the response. | has been removed, and the ``Vary`` header is no longer stripped from the response. | ||||||
| In addition, modifications to the ``Cache-Control`` header for all Internet Explorer | In addition, modifications to the ``Cache-Control`` header for all Internet Explorer | ||||||
| requests with a ``Content-Disposition`` header, have also been removed as they | requests with a ``Content-Disposition`` header have also been removed as they | ||||||
| were found to have similar issues. | were found to have similar issues. | ||||||
|  |  | ||||||
|  |  | ||||||
| Malformed redirect URLs from user input not correctly validated | Malformed redirect URLs from user input not correctly validated | ||||||
| =============================================================== | =============================================================== | ||||||
|  |  | ||||||
| The validation for redirects did not correctly validate some malformed URLs, | The validation for redirects did not correctly validate some malformed URLs, | ||||||
| which are accepted by some browsers. This allows a user to be redirected to | which are accepted by some browsers. This allows a user to be redirected to | ||||||
| an unsafe URL unexpectedly. | an unsafe URL unexpectedly. | ||||||
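Review bot: The sentence "modifications to the ``Cache-Control`` header for all Internet Explorer requests with a ``Content-Disposition`` header" places ``Content-Disposition`` on the request, but it is a response header: the condition is a response that carries ``Content-Disposition``, sent to an Internet Explorer client. Suggest "for all responses with a ``Content-Disposition`` header sent to Internet Explorer" so that the description matches where the header actually appears; the comma removal in this line is otherwise fine.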
|   | |||||||
| @@ -2,17 +2,17 @@ | |||||||
| Django 1.5.8 release notes | Django 1.5.8 release notes | ||||||
| ========================== | ========================== | ||||||
|  |  | ||||||
| *May 13, 2014* | *May 14, 2014* | ||||||
|  |  | ||||||
| Django 1.5.8 fixes two security issues in 1.5.8. | Django 1.5.8 fixes two security issues in 1.5.8. | ||||||
|  |  | ||||||
|  |  | ||||||
| Caches may incorrectly be allowed to store and serve private data | Caches may incorrectly be allowed to store and serve private data | ||||||
| ================================================================= | ================================================================= | ||||||
|  |  | ||||||
| In certain situations, Django may allow caches to store private data | In certain situations, Django may allow caches to store private data | ||||||
| related to a particular session and then serve that data to requests | related to a particular session and then serve that data to requests | ||||||
| with a different session, or no session at all. This can both lead to | with a different session, or no session at all. This can lead to | ||||||
| information disclosure, and can be a vector for cache poisoning. | information disclosure and can be a vector for cache poisoning. | ||||||
|  |  | ||||||
| When using Django sessions, Django will set a ``Vary: Cookie`` header to | When using Django sessions, Django will set a ``Vary: Cookie`` header to | ||||||
| ensure caches do not serve cached data to requests from other sessions. | ensure caches do not serve cached data to requests from other sessions. | ||||||
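Review bot: "Django 1.5.8 fixes two security issues in 1.5.8." is self-referential on both sides of this hunk and should name the previous release, presumably 1.5.7, following the pattern of the sibling notes ("in 1.4.12", "in 1.6.4"). Since this commit already touches the date line directly below it, it is the natural place to correct the version as well.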
| @@ -22,15 +22,15 @@ Explorer 6, and Internet Explorer 7 if run on Windows XP or Windows Server | |||||||
| types. Therefore, Django would remove the header if the request was made by | types. Therefore, Django would remove the header if the request was made by | ||||||
| Internet Explorer. | Internet Explorer. | ||||||
|  |  | ||||||
| To remedy this, the special behaviour for these older Internet Explorer versions | To remedy this, the special behavior for these older Internet Explorer versions | ||||||
| has been removed, and the ``Vary`` header is no longer stripped from the response. | has been removed, and the ``Vary`` header is no longer stripped from the response. | ||||||
| In addition, modifications to the ``Cache-Control`` header for all Internet Explorer | In addition, modifications to the ``Cache-Control`` header for all Internet Explorer | ||||||
| requests with a ``Content-Disposition`` header, have also been removed as they | requests with a ``Content-Disposition`` header have also been removed as they | ||||||
| were found to have similar issues. | were found to have similar issues. | ||||||
|  |  | ||||||
|  |  | ||||||
| Malformed redirect URLs from user input not correctly validated | Malformed redirect URLs from user input not correctly validated | ||||||
| =============================================================== | =============================================================== | ||||||
|  |  | ||||||
| The validation for redirects did not correctly validate some malformed URLs, | The validation for redirects did not correctly validate some malformed URLs, | ||||||
| which are accepted by some browsers. This allows a user to be redirected to | which are accepted by some browsers. This allows a user to be redirected to | ||||||
| an unsafe URL unexpectedly. | an unsafe URL unexpectedly. | ||||||
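Review bot: The "Malformed redirect URLs" section says only that "the validation for redirects did not correctly validate some malformed URLs", without naming the helper that performs the check or the kind of malformed input involved. Readers who wrap or reimplement that validation cannot tell from this text whether their own code is affected; suggest naming the validation function and giving a one-line characterisation of the URL shapes that were accepted by browsers but passed the old check.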
|   | |||||||
| @@ -4,14 +4,15 @@ Django 1.6.5 release notes | |||||||
|  |  | ||||||
| *May 14, 2014* | *May 14, 2014* | ||||||
|  |  | ||||||
| Django 1.6.5 fixes two security issues and several several bugs in 1.6.4. | Django 1.6.5 fixes two security issues and several bugs in 1.6.4. | ||||||
|  |  | ||||||
| Issue: Caches may incorrectly be allowed to store and serve private data | Issue: Caches may incorrectly be allowed to store and serve private data | ||||||
| ======================================================================== | ======================================================================== | ||||||
|  |  | ||||||
| In certain situations, Django may allow caches to store private data | In certain situations, Django may allow caches to store private data | ||||||
| related to a particular session and then serve that data to requests | related to a particular session and then serve that data to requests | ||||||
| with a different session, or no session at all. This can both lead to | with a different session, or no session at all. This can lead to | ||||||
| information disclosure, and can be a vector for cache poisoning. | information disclosure and can be a vector for cache poisoning. | ||||||
|  |  | ||||||
| When using Django sessions, Django will set a ``Vary: Cookie`` header to | When using Django sessions, Django will set a ``Vary: Cookie`` header to | ||||||
| ensure caches do not serve cached data to requests from other sessions. | ensure caches do not serve cached data to requests from other sessions. | ||||||
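Review bot: The section headings in this file are prefixed "Issue: " ("Issue: Caches may incorrectly be allowed ...") while the 1.4.13 and 1.5.8 notes edited in the same commit use the bare heading ("Caches may incorrectly be allowed ..."). Since this commit is already normalising wording across the three files, pick one form and apply it to all of them. The "several several" fix on the summary line is correct.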
| @@ -21,15 +22,15 @@ Explorer 6, and Internet Explorer 7 if run on Windows XP or Windows Server | |||||||
| types. Therefore, Django would remove the header if the request was made by | types. Therefore, Django would remove the header if the request was made by | ||||||
| Internet Explorer. | Internet Explorer. | ||||||
|  |  | ||||||
| To remedy this, the special behaviour for these older Internet Explorer versions | To remedy this, the special behavior for these older Internet Explorer versions | ||||||
| has been removed, and the ``Vary`` header is no longer stripped from the response. | has been removed, and the ``Vary`` header is no longer stripped from the response. | ||||||
| In addition, modifications to the ``Cache-Control`` header for all Internet Explorer | In addition, modifications to the ``Cache-Control`` header for all Internet Explorer | ||||||
| requests with a ``Content-Disposition`` header, have also been removed as they | requests with a ``Content-Disposition`` header have also been removed as they | ||||||
| were found to have similar issues. | were found to have similar issues. | ||||||
|  |  | ||||||
|  |  | ||||||
| Issue: Malformed redirect URLs from user input not correctly validated | Issue: Malformed redirect URLs from user input not correctly validated | ||||||
| ====================================================================== | ====================================================================== | ||||||
|  |  | ||||||
| The validation for redirects did not correctly validate some malformed URLs, | The validation for redirects did not correctly validate some malformed URLs, | ||||||
| which are accepted by some browsers. This allows a user to be redirected to | which are accepted by some browsers. This allows a user to be redirected to | ||||||
| an unsafe URL unexpectedly. | an unsafe URL unexpectedly. | ||||||
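Review bot: Same wording issue as in the 1.4.13 and 1.5.8 notes: "Internet Explorer requests with a ``Content-Disposition`` header" describes a response header as if it were on the request. Because the three files carry this paragraph verbatim, any rewording applied to one of them should be applied to all three in the same commit, as was done here for "behaviour" to "behavior".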
|   | |||||||