1
0
mirror of https://github.com/django/django.git synced 2024-12-25 02:26:12 +00:00
django/docs/releases/1.4.6.txt
Kevin Christopher Henry 9d700322b3 Fixed #19885 -- cleaned up the django.test namespace
* override_settings may now be imported from django.test
* removed Approximate from django.test
* updated documentation for things importable from django.test

Thanks akaariai for the suggestion.
2013-09-09 16:03:13 -04:00

32 lines
1.3 KiB
Plaintext

==========================
Django 1.4.6 release notes
==========================
*August 13, 2013*
Django 1.4.6 fixes one security issue present in previous Django releases in
the 1.4 series, as well as one other bug.
This is the sixth bugfix/security release in the Django 1.4 series.
Mitigated possible XSS attack via user-supplied redirect URLs
-------------------------------------------------------------
Django relies on user input in some cases (e.g.
:func:`django.contrib.auth.views.login`, :mod:`django.contrib.comments`, and
:doc:`i18n </topics/i18n/index>`) to redirect the user to an "on success" URL.
The security checks for these redirects (namely
``django.util.http.is_safe_url()``) didn't check if the scheme is ``http(s)``
and as such allowed ``javascript:...`` URLs to be entered. If a developer
relied on ``is_safe_url()`` to provide safe redirect targets and put such a
URL into a link, he could suffer from a XSS attack. This bug doesn't affect
Django currently, since we only put this URL into the ``Location`` response
header and browsers seem to ignore JavaScript there.
Bugfixes
========
* Fixed an obscure bug with the :func:`~django.test.override_settings`
decorator. If you hit an ``AttributeError: 'Settings' object has no attribute
'_original_allowed_hosts'`` exception, it's probably fixed (#20636).