Почетна Преглед Помоћ
Пријавите се
CityApper
/
django
огледало од https://github.com/django/django
2
0
Креирај огранак 0
Датотеке Дискусије 0 Вики
Дрво: 04ee4059d7
Гране Ознаке
django
/
docs
/
releases
/
1.5.3.txt

1.5.3.txt 2.4 KB
Историја Датотека

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950 
  1. ==========================
    2. 

  2. Django 1.5.3 release notes
    3. 

  3. ==========================
    4. 

  4. 

  5. *September 10, 2013*
    6. 

  6. 

  7. This is Django 1.5.3, the third release in the Django 1.5 series. It addresses
    8. 

  8. one security issue and also contains an opt-in feature to enhance the security
    9. 

  9. of :mod:`django.contrib.sessions`.
    10. 

  10. 

  11. Directory traversal vulnerability in ``ssi`` template tag
    12. 

  12. ---------------------------------------------------------
    13. 

  13. 

  14. In previous versions of Django it was possible to bypass the
    15. 

  15. ``ALLOWED_INCLUDE_ROOTS`` setting used for security with the ``ssi``
    16. 

  16. template tag by specifying a relative path that starts with one of the allowed
    17. 

  17. roots. For example, if ``ALLOWED_INCLUDE_ROOTS = ("/var/www",)`` the following
    18. 

  18. would be possible:
    19. 

  19. 

  20. .. code-block:: html+django
    21. 

  21. 

  22.     {% ssi "/var/www/../../etc/passwd" %}
    23. 

  23. 

  24. In practice this is not a very common problem, as it would require the template
    25. 

  25. author to put the ``ssi`` file in a user-controlled variable, but it's possible
    26. 

  26. in principle.
    27. 

  27. 

  28. Mitigating a remote-code execution vulnerability in :mod:`django.contrib.sessions`
    29. 

  29. ----------------------------------------------------------------------------------
    30. 

  30. 

  31. :mod:`django.contrib.sessions` currently uses :mod:`pickle` to serialize
    32. 

  32. session data before storing it in the backend. If you're using the :ref:`signed
    33. 

  33. cookie session backend<cookie-session-backend>` and :setting:`SECRET_KEY` is
    34. 

  34. known by an attacker (there isn't an inherent vulnerability in Django that
    35. 

  35. would cause it to leak), the attacker could insert a string into his session
    36. 

  36. which, when unpickled, executes arbitrary code on the server. The technique for
    37. 

  37. doing so is simple and easily available on the internet. Although the cookie
    38. 

  38. session storage signs the cookie-stored data to prevent tampering, a
    39. 

  39. :setting:`SECRET_KEY` leak immediately escalates to a remote code execution
    40. 

  40. vulnerability.
    41. 

  41. 

  42. This attack can be mitigated by serializing session data using JSON rather
    43. 

  43. than :mod:`pickle`. To facilitate this, Django 1.5.3 introduces a new setting,
    44. 

  44. :setting:`SESSION_SERIALIZER`, to customize the session serialization format.
    45. 

  45. For backwards compatibility, this setting defaults to using :mod:`pickle`.
    46. 

  46. While JSON serialization does not support all Python objects like :mod:`pickle`
    47. 

  47. does, we highly recommend switching to JSON-serialized values. Also,
    48. 

  48. as JSON requires string keys, you will likely run into problems if you are
    49. 

  49. using non-string keys in ``request.session``. See the
    50. 

  50. :ref:`session_serialization` documentation for more details.
    51.