Domů Procházet Nápověda
Přihlásit se
CityApper
/
django
zrcadlo https://github.com/django/django
2
0
Rozštěpit 0
Soubory Úkoly 0 Wiki
Strom: 4f313e284e
Větve Značky
django
/
docs
/
releases
/
1.4.20.txt

1.4.20.txt 1.2 KB
Historie Surový

1234567891011121314151617181920212223242526 
  1. ===========================
    2. 

  2. Django 1.4.20 release notes
    3. 

  3. ===========================
    4. 

  4. 

  5. *March 18, 2015*
    6. 

  6. 

  7. Django 1.4.20 fixes one security issue in 1.4.19.
    8. 

  8. 

  9. Mitigated possible XSS attack via user-supplied redirect URLs
    10. 

  10. =============================================================
    11. 

  11. 

  12. Django relies on user input in some cases (e.g.
    13. 

  13. ``django.contrib.auth.views.login()`` and :doc:`i18n </topics/i18n/index>`)
    14. 

  14. to redirect the user to an "on success" URL. The security checks for these
    15. 

  15. redirects (namely ``django.utils.http.is_safe_url()``) accepted URLs with
    16. 

  16. leading control characters and so considered URLs like ``\x08javascript:...``
    17. 

  17. safe. This issue doesn't affect Django currently, since we only put this URL
    18. 

  18. into the ``Location`` response header and browsers seem to ignore JavaScript
    19. 

  19. there. Browsers we tested also treat URLs prefixed with control characters such
    20. 

  20. as ``%08//example.com`` as relative paths so redirection to an unsafe target
    21. 

  21. isn't a problem either.
    22. 

  22. 

  23. However, if a developer relies on ``is_safe_url()`` to
    24. 

  24. provide safe redirect targets and puts such a URL into a link, they could
    25. 

  25. suffer from an XSS attack as some browsers such as Google Chrome ignore control
    26. 

  26. characters at the start of a URL in an anchor ``href``.
    27.