ホーム エクスプローラ ヘルプ
サインイン
CityApper
/
django
同期ミラー https://github.com/django/django
2
0
フォーク 0
ファイル 課題 0 Wiki
ツリー: 4f313e284e
ブランチ タグ
django
/
docs
/
releases
/
1.8.18.txt

1.8.18.txt 1.3 KB
履歴 Raw

123456789101112131415161718192021222324252627282930 
  1. ===========================
    2. 

  2. Django 1.8.18 release notes
    3. 

  3. ===========================
    4. 

  4. 

  5. *April 4, 2017*
    6. 

  6. 

  7. Django 1.8.18 fixes two security issues in 1.8.17.
    8. 

  8. 

  9. CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs
    10. 

  10. ============================================================================================
    11. 

  11. 

  12. Django relies on user input in some cases  (e.g.
    13. 

  13. ``django.contrib.auth.views.login()`` and :doc:`i18n </topics/i18n/index>`)
    14. 

  14. to redirect the user to an "on success" URL. The security check for these
    15. 

  15. redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric
    16. 

  16. URLs (e.g. ``http:999999999``) "safe" when they shouldn't be.
    17. 

  17. 

  18. Also, if a developer relies on ``is_safe_url()`` to provide safe redirect
    19. 

  19. targets and puts such a URL into a link, they could suffer from an XSS attack.
    20. 

  20. 

  21. CVE-2017-7234: Open redirect vulnerability in ``django.views.static.serve()``
    22. 

  22. =============================================================================
    23. 

  23. 

  24. A maliciously crafted URL to a Django site using the
    25. 

  25. :func:`~django.views.static.serve` view could redirect to any other domain. The
    26. 

  26. view no longer does any redirects as they don't provide any known, useful
    27. 

  27. functionality.
    28. 

  28. 

  29. Note, however, that this view has always carried a warning that it is not
    30. 

  30. hardened for production use and should be used only as a development aid.
    31.