首页 发现 帮助
登录
CityApper
/
django
镜像自地址 https://github.com/django/django
2
0
派生 0
文件 工单管理 0 Wiki
目录树: 7aabd62380
分支列表 标签列表
django
/
docs
/
releases
/
1.6.11.txt

1.6.11.txt 2.2 KB
文件历史 原始文件

12345678910111213141516171819202122232425262728293031323334353637383940414243 
  1. ===========================
    2. 

  2. Django 1.6.11 release notes
    3. 

  3. ===========================
    4. 

  4. 

  5. *March 18, 2015*
    6. 

  6. 

  7. Django 1.6.11 fixes two security issues in 1.6.10.
    8. 

  8. 

  9. Denial-of-service possibility with ``strip_tags()``
    10. 

  10. ===================================================
    11. 

  11. 

  12. Last year :func:`~django.utils.html.strip_tags`  was changed to work
    13. 

  13. iteratively. The problem is that the size of the input it's processing can
    14. 

  14. increase on each iteration which results in an infinite loop in
    15. 

  15. ``strip_tags()``. This issue only affects versions of Python that haven't
    16. 

  16. received  `a bugfix in HTMLParser <https://bugs.python.org/issue20288>`_; namely
    17. 

  17. Python < 2.7.7 and 3.3.5. Some operating system vendors have also backported
    18. 

  18. the fix for the Python bug into their packages of earlier versions.
    19. 

  19. 

  20. To remedy this issue, ``strip_tags()`` will now return the original input if
    21. 

  21. it detects the length of the string it's processing increases. Remember that
    22. 

  22. absolutely NO guarantee is provided about the results of ``strip_tags()`` being
    23. 

  23. HTML safe. So NEVER mark safe the result of a ``strip_tags()`` call without
    24. 

  24. escaping it first, for example with :func:`~django.utils.html.escape`.
    25. 

  25. 

  26. Mitigated possible XSS attack via user-supplied redirect URLs
    27. 

  27. =============================================================
    28. 

  28. 

  29. Django relies on user input in some cases (e.g.
    30. 

  30. :func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`)
    31. 

  31. to redirect the user to an "on success" URL. The security checks for these
    32. 

  32. redirects (namely ``django.utils.http.is_safe_url()``) accepted URLs with
    33. 

  33. leading control characters and so considered URLs like ``\x08javascript:...``
    34. 

  34. safe. This issue doesn't affect Django currently, since we only put this URL
    35. 

  35. into the ``Location`` response header and browsers seem to ignore JavaScript
    36. 

  36. there. Browsers we tested also treat URLs prefixed with control characters such
    37. 

  37. as ``%08//example.com`` as relative paths so redirection to an unsafe target
    38. 

  38. isn't a problem either.
    39. 

  39. 

  40. However, if a developer relies on ``is_safe_url()`` to
    41. 

  41. provide safe redirect targets and puts such a URL into a link, they could
    42. 

  42. suffer from an XSS attack as some browsers such as Google Chrome ignore control
    43. 

  43. characters at the start of a URL in an anchor ``href``.
    44.