Почетна Преглед Помоћ
Пријавите се
CityApper
/
django
огледало од https://github.com/django/django
2
0
Креирај огранак 0
Датотеке Дискусије 0 Вики
Дрво: b6a957f0ba
Гране Ознаке
django
/
docs
/
releases
/
1.4.2.txt

1.4.2.txt 2.5 KB
Историја Датотека

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556 
  1. ==========================
    2. 

  2. Django 1.4.2 release notes
    3. 

  3. ==========================
    4. 

  4. 

  5. *October 17, 2012*
    6. 

  6. 

  7. This is the second security release in the Django 1.4 series.
    8. 

  8. 

  9. Host header poisoning
    10. 

  10. ---------------------
    11. 

  11. 

  12. Some parts of Django -- independent of end-user-written applications -- make
    13. 

  13. use of full URLs, including domain name, which are generated from the HTTP Host
    14. 

  14. header. Some attacks against this are beyond Django's ability to control, and
    15. 

  15. require the web server to be properly configured; Django's documentation has
    16. 

  16. for some time contained notes advising users on such configuration.
    17. 

  17. 

  18. Django's own built-in parsing of the Host header is, however, still vulnerable,
    19. 

  19. as was reported to us recently. The Host header parsing in Django 1.3.3 and
    20. 

  20. Django 1.4.1 -- specifically, ``django.http.HttpRequest.get_host()`` -- was
    21. 

  21. incorrectly handling username/password information in the header. Thus, for
    22. 

  22. example, the following Host header would be accepted by Django when running on
    23. 

  23. "validsite.com"::
    24. 

  24. 

  25.     Host: validsite.com:random@evilsite.com
    26. 

  26. 

  27. Using this, an attacker can cause parts of Django -- particularly the
    28. 

  28. password-reset mechanism -- to generate and display arbitrary URLs to users.
    29. 

  29. 

  30. To remedy this, the parsing in ``HttpRequest.get_host()`` is being modified;
    31. 

  31. Host headers which contain potentially dangerous content (such as
    32. 

  32. username/password pairs) now raise the exception
    33. 

  33. :exc:`django.core.exceptions.SuspiciousOperation`.
    34. 

  34. 

  35. Details of this issue were initially posted online as a `security advisory`_.
    36. 

  36. 

  37. .. _security advisory: https://www.djangoproject.com/weblog/2012/oct/17/security/
    38. 

  38. 

  39. Backwards incompatible changes
    40. 

  40. ==============================
    41. 

  41. 

  42. * The newly introduced :class:`~django.db.models.GenericIPAddressField`
    43. 

  43.   constructor arguments have been adapted to match those of all other model
    44. 

  44.   fields. The first two keyword arguments are now verbose_name and name.
    45. 

  45. 

  46. Other bugfixes and changes
    47. 

  47. ==========================
    48. 

  48. 

  49. * Subclass HTMLParser only for appropriate Python versions (#18239).
    50. 

  50. * Added batch_size argument to qs.bulk_create() (#17788).
    51. 

  51. * Fixed a small regression in the admin filters where wrongly formatted dates passed as url parameters caused an unhandled ValidationError (#18530).
    52. 

  52. * Fixed an endless loop bug when accessing permissions in templates (#18979)
    53. 

  53. * Fixed some Python 2.5 compatibility issues
    54. 

  54. * Fixed an issue with quoted filenames in Content-Disposition header (#19006)
    55. 

  55. * Made the context option in ``trans`` and ``blocktrans`` tags accept literals wrapped in single quotes (#18881).
    56. 

  56. * Numerous documentation improvements and fixes.
    57.