Página Principal Explorar Ajuda
Iniciar Sessão
CityApper
/
django
mirror de https://github.com/django/django
2
0
Fork 0
Ficheiros Problemas 0 Wiki
Árvore: d3db878e4b
Ramos Etiquetas
django
/
docs
/
releases
/
1.5.6.txt

1.5.6.txt 5.0 KB
Histórico Em bruto

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119 
  1. ==========================
    2. 

  2. Django 1.5.6 release notes
    3. 

  3. ==========================
    4. 

  4. 

  5. *April 21, 2014*
    6. 

  6. 

  7. Django 1.5.6 fixes several bugs in 1.5.5, including three security
    8. 

  8. issues.
    9. 

  9. 

  10. Unexpected code execution using ``reverse()``
    11. 

  11. =============================================
    12. 

  12. 

  13. Django's URL handling is based on a mapping of regex patterns
    14. 

  14. (representing the URLs) to callable views, and Django's own processing
    15. 

  15. consists of matching a requested URL against those patterns to
    16. 

  16. determine the appropriate view to invoke.
    17. 

  17. 

  18. Django also provides a convenience function --
    19. 

  19. :func:`~django.core.urlresolvers.reverse` -- which performs this process
    20. 

  20. in the opposite direction. The ``reverse()`` function takes
    21. 

  21. information about a view and returns a URL which would invoke that
    22. 

  22. view. Use of ``reverse()`` is encouraged for application developers,
    23. 

  23. as the output of ``reverse()`` is always based on the current URL
    24. 

  24. patterns, meaning developers do not need to change other code when
    25. 

  25. making changes to URLs.
    26. 

  26. 

  27. One argument signature for ``reverse()`` is to pass a dotted Python
    28. 

  28. path to the desired view. In this situation, Django will import the
    29. 

  29. module indicated by that dotted path as part of generating the
    30. 

  30. resulting URL. If such a module has import-time side effects, those
    31. 

  31. side effects will occur.
    32. 

  32. 

  33. Thus it is possible for an attacker to cause unexpected code
    34. 

  34. execution, given the following conditions:
    35. 

  35. 

  36. 1. One or more views are present which construct a URL based on user
    37. 

  37.    input (commonly, a "next" parameter in a querystring indicating
    38. 

  38.    where to redirect upon successful completion of an action).
    39. 

  39. 

  40. 2. One or more modules are known to an attacker to exist on the
    41. 

  41.    server's Python import path, which perform code execution with side
    42. 

  42.    effects on importing.
    43. 

  43. 

  44. To remedy this, ``reverse()`` will now only accept and import dotted
    45. 

  45. paths based on the view-containing modules listed in the project's :doc:`URL
    46. 

  46. pattern configuration </topics/http/urls>`, so as to ensure that only modules
    47. 

  47. the developer intended to be imported in this fashion can or will be imported.
    48. 

  48. 

  49. Caching of anonymous pages could reveal CSRF token
    50. 

  50. ==================================================
    51. 

  51. 

  52. Django includes both a :doc:`caching framework </topics/cache>` and a system
    53. 

  53. for :doc:`preventing cross-site request forgery (CSRF) attacks
    54. 

  54. </ref/csrf/>`. The CSRF-protection system is based on a random nonce
    55. 

  55. sent to the client in a cookie which must be sent by the client on future
    56. 

  56. requests and, in forms, a hidden value which must be submitted back with the
    57. 

  57. form.
    58. 

  58. 

  59. The caching framework includes an option to cache responses to
    60. 

  60. anonymous (i.e., unauthenticated) clients.
    61. 

  61. 

  62. When the first anonymous request to a given page is by a client which
    63. 

  63. did not have a CSRF cookie, the cache framework will also cache the
    64. 

  64. CSRF cookie and serve the same nonce to other anonymous clients who
    65. 

  65. do not have a CSRF cookie. This can allow an attacker to obtain a
    66. 

  66. valid CSRF cookie value and perform attacks which bypass the check for
    67. 

  67. the cookie.
    68. 

  68. 

  69. To remedy this, the caching framework will no longer cache such
    70. 

  70. responses. The heuristic for this will be:
    71. 

  71. 

  72. 1. If the incoming request did not submit any cookies, and
    73. 

  73. 

  74. 2. If the response did send one or more cookies, and
    75. 

  75. 

  76. 3. If the ``Vary: Cookie`` header is set on the response, then the
    77. 

  77.    response will not be cached.
    78. 

  78. 

  79. MySQL typecasting
    80. 

  80. =================
    81. 

  81. 

  82. The MySQL database is known to "typecast" on certain queries; for
    83. 

  83. example, when querying a table which contains string values, but using
    84. 

  84. a query which filters based on an integer value, MySQL will first
    85. 

  85. silently coerce the strings to integers and return a result based on that.
    86. 

  86. 

  87. If a query is performed without first converting values to the
    88. 

  88. appropriate type, this can produce unexpected results, similar to what
    89. 

  89. would occur if the query itself had been manipulated.
    90. 

  90. 

  91. Django's model field classes are aware of their own types and most
    92. 

  92. such classes perform explicit conversion of query arguments to the
    93. 

  93. correct database-level type before querying. However, three model
    94. 

  94. field classes did not correctly convert their arguments:
    95. 

  95. 

  96. * :class:`~django.db.models.FilePathField`
    97. 

  97. * :class:`~django.db.models.GenericIPAddressField`
    98. 

  98. * :class:`~django.db.models.IPAddressField`
    99. 

  99. 

  100. These three fields have been updated to convert their arguments to the
    101. 

  101. correct types before querying.
    102. 

  102. 

  103. Additionally, developers of custom model fields are now warned via
    104. 

  104. documentation to ensure their custom field classes will perform
    105. 

  105. appropriate type conversions, and users of the :meth:`raw()
    106. 

  106. <django.db.models.query.QuerySet.raw>` and :meth:`extra()
    107. 

  107. <django.db.models.query.QuerySet.extra>` query methods -- which allow the
    108. 

  108. developer to supply raw SQL or SQL fragments -- will be advised to ensure they
    109. 

  109. perform appropriate manual type conversions prior to executing queries.
    110. 

  110. 

  111. Bugfixes
    112. 

  112. ========
    113. 

  113. 

  114. * Fixed :class:`~django.contrib.auth.backends.ModelBackend` raising
    115. 

  115.   ``UnboundLocalError`` if :func:`~django.contrib.auth.get_user_model`
    116. 

  116.   raised an error (#21439).
    117. 

  117. 

  118. Additionally, Django's vendored version of six, :mod:`django.utils.six`,
    119. 

  119. has been upgraded to the latest release (1.6.1).
    120.