2015-03-04 13:49:12 +01:00
|
|
|
===========================
|
|
|
|
Django 1.4.20 release notes
|
|
|
|
===========================
|
|
|
|
|
|
|
|
*March 18, 2015*
|
|
|
|
|
|
|
|
Django 1.4.20 fixes one security issue in 1.4.19.
|
2015-03-10 01:05:13 +01:00
|
|
|
|
|
|
|
Mitigated possible XSS attack via user-supplied redirect URLs
|
|
|
|
=============================================================
|
|
|
|
|
|
|
|
Django relies on user input in some cases (e.g.
|
2017-09-03 01:24:18 +02:00
|
|
|
``django.contrib.auth.views.login()`` and :doc:`i18n </topics/i18n/index>`)
|
2015-03-10 01:05:13 +01:00
|
|
|
to redirect the user to an "on success" URL. The security checks for these
|
|
|
|
redirects (namely ``django.utils.http.is_safe_url()``) accepted URLs with
|
|
|
|
leading control characters and so considered URLs like ``\x08javascript:...``
|
|
|
|
safe. This issue doesn't affect Django currently, since we only put this URL
|
|
|
|
into the ``Location`` response header and browsers seem to ignore JavaScript
|
|
|
|
there. Browsers we tested also treat URLs prefixed with control characters such
|
|
|
|
as ``%08//example.com`` as relative paths so redirection to an unsafe target
|
|
|
|
isn't a problem either.
|
|
|
|
|
|
|
|
However, if a developer relies on ``is_safe_url()`` to
|
|
|
|
provide safe redirect targets and puts such a URL into a link, they could
|
|
|
|
suffer from an XSS attack as some browsers such as Google Chrome ignore control
|
|
|
|
characters at the start of a URL in an anchor ``href``.
|