"Fossies" - the Fresh Open Source Software Archive

Member "Django-1.11.25/docs/releases/1.4.11.txt" (1 Oct 2019, 4831 Bytes) of package /linux/www/Django-1.11.25.tar.gz:



===========================
Django 1.4.11 release notes
===========================

*April 21, 2014*

Django 1.4.11 fixes three security issues in 1.4.10. Additionally,
Django's vendored version of six, :mod:`django.utils.six`, has been
upgraded to the latest release (1.6.1).

Unexpected code execution using ``reverse()``
=============================================

Django's URL handling is based on a mapping of regex patterns
(representing the URLs) to callable views, and Django's own processing
consists of matching a requested URL against those patterns to
determine the appropriate view to invoke.

Django also provides a convenience function -- ``reverse()`` -- which performs
this process in the opposite direction. The ``reverse()`` function takes
information about a view and returns a URL which would invoke that view. Use
of ``reverse()`` is encouraged for application developers, as the output of
``reverse()`` is always based on the current URL patterns, meaning developers
do not need to change other code when making changes to URLs.

One argument signature for ``reverse()`` is to pass a dotted Python
path to the desired view. In this situation, Django will import the
module indicated by that dotted path as part of generating the
resulting URL. If such a module has import-time side effects, those
side effects will occur.

Thus it is possible for an attacker to cause unexpected code
execution, given the following conditions:

1. One or more views are present which construct a URL based on user
   input (commonly, a "next" parameter in a querystring indicating
   where to redirect upon successful completion of an action).

2. One or more modules are known to an attacker to exist on the
   server's Python import path, which perform code execution with side
   effects on importing.

To remedy this, ``reverse()`` will now only accept and import dotted
paths based on the view-containing modules listed in the project's :doc:`URL
pattern configuration </topics/http/urls>`, so as to ensure that only modules
the developer intended to be imported in this fashion can or will be imported.
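The allowlist described above, as an added illustration (not Django's own implementation): a dotted view path is only imported when its module is one the URLconf itself references. ``URLPATTERNS``, the in-memory ``shop.views`` module and ``redirect_target`` are constructed for the example.

```python
import importlib
import sys
import types

# Constructed stand-in for a project's URLconf: (regex, dotted view path).
# In a real project these are the url() entries in urls.py.
URLPATTERNS = [
    (r"^$", "shop.views.index"),
    (r"^checkout/$", "shop.views.checkout"),
]


def _register_fake_module(name, **attrs):
    """Put an in-memory module on sys.modules so the example runs offline."""
    mod = types.ModuleType(name)
    mod.__dict__.update(attrs)
    sys.modules[name] = mod
    return mod


_register_fake_module("shop")
_register_fake_module("shop.views",
                      index=lambda request: "index",
                      checkout=lambda request: "checkout")


def view_modules(urlpatterns):
    """Modules the developer actually referenced in the URLconf: the import allowlist."""
    return {dotted.rpartition(".")[0] for _, dotted in urlpatterns}


def import_view(dotted_path, urlpatterns=URLPATTERNS):
    """Resolve a dotted view path the way the 1.4.11 fix does: refuse to import
    any module that is not already a view-containing module in the URLconf.
    Before the fix the module was imported unconditionally, so a user-supplied
    path could trigger the import-time side effects of any importable module."""
    module_path, _, attr = dotted_path.rpartition(".")
    if module_path not in view_modules(urlpatterns):
        raise ValueError("refusing to import %r: not a view module in the URLconf" % module_path)
    module = importlib.import_module(module_path)
    return getattr(module, attr)


def redirect_target(next_param):
    """Turn a user-supplied 'next' value into a view callable, or None when it
    is not an allowed dotted path (the caller then falls back to a fixed URL)."""
    try:
        return import_view(next_param)
    except (ValueError, AttributeError):
        return None
```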

Caching of anonymous pages could reveal CSRF token
==================================================

Django includes both a :doc:`caching framework </topics/cache>` and a system
for :doc:`preventing cross-site request forgery (CSRF) attacks
</ref/csrf/>`. The CSRF-protection system is based on a random nonce
sent to the client in a cookie which must be sent by the client on future
requests and, in forms, a hidden value which must be submitted back with the
form.

The caching framework includes an option to cache responses to
anonymous (i.e., unauthenticated) clients.

When the first anonymous request to a given page is by a client which
did not have a CSRF cookie, the cache framework will also cache the
CSRF cookie and serve the same nonce to other anonymous clients who
do not have a CSRF cookie. This can allow an attacker to obtain a
valid CSRF cookie value and perform attacks which bypass the check for
the cookie.

To remedy this, the caching framework will no longer cache such
responses. The heuristic for this will be:

1. If the incoming request did not submit any cookies, and

2. If the response did send one or more cookies, and

3. If the ``Vary: Cookie`` header is set on the response, then the
   response will not be cached.
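The three-part heuristic above, as an added simulation (not Django's cache middleware): two cookie-less clients request the same page through a per-URL cache, once with the pre-fix "always cache" rule and once with the 1.4.11 rule. ``Request``, ``Response``, ``csrf_protected_view`` and ``CacheMiddleware`` are constructed minimal stand-ins.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Request:            # constructed minimal stand-ins for Django's objects
    path: str
    cookies: dict = field(default_factory=dict)

@dataclass
class Response:
    body: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)

def response_is_cacheable(request, response):
    """The 1.4.11 heuristic: a response that set cookies for a client that sent
    none, and that declares Vary: Cookie, must not be stored for other clients."""
    vary = {v.strip().lower() for v in response.headers.get("Vary", "").split(",")}
    if not request.cookies and response.cookies and "cookie" in vary:
        return False
    return True

def always_cacheable(request, response):
    """Pre-fix behaviour: anonymous responses were stored regardless of cookies."""
    return True

def csrf_protected_view(request):
    """A page that hands out a fresh CSRF nonce to any client lacking the cookie."""
    resp = Response(body="<form>...</form>", headers={"Vary": "Cookie"})
    if "csrftoken" not in request.cookies:
        resp.cookies["csrftoken"] = secrets.token_hex(16)
    return resp

class CacheMiddleware:
    """Per-URL cache for anonymous responses, parameterised by the cacheability rule."""
    def __init__(self, view, cacheable=response_is_cacheable):
        self.view, self.cacheable, self.store = view, cacheable, {}

    def __call__(self, request):
        if request.path in self.store:
            return self.store[request.path]          # replays the stored Set-Cookie too
        resp = self.view(request)
        if self.cacheable(request, resp):
            self.store[request.path] = resp
        return resp

def nonces_for_two_anonymous_clients(cacheable):
    """Serve the page to two cookie-less clients and report the nonce each received."""
    app = CacheMiddleware(csrf_protected_view, cacheable)
    return [app(Request("/form/")).cookies["csrftoken"] for _ in range(2)]
```

With the pre-fix rule both clients receive the same nonce; with the 1.4.11 rule the first response is not stored and each client gets its own.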

MySQL typecasting
=================

The MySQL database is known to "typecast" on certain queries; for
example, when querying a table which contains string values, but using
a query which filters based on an integer value, MySQL will first
silently coerce the strings to integers and return a result based on that.

If a query is performed without first converting values to the
appropriate type, this can produce unexpected results, similar to what
would occur if the query itself had been manipulated.

Django's model field classes are aware of their own types and most
such classes perform explicit conversion of query arguments to the
correct database-level type before querying. However, three model
field classes did not correctly convert their arguments:

* :class:`~django.db.models.FilePathField`
* :class:`~django.db.models.GenericIPAddressField`
* ``IPAddressField``

These three fields have been updated to convert their arguments to the
correct types before querying.

Additionally, developers of custom model fields are now warned via
documentation to ensure their custom field classes will perform
appropriate type conversions, and users of the :meth:`raw()
<django.db.models.query.QuerySet.raw>` and :meth:`extra()
<django.db.models.query.QuerySet.extra>` query methods -- which allow the
developer to supply raw SQL or SQL fragments -- will be advised to ensure they
perform appropriate manual type conversions prior to executing queries.
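An added illustration of the typecasting problem and the field-level fix (not Django's code): ``mysql_equals`` is a constructed approximation of how MySQL compares a string column with a numeric parameter, ``ROWS`` is a constructed sample table, and the ``GenericIPAddressField`` here only models the ``get_prep_value`` conversion that 1.4.11 added.

```python
import re

# Constructed sample table backing a model with a GenericIPAddressField.
ROWS = [
    {"id": 1, "ip": "10.0.0.5"},
    {"id": 2, "ip": "fe80::1"},
    {"id": 3, "ip": "192.168.1.1"},
]

_NUMERIC_PREFIX = re.compile(r"\s*[-+]?\d+(\.\d+)?")

def mysql_equals(column_value, param):
    """Approximation (assumption) of MySQL's rule for `string_column = param`:
    when param is a number, the string is coerced to its leading numeric
    prefix (0 when it has none) and the two numbers are compared."""
    if not isinstance(param, (int, float)):
        return column_value == param
    m = _NUMERIC_PREFIX.match(column_value)
    return (float(m.group()) if m else 0.0) == float(param)

def raw_filter(rows, column, param):
    """WHERE column = %s with the parameter passed through unconverted,
    as the three affected fields did before 1.4.11."""
    return [row["id"] for row in rows if mysql_equals(row[column], param)]

class GenericIPAddressField:
    """Lookup-argument preparation as of 1.4.11: the value is turned into a
    string before it reaches the database, so MySQL compares text with text
    instead of coercing every stored address to a number."""
    def get_prep_value(self, value):
        if value is None:
            return None
        return str(value)

def filter_by_ip(rows, value, field=GenericIPAddressField()):
    """The ORM path: the field converts the argument, then the query runs."""
    return raw_filter(rows, "ip", field.get_prep_value(value))
```

Passing the integer ``0`` straight through matches every address with no numeric prefix (the IPv6 row here), whereas the converted lookup matches only a literal ``"0"``.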