Member "Django-1.11.25/docs/releases/1.4.13.txt" (1 Oct 2019, 2274 Bytes) of package /linux/www/Django-1.11.25.tar.gz:
===========================
Django 1.4.13 release notes
===========================

*May 14, 2014*

Django 1.4.13 fixes two security issues in 1.4.12.

Caches may incorrectly be allowed to store and serve private data
=================================================================

In certain situations, Django may allow caches to store private data
related to a particular session and then serve that data to requests
with a different session, or no session at all. This can lead to
information disclosure and can be a vector for cache poisoning.

When using Django sessions, Django will set a ``Vary: Cookie`` header to
ensure caches do not serve cached data to requests from other sessions.
However, older versions of Internet Explorer (most likely only Internet
Explorer 6, and Internet Explorer 7 if run on Windows XP or Windows Server
2003) are unable to handle the ``Vary`` header in combination with many content
types. Therefore, Django would remove the header if the request was made by
Internet Explorer.

To remedy this, the special behavior for these older Internet Explorer versions
has been removed, and the ``Vary`` header is no longer stripped from the response.
In addition, modifications to the ``Cache-Control`` header for all Internet Explorer
requests with a ``Content-Disposition`` header have also been removed as they
were found to have similar issues.

Malformed redirect URLs from user input not correctly validated
===============================================================

The validation for redirects did not correctly validate some malformed URLs,
which are accepted by some browsers. This allows a user to be redirected to
an unsafe URL unexpectedly.

Django relies on user input in some cases (e.g.
:func:`django.contrib.auth.views.login`, ``django.contrib.comments``, and
:doc:`i18n </topics/i18n/index>`) to redirect the user to an "on success" URL.
The security checks for these redirects (namely
``django.utils.http.is_safe_url()``) did not correctly validate some malformed
URLs, such as `http:\\\\\\djangoproject.com`, which are accepted by some browsers
with more liberal URL parsing.

To remedy this, the validation in ``is_safe_url()`` has been tightened to be able
to handle and correctly validate these malformed URLs.
   41 The security checks for these redirects (namely
   42 ``django.utils.http.is_safe_url()``) did not correctly validate some malformed
   43 URLs, such as `http:\\\\\\djangoproject.com`, which are accepted by some browsers
   44 with more liberal URL parsing.
   45 
   46 To remedy this, the validation in ``is_safe_url()`` has been tightened to be able
   47 to handle and correctly validate these malformed URLs.