Member "Django-1.11.25/docs/releases/1.4.13.txt" (1 Oct 2019, 2274 Bytes) of package /linux/www/Django-1.11.25.tar.gz:
===========================
Django 1.4.13 release notes
===========================

*May 14, 2014*

Django 1.4.13 fixes two security issues in 1.4.12.
Caches may incorrectly be allowed to store and serve private data
=================================================================

In certain situations, Django may allow caches to store private data
related to a particular session and then serve that data to requests
with a different session, or no session at all. This can lead to
information disclosure and can be a vector for cache poisoning.

When using Django sessions, Django will set a ``Vary: Cookie`` header to
ensure caches do not serve cached data to requests from other sessions.
However, older versions of Internet Explorer (most likely only Internet
Explorer 6, and Internet Explorer 7 if run on Windows XP or Windows Server
2003) are unable to handle the ``Vary`` header in combination with many content
types. Therefore, Django would remove the header if the request was made by
Internet Explorer. Without ``Vary: Cookie``, a cache in front of Django (or
Django's own cache middleware) keys the response on the URL alone, so a page
generated for one session can be stored and then handed to any later request
for the same URL.

To remedy this, the special behavior for these older Internet Explorer versions
has been removed, and the ``Vary`` header is no longer stripped from the response.
In addition, modifications to the ``Cache-Control`` header for all Internet Explorer
requests with a ``Content-Disposition`` header have also been removed as they
were found to have similar issues.
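The following is an added example, not Django's own code, modelling why a shared cache must see ``Vary: Cookie``. It builds a minimal Vary-honouring cache, a model of the removed Internet Explorer special case, and two constructed users (Alice and Bob) with different session cookies and the same IE 6 user agent. The cache, the header dicts, the page body and the ``IE6_UA`` string are all constructed here; the legacy fix-up strips ``Vary`` for every IE request, a simplification of the content-type list Django actually consulted.

```python
"""Added example (not Django's code): how stripping Vary: Cookie lets a
shared cache hand one session's page to another session."""
import hashlib


def vary_aware_key(method, url, request_headers, vary):
    """Cache key from method + URL + the value of every request header
    named in the response's Vary, i.e. how a Vary-honouring cache behaves.
    An empty Vary collapses to method + URL only."""
    parts = [method.upper(), url]
    for name in sorted(h.strip().lower() for h in vary.split(",") if h.strip()):
        parts.append(name + "=" + request_headers.get(name, ""))
    return hashlib.sha256("\x00".join(parts).encode()).hexdigest()


class SharedCache:
    """Minimal model of a downstream HTTP cache shared by all users."""

    def __init__(self):
        self._vary = {}     # url -> Vary header learned from the stored response
        self._entries = {}  # vary_aware_key -> cached response

    def store(self, method, url, request_headers, response):
        vary = response["headers"].get("vary", "")
        self._vary[url] = vary
        self._entries[vary_aware_key(method, url, request_headers, vary)] = response

    def lookup(self, method, url, request_headers):
        if url not in self._vary:
            return None
        key = vary_aware_key(method, url, request_headers, self._vary[url])
        return self._entries.get(key)


def fix_vary_for_ie_legacy(request_headers, response):
    """Model of the behaviour 1.4.13 removed: drop Vary when the client is
    Internet Explorer. Simplification: Django only kept Vary for a short
    list of content types; here it is dropped for every IE request."""
    if "MSIE" in request_headers.get("user-agent", ""):
        response["headers"].pop("vary", None)
    return response


# Constructed user agent string for an IE 6 client.
IE6_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


def simulate(apply_ie_fixup):
    """Alice loads her account page through the shared cache; Bob, with a
    different session cookie and the same browser, then requests the same
    URL. Returns the body Bob gets from the cache, or None on a cache miss."""
    cache = SharedCache()
    alice = {"cookie": "sessionid=alice-session", "user-agent": IE6_UA}
    bob = {"cookie": "sessionid=bob-session", "user-agent": IE6_UA}
    # A session-dependent page, as Django emits it: Vary: Cookie is set.
    page = {"headers": {"vary": "Cookie", "content-type": "text/html"},
            "body": "Account of alice: balance 4200"}
    if apply_ie_fixup:
        page = fix_vary_for_ie_legacy(alice, page)
    cache.store("GET", "/account/", alice, page)
    hit = cache.lookup("GET", "/account/", bob)
    return hit["body"] if hit else None


if __name__ == "__main__":
    print("Vary stripped (pre-1.4.13 IE path):", simulate(True))
    print("Vary kept (1.4.13 behaviour):", simulate(False))
```

With the header stripped, Bob's request hashes to the same key as Alice's and he receives her page; with ``Vary: Cookie`` intact, the key includes the Cookie value and Bob misses. The same collision is what lets an attacker with an IE user agent seed the cache with a page from their own session (poisoning) as well as read another user's.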
Malformed redirect URLs from user input not correctly validated
===============================================================

The validation for redirects did not correctly validate some malformed URLs,
which are accepted by some browsers. This allows a user to be redirected to
an unsafe URL unexpectedly.

Django relies on user input in some cases (e.g.
:func:`django.contrib.auth.views.login`, ``django.contrib.comments``, and
:doc:`i18n </topics/i18n/index>`) to redirect the user to an "on success" URL.
The security checks for these redirects (namely
``django.utils.http.is_safe_url()``) did not correctly validate some malformed
URLs, such as ``http:\\\\\\djangoproject.com``, which are accepted by some browsers
with more liberal URL parsing. The check is meant to confine the redirect to the
current host; a URL that Python's URL parser reads as a relative path, but a
browser reads as an absolute URL to another host, passes the check and sends the
user off-site.

To remedy this, the validation in ``is_safe_url()`` has been tightened to be able
to handle and correctly validate these malformed URLs.
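The following is an added example, not Django's own code, showing the parser mismatch behind this fix. ``is_safe_url_naive`` is a hypothetical reconstruction of a check that trusts ``urllib.parse.urlparse`` as-is (it is not the pre-1.4.13 source); ``is_safe_url_tightened`` applies the same host/scheme policy after normalising the forms lenient browsers accept. The host ``example.com`` and the ``CASES`` inputs are constructed; the first case is the backslash form quoted in the notes, and the example goes beyond it to the other shapes with the same root cause (protocol-relative backslashes, three leading slashes, scheme with empty host).

```python
"""Added example (not Django's code): naive vs tightened open-redirect check."""
from urllib.parse import urlparse

ALLOWED_SCHEMES = ("http", "https")


def is_safe_url_naive(url, host=None):
    """Accept a URL with no netloc (taken as relative) or netloc == host,
    and with no scheme or an http(s) scheme. Flawed: for a URL whose "//"
    is written with backslashes, urlparse returns scheme "http" and an
    empty netloc, so the URL is judged relative and accepted."""
    if not url:
        return False
    info = urlparse(url)
    return (not info.netloc or info.netloc == host) and (
        not info.scheme or info.scheme in ALLOWED_SCHEMES)


def is_safe_url_tightened(url, host=None):
    """Same policy, but first make the URL look to urlparse the way it looks
    to a lenient browser, and refuse shapes urlparse cannot represent."""
    if not url:
        return False
    # Browsers treat a backslash exactly like a slash; urlparse does not.
    url = url.replace("\\", "/")
    # Browsers read three or more leading slashes as an absolute URL whose
    # host is the next component; urlparse yields an empty netloc instead.
    if url.startswith("///"):
        return False
    info = urlparse(url)
    # A scheme with no host (http:///evil.example) is read by browsers as
    # host evil.example; refuse it rather than treat it as relative.
    if info.scheme and not info.netloc:
        return False
    return (not info.netloc or info.netloc == host) and (
        not info.scheme or info.scheme in ALLOWED_SCHEMES)


# Constructed inputs. Raw strings keep the backslashes literal.
CASES = [
    r"http:\\\\\\djangoproject.com",  # the form quoted in the notes
    r"\\evil.example",                # protocol-relative with backslashes
    "///evil.example",                # extra slash hides the host from urlparse
    "http:///evil.example",           # scheme present, netloc empty
    "//evil.example",                 # well-formed external URL: both reject
    "/accounts/profile/",             # genuine relative path: both accept
    "https://example.com/accounts/",  # same host: both accept
]


def compare(host="example.com"):
    """Return {url: (naive_verdict, tightened_verdict)} for every case."""
    return {u: (is_safe_url_naive(u, host), is_safe_url_tightened(u, host))
            for u in CASES}


if __name__ == "__main__":
    for url, (naive, tight) in compare().items():
        print(f"{url!r:38} naive={naive!s:5} tightened={tight}")
```

Running it shows the naive check accepting the first four cases, each of which a lenient browser resolves to another host, while the tightened check rejects them and still accepts the two legitimate redirects. The general lesson is that a redirect validator must parse the way the consumer (the browser) parses, not the way the server-side library does.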