"Fossies" - the Fresh Open Source Software Archive

Member "Django-1.11.25/docs/releases/1.5.9.txt" (1 Oct 2019, 3190 Bytes) of package /linux/www/Django-1.11.25.tar.gz:


As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file.

    1 ==========================
    2 Django 1.5.9 release notes
    3 ==========================
    4 
    5 *August 20, 2014*
    6 
    7 Django 1.5.9 fixes several security issues in 1.5.8.
    8 
    9 ``reverse()`` could generate URLs pointing to other hosts
   10 =========================================================
   11 
   12 In certain situations, URL reversing could generate scheme-relative URLs  (URLs
   13 starting with two slashes), which could unexpectedly redirect a user  to a
   14 different host. An attacker could exploit this, for example, by redirecting
   15 users to a phishing site designed to ask for user's passwords.
   16 
   17 To remedy this, URL reversing now ensures that no URL starts with two slashes
   18 (//), replacing the second slash with its URL encoded counterpart (%2F). This
   19 approach ensures that semantics stay the same, while making the URL relative to
   20 the domain and not to the scheme.
   21 
   22 File upload denial-of-service
   23 =============================
   24 
   25 Before this release, Django's file upload handing in its default configuration
   26 may degrade to producing a huge number of ``os.stat()`` system calls when a
   27 duplicate filename is uploaded. Since ``stat()`` may invoke IO, this may produce
   28 a huge data-dependent slowdown that slowly worsens over time. The net result is
   29 that given enough time, a user with the ability to upload files can cause poor
   30 performance in the upload handler, eventually causing it to become very slow
   31 simply by uploading 0-byte files. At this point, even a slow network connection
   32 and few HTTP requests would be all that is necessary to make a site unavailable.
   33 
   34 We've remedied the issue by changing the algorithm for generating file names
   35 if a file with the uploaded name already exists.
   36 :meth:`Storage.get_available_name()
   37 <django.core.files.storage.Storage.get_available_name>` now appends an
   38 underscore plus a random 7 character alphanumeric string (e.g. ``"_x3a1gho"``),
   39 rather than iterating through an underscore followed by a number (e.g. ``"_1"``,
   40 ``"_2"``, etc.).
   41 
   42 ``RemoteUserMiddleware`` session hijacking
   43 ==========================================
   44 
   45 When using the :class:`~django.contrib.auth.middleware.RemoteUserMiddleware`
   46 and the ``RemoteUserBackend``, a change to the ``REMOTE_USER`` header between
   47 requests without an intervening logout could result in the prior user's session
   48 being co-opted by the subsequent user. The middleware now logs the user out on
   49 a failed login attempt.
   50 
   51 Data leakage via query string manipulation in ``contrib.admin``
   52 ===============================================================
   53 
   54 In older versions of Django it was possible to reveal any field's data by
   55 modifying the "popup" and "to_field" parameters of the query string on an admin
   56 change form page. For example, requesting a URL like
   57 ``/admin/auth/user/?pop=1&t=password`` and viewing the page's HTML allowed
   58 viewing the password hash of each user. While the admin requires users to have
   59 permissions to view the change form pages in the first place, this could leak
   60 data if you rely on users having access to view only certain fields on a model.
   61 
   62 To address the issue, an exception will now be raised if a ``to_field`` value
   63 that isn't a related field to a model that has been registered with the admin
   64 is specified.