|
| 1 | +========================== |
| 2 | +Django 1.4.13 release notes |
| 3 | +========================== |
| 4 | + |
| 5 | +*May 13, 2014* |
| 6 | + |
| 7 | +Django 1.4.13 fixes two security issues in 1.4.12. |
| 8 | + |
| 9 | + |
| 10 | +Caches may incorrectly be allowed to store and serve private data |
| 11 | +================================================================= |
| 12 | +In certain situations, Django may allow caches to store private data |
| 13 | +related to a particular session and then serve that data to requests |
| 14 | +with a different session, or no session at all. This can both lead to |
| 15 | +information disclosure, and can be a vector for cache poisoning. |
| 16 | + |
| 17 | +When using Django sessions, Django will set a ``Vary: Cookie`` header to |
| 18 | +ensure caches do not serve cached data to requests from other sessions. |
| 19 | +However, older versions of Internet Explorer (most likely only Internet |
| 20 | +Explorer 6, and Internet Explorer 7 if run on Windows XP or Windows Server |
| 21 | +2003) are unable to handle the ``Vary`` header in combination with many content |
| 22 | +types. Therefore, Django would remove the header if the request was made by |
| 23 | +Internet Explorer. |
| 24 | + |
| 25 | +To remedy this, the special behaviour for these older Internet Explorer versions |
| 26 | +has been removed, and the ``Vary`` header is no longer stripped from the response. |
| 27 | +In addition, modifications to the ``Cache-Control`` header for all Internet Explorer |
| 28 | +requests with a ``Content-Disposition`` header, have also been removed as they |
| 29 | +were found to have similar issues. |
| 30 | + |
| 31 | + |
| 32 | +Malformed redirect URLs from user input not correctly validated |
| 33 | +=============================================================== |
| 34 | +The validation for redirects did not correctly validate some malformed URLs, |
| 35 | +which are accepted by some browsers. This allows a user to be redirected to |
| 36 | +an unsafe URL unexpectedly. |
| 37 | + |
| 38 | +Django relies on user input in some cases (e.g. |
| 39 | +:func:`django.contrib.auth.views.login`, ``django.contrib.comments``, and |
| 40 | +:doc:`i18n </topics/i18n/index>`) to redirect the user to an "on success" URL. |
| 41 | +The security checks for these redirects (namely |
| 42 | +``django.util.http.is_safe_url()``) did not correctly validate some malformed |
| 43 | +URLs, such as `http:\\\\\\djangoproject.com`, which are accepted by some browsers |
| 44 | +with more liberal URL parsing. |
| 45 | + |
| 46 | +To remedy this, the validation in ``is_safe_url()`` has been tightened to be able |
| 47 | +to handle and correctly validate these malformed URLs. |
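Review bot: the function reference on line 42 of the hunk names the wrong module: ``django.util.http.is_safe_url()`` should be ``django.utils.http.is_safe_url()`` (the package is ``django.utils``), otherwise readers following the release note to the code will not find it. Two smaller points in the same hunk: the example URL on line 43 is wrapped in single backticks (`http:\\\\\\djangoproject.com`) while every other literal in the file uses double backticks, so it will be rendered as interpreted text rather than a literal and should be changed to ``http:\\\\\\djangoproject.com``; and the sentence on lines 27-29 has a stray comma before "have also been removed" and a number mismatch (the subject is "modifications", so "have" is fine once the comma is dropped). Also worth double-checking that the title overline/underline on lines 1 and 3 is at least as long as "Django 1.4.13 release notes" (27 characters), since Sphinx emits a "Title underline too short" warning otherwise.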