============================
Django 1.11.15 release notes
============================

*August 1, 2018*

Django 1.11.15 fixes a security issue in 1.11.14.

CVE-2018-14574: Open redirect possibility in ``CommonMiddleware``
=================================================================

If the :class:`~django.middleware.common.CommonMiddleware` and the
:setting:`APPEND_SLASH` setting are both enabled, and if the project has a
URL pattern that accepts any path ending in a slash (many content management
systems have such a pattern), then a request to a maliciously crafted URL of
that site could lead to a redirect to another site, enabling phishing and other
attacks.

``CommonMiddleware`` now escapes leading slashes to prevent redirects to other
domains.
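The following is an added, self-contained illustration of the issue and of the
mitigation described above; it is not Django's code and does not import Django.
It models the ``APPEND_SLASH`` redirect in a few lines, shows why a path that
begins with two slashes is read by URL parsers (and browsers) as pointing at a
different host, and applies the leading-slash escaping the fix describes. The
function names, the ``escape`` flag and the host ``other-site.example`` are
assumptions made for this example.

```python
from urllib.parse import urlsplit


def escape_leading_slashes(path):
    """Escape the second of two leading slashes so that the path can no longer
    be read as a scheme-relative URL ("//host/...") naming another host.

    This follows the mitigation the release notes describe; it is an assumed
    reconstruction for illustration, not Django's own implementation.
    """
    if path.startswith("//"):
        return "/%2F" + path[2:]
    return path


def append_slash_redirect_target(path, escape=True):
    """Simplified model of the APPEND_SLASH behaviour (example, not Django):
    a request path without a trailing slash is redirected to the same path
    with a slash appended.

    escape=False reproduces the pre-fix behaviour; escape=True applies the
    leading-slash escaping that the fixed CommonMiddleware performs.
    Returns None when no redirect is needed.
    """
    if path.endswith("/"):
        return None
    target = path + "/"
    return escape_leading_slashes(target) if escape else target


def is_same_origin_redirect(location):
    """Defensive check on a Location value that is meant to be a relative
    path: once parsed it must carry neither a scheme nor a network location.
    "//other-site.example/" parses with netloc="other-site.example", which is
    exactly how a browser would treat it."""
    parts = urlsplit(location)
    return parts.scheme == "" and parts.netloc == ""


if __name__ == "__main__":
    # Constructed sample request paths.
    for request_path in ["/blog/post", "/blog/post/", "//other-site.example"]:
        before = append_slash_redirect_target(request_path, escape=False)
        after = append_slash_redirect_target(request_path, escape=True)
        print(f"{request_path!r}: unescaped -> {before!r} "
              f"(same origin: {is_same_origin_redirect(before or '/')}), "
              f"escaped -> {after!r} "
              f"(same origin: {is_same_origin_redirect(after or '/')})")
```

The same-origin check is the property a reviewer would want asserted on any
redirect the middleware emits: with the unescaped target the parser reports a
network location, with the escaped target it does not, while ordinary paths
such as ``/blog/post`` are redirected unchanged.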