==========================
Django 1.3.4 release notes
==========================

*October 17, 2012*

This is the fourth release in the Django 1.3 series.

Host header poisoning
=====================

Some parts of Django -- independent of end-user-written applications -- make
use of full URLs, including domain name, which are generated from the HTTP Host
header. Some attacks against this are beyond Django's ability to control, and
require the web server to be properly configured; Django's documentation has
for some time contained notes advising users on such configuration.

Django's own built-in parsing of the Host header is, however, still vulnerable,
as was reported to us recently. The Host header parsing in Django 1.3.3 and
Django 1.4.1 -- specifically, ``django.http.HttpRequest.get_host()`` -- was
incorrectly handling username/password information in the header. Thus, for
example, the following Host header would be accepted by Django when running on
``validsite.com``::

    Host: validsite.com:random@evilsite.com

Using this, an attacker can cause parts of Django -- particularly the
password-reset mechanism -- to generate and display arbitrary URLs to users.

To remedy this, the parsing in ``HttpRequest.get_host()`` is being modified;
Host headers which contain potentially dangerous content (such as
username/password pairs) now raise the exception
:exc:`django.core.exceptions.SuspiciousOperation`.

Details of this issue were initially posted online as a `security advisory`_.

.. _security advisory: https://www.djangoproject.com/weblog/2012/oct/17/security/
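The following is an added example and not Django's own code: a strict Host header validator in the spirit of the fix described above, placed next to the pre-fix behaviour so that the failure mode is visible. ``urlsplit`` shows which host a browser would actually contact when the unvalidated header is pasted into a password-reset URL; the validator rejects the same header before any URL is built. ``SuspiciousOperation`` here is a stand-in for ``django.core.exceptions.SuspiciousOperation``, and ``get_host``, ``_HOST_RE``, ``allowed_hosts`` and the sample path are names and values chosen for this illustration.

```python
import re
from urllib.parse import urlsplit


class SuspiciousOperation(Exception):
    """Stand-in for django.core.exceptions.SuspiciousOperation (assumption)."""


# Accept a DNS name, an IPv4 literal or a bracketed IPv6 literal, optionally
# followed by a numeric port. Anything else -- '@', '/', '?', '#', spaces --
# is rejected, which is what closes the userinfo trick from the release notes.
_HOST_RE = re.compile(
    r"^(?P<host>[A-Za-z0-9.\-]+|\[[0-9A-Fa-f:.]+\])(?P<port>:\d+)?$"
)


def unchecked_absolute_url(host_header, path="/reset/<token>/"):
    """Pre-fix style: the raw header is dropped straight into an absolute URL.

    This mirrors the defect the notes describe; nothing about the header is
    checked. Used here only to show where the generated link really points.
    """
    return "https://%s%s" % (host_header, path)


def url_target_host(url):
    """Host a client would connect to for ``url``; userinfo before '@' is ignored."""
    return urlsplit(url).hostname


def get_host(host_header, allowed_hosts):
    """Validate a raw Host header and return 'host' or 'host:port'.

    Raises SuspiciousOperation both for malformed headers (such as ones that
    smuggle username/password information) and for hosts that are not in
    ``allowed_hosts`` (constructed allow-list, lower-case, no trailing dot).
    """
    m = _HOST_RE.match(host_header.strip())
    if not m:
        raise SuspiciousOperation("Invalid HTTP_HOST header: %r" % host_header)
    host = m.group("host").lower().rstrip(".")
    if host not in allowed_hosts:
        raise SuspiciousOperation("Host %r is not allowed" % host)
    return host + (m.group("port") or "")


def checked_absolute_url(host_header, allowed_hosts, path="/reset/<token>/"):
    """Post-fix style: build the URL only from a validated host."""
    return "https://%s%s" % (get_host(host_header, allowed_hosts), path)


if __name__ == "__main__":
    # Constructed inputs: the header from the release notes and a benign one.
    poisoned = "validsite.com:random@evilsite.com"
    benign = "validsite.com:8000"
    allowed = {"validsite.com"}

    print(url_target_host(unchecked_absolute_url(poisoned)))  # evilsite.com
    print(checked_absolute_url(benign, allowed))
    try:
        checked_absolute_url(poisoned, allowed)
    except SuspiciousOperation as exc:
        print("rejected:", exc)
```

The pre-fix function is kept deliberately small: the point is that a URL assembled from the unvalidated header parses with ``validsite.com:random`` as userinfo and ``evilsite.com`` as the real host, so a reset link that looks like it belongs to the site leads elsewhere. Validating the header against a fixed grammar and an allow-list, before it ever reaches URL construction, removes that class of input entirely.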