1. ==========================

  2. Django 1.3.6 release notes

  3. ==========================

  4. 

  5. *February 19, 2013*

  6. 

  7. Django 1.3.6 fixes four security issues present in previous Django releases in

  8. the 1.3 series.

  9. 

  10. This is the sixth bugfix/security release in the Django 1.3 series.

  11. 

  12. 

  13. Host header poisoning

  14. =====================

  15. 

  16. Some parts of Django -- independent of end-user-written applications -- make

  17. use of full URLs, including domain name, which are generated from the HTTP Host

  18. header. Django's documentation has for some time contained notes advising users

  19. on how to configure web servers to ensure that only valid Host headers can reach

  20. the Django application. However, it has been reported to us that even with the

  21. recommended web server configurations there are still techniques available for

  22. tricking many common web servers into supplying the application with an

  23. incorrect and possibly malicious Host header.

  24. 

  25. For this reason, Django 1.3.6 adds a new setting, ``ALLOWED_HOSTS``, which

  26. should contain an explicit list of valid host/domain names for this site. A

  27. request with a Host header not matching an entry in this list will raise

  28. ``SuspiciousOperation`` if ``request.get_host()`` is called. For full details

  29. see the documentation for the :setting:`ALLOWED_HOSTS` setting.

  30. 

  31. The default value for this setting in Django 1.3.6 is ``['*']`` (matching any

  32. host), for backwards-compatibility, but we strongly encourage all sites to set

  33. a more restrictive value.

  34. 

  35. This host validation is disabled when ``DEBUG`` is ``True`` or when running tests.

  36. 

  37. 

  38. XML deserialization

  39. ===================

  40. 

  41. The XML parser in the Python standard library is vulnerable to a number of

  42. attacks via external entities and entity expansion. Django uses this parser for

  43. deserializing XML-formatted database fixtures. The fixture deserializer is not

  44. intended for use with untrusted data, but in order to err on the side of safety

  45. in Django 1.3.6 the XML deserializer refuses to parse an XML document with a

  46. DTD (DOCTYPE definition), which closes off these attack avenues.

  47. 

  48. These issues in the Python standard library are CVE-2013-1664 and

  49. CVE-2013-1665. More information available `from the Python security team`_.

  50. 

  51. Django's XML serializer does not create documents with a DTD, so this should

  52. not cause any issues with the typical round-trip from ``dumpdata`` to

  53. ``loaddata``, but if you feed your own XML documents to the ``loaddata``

  54. management command, you will need to ensure they do not contain a DTD.

  55. 

  56. .. _from the Python security team: https://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html

  57. 

  58. 

  59. Formset memory exhaustion

  60. =========================

  61. 

  62. Previous versions of Django did not validate or limit the form-count data

  63. provided by the client in a formset's management form, making it possible to

  64. exhaust a server's available memory by forcing it to create very large numbers

  65. of forms.

  66. 

  67. In Django 1.3.6, all formsets have a strictly-enforced maximum number of forms

  68. (1000 by default, though it can be set higher via the ``max_num`` formset

  69. factory argument).

  70. 

  71. 

  72. Admin history view information leakage

  73. ======================================

  74. 

  75. In previous versions of Django, an admin user without change permission on a

  76. model could still view the Unicode representation of instances via their admin

  77. history log. Django 1.3.6 now limits the admin history log view for an object

  78. to users with change permission for that model.
About Sign Up Leave Feedback Contact