1. ===========================

  2. Django 1.4.11 release notes

  3. ===========================

  4. 

  5. *April 21, 2014*

  6. 

  7. Django 1.4.11 fixes three security issues in 1.4.10. Additionally,

  8. Django's vendored version of six, ``django.utils.six``, has been

  9. upgraded to the latest release (1.6.1).

  10. 

  11. Unexpected code execution using ``reverse()``

  12. =============================================

  13. 

  14. Django's URL handling is based on a mapping of regex patterns

  15. (representing the URLs) to callable views, and Django's own processing

  16. consists of matching a requested URL against those patterns to

  17. determine the appropriate view to invoke.

  18. 

  19. Django also provides a convenience function -- ``reverse()`` -- which performs

  20. this process in the opposite direction. The ``reverse()`` function takes

  21. information about a view and returns a URL which would invoke that view. Use

  22. of ``reverse()`` is encouraged for application developers, as the output of

  23. ``reverse()`` is always based on the current URL patterns, meaning developers

  24. do not need to change other code when making changes to URLs.

  25. 

  26. One argument signature for ``reverse()`` is to pass a dotted Python

  27. path to the desired view. In this situation, Django will import the

  28. module indicated by that dotted path as part of generating the

  29. resulting URL. If such a module has import-time side effects, those

  30. side effects will occur.

  31. 

  32. Thus it is possible for an attacker to cause unexpected code

  33. execution, given the following conditions:

  34. 

  35. 1. One or more views are present which construct a URL based on user

  36.    input (commonly, a "next" parameter in a querystring indicating

  37.    where to redirect upon successful completion of an action).

  38. 

  39. 2. One or more modules are known to an attacker to exist on the

  40.    server's Python import path, which perform code execution with side

  41.    effects on importing.

  42. 

  43. To remedy this, ``reverse()`` will now only accept and import dotted

  44. paths based on the view-containing modules listed in the project's :doc:`URL

  45. pattern configuration </topics/http/urls>`, so as to ensure that only modules

  46. the developer intended to be imported in this fashion can or will be imported.

  47. 

  48. Caching of anonymous pages could reveal CSRF token

  49. ==================================================

  50. 

  51. Django includes both a :doc:`caching framework </topics/cache>` and a system

  52. for :doc:`preventing cross-site request forgery (CSRF) attacks

  53. </ref/csrf/>`. The CSRF-protection system is based on a random nonce

  54. sent to the client in a cookie which must be sent by the client on future

  55. requests and, in forms, a hidden value which must be submitted back with the

  56. form.

  57. 

  58. The caching framework includes an option to cache responses to

  59. anonymous (i.e., unauthenticated) clients.

  60. 

  61. When the first anonymous request to a given page is by a client which

  62. did not have a CSRF cookie, the cache framework will also cache the

  63. CSRF cookie and serve the same nonce to other anonymous clients who

  64. do not have a CSRF cookie. This can allow an attacker to obtain a

  65. valid CSRF cookie value and perform attacks which bypass the check for

  66. the cookie.

  67. 

  68. To remedy this, the caching framework will no longer cache such

  69. responses. The heuristic for this will be:

  70. 

  71. 1. If the incoming request did not submit any cookies, and

  72. 

  73. 2. If the response did send one or more cookies, and

  74. 

  75. 3. If the ``Vary: Cookie`` header is set on the response, then the

  76.    response will not be cached.

  77. 

  78. MySQL typecasting

  79. =================

  80. 

  81. The MySQL database is known to "typecast" on certain queries; for

  82. example, when querying a table which contains string values, but using

  83. a query which filters based on an integer value, MySQL will first

  84. silently coerce the strings to integers and return a result based on that.

  85. 

  86. If a query is performed without first converting values to the

  87. appropriate type, this can produce unexpected results, similar to what

  88. would occur if the query itself had been manipulated.

  89. 

  90. Django's model field classes are aware of their own types and most

  91. such classes perform explicit conversion of query arguments to the

  92. correct database-level type before querying. However, three model

  93. field classes did not correctly convert their arguments:

  94. 

  95. * :class:`~django.db.models.FilePathField`

  96. * :class:`~django.db.models.GenericIPAddressField`

  97. * ``IPAddressField``

  98. 

  99. These three fields have been updated to convert their arguments to the

  100. correct types before querying.

  101. 

  102. Additionally, developers of custom model fields are now warned via

  103. documentation to ensure their custom field classes will perform

  104. appropriate type conversions, and users of the :meth:`raw()

  105. <django.db.models.query.QuerySet.raw>` and :meth:`extra()

  106. <django.db.models.query.QuerySet.extra>` query methods -- which allow the

  107. developer to supply raw SQL or SQL fragments -- will be advised to ensure they

  108. perform appropriate manual type conversions prior to executing queries.
About Sign Up Leave Feedback Contact