===========================
Django 1.4.13 release notes
===========================

*May 14, 2014*

Django 1.4.13 fixes two security issues in 1.4.12.

Caches may incorrectly be allowed to store and serve private data
=================================================================

In certain situations, Django may allow caches to store private data
related to a particular session and then serve that data to requests
with a different session, or no session at all. This can lead to
information disclosure and can be a vector for cache poisoning.

When using Django sessions, Django will set a ``Vary: Cookie`` header to
ensure caches do not serve cached data to requests from other sessions.
However, older versions of Internet Explorer (most likely only Internet
Explorer 6, and Internet Explorer 7 if run on Windows XP or Windows Server
2003) are unable to handle the ``Vary`` header in combination with many content
types. Therefore, Django would remove the header if the request was made by
Internet Explorer.

To remedy this, the special behavior for these older Internet Explorer versions
has been removed, and the ``Vary`` header is no longer stripped from the response.
In addition, modifications to the ``Cache-Control`` header for all Internet Explorer
requests with a ``Content-Disposition`` header have also been removed, as they
were found to have similar issues.

Malformed redirect URLs from user input not correctly validated
===============================================================

The validation for redirects did not correctly validate some malformed URLs
which are accepted by some browsers. This allows a user to be redirected to
an unsafe URL unexpectedly.

Django relies on user input in some cases (e.g.
``django.contrib.auth.views.login()``, ``django.contrib.comments``, and
:doc:`i18n </topics/i18n/index>`) to redirect the user to an "on success" URL.
The security checks for these redirects (namely
``django.utils.http.is_safe_url()``) did not correctly validate some malformed
URLs, such as ``http:\\\\\\djangoproject.com``, which are accepted by some
browsers with more liberal URL parsing.

To remedy this, the validation in ``is_safe_url()`` has been tightened to be able
to handle and correctly validate these malformed URLs.
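The following is an added illustration, not Django's own code, of why stripping ``Vary: Cookie`` for one browser leaks session data through a shared cache. It models a tiny origin application whose response depends on the session cookie, a minimal proxy cache that keys its entries by the headers named in ``Vary``, and the pre-1.4.13 behaviour of dropping ``Vary`` for Internet Explorer requests. The request records, the ``SharedCache`` class and the ``serve_all()`` helper are all constructed for this example.

```python
# Constructed sample requests: two users with different session cookies and
# one anonymous user, all fetching the same URL through one shared cache.
REQUESTS = [
    {"url": "/profile/", "Cookie": "sessionid=alice", "User-Agent": "MSIE 6.0"},
    {"url": "/profile/", "Cookie": "sessionid=bob", "User-Agent": "MSIE 6.0"},
    {"url": "/profile/", "User-Agent": "Mozilla/5.0"},
]


def app(request):
    """Toy origin: the body is derived from the session cookie, so it is private."""
    cookie = request.get("Cookie", "")
    body = "profile of %s" % cookie.split("=", 1)[1] if cookie else "please log in"
    # A session-aware application marks the response as varying on Cookie.
    return {"Vary": "Cookie", "body": body}


class SharedCache:
    """Minimal model of an intermediary cache that honours the Vary header.

    Entries are keyed by URL; within an entry, variants are keyed by the values
    of the request headers listed in the stored response's Vary header.
    """

    def __init__(self):
        self._entries = {}  # url -> (vary header value, {variant key: response})

    @staticmethod
    def _variant_key(request, vary):
        names = [n.strip() for n in vary.split(",") if n.strip()]
        return tuple(request.get(n, "") for n in names)

    def lookup(self, request):
        entry = self._entries.get(request["url"])
        if entry is None:
            return None
        vary, variants = entry
        return variants.get(self._variant_key(request, vary))

    def store(self, request, response):
        vary = response.get("Vary", "")
        _, variants = self._entries.setdefault(request["url"], (vary, {}))
        variants[self._variant_key(request, vary)] = response


def strip_vary_for_ie(request, response):
    """Model of the removed special case: drop Vary when the client is IE."""
    if "MSIE" in request.get("User-Agent", ""):
        response = dict(response)
        response.pop("Vary", None)
    return response


def serve_all(requests, strip_for_ie):
    """Run the requests through one shared cache; return the body each client sees."""
    cache = SharedCache()
    bodies = []
    for req in requests:
        resp = cache.lookup(req)
        if resp is None:
            resp = app(req)
            if strip_for_ie:
                resp = strip_vary_for_ie(req, resp)
            cache.store(req, resp)
        bodies.append(resp["body"])
    return bodies


if __name__ == "__main__":
    # With the old IE special case, one IE request seeds a Vary-less cache entry
    # and every later client, IE or not, receives Alice's private page.
    print(serve_all(REQUESTS, strip_for_ie=True))
    # With Vary: Cookie left intact, each session gets its own variant.
    print(serve_all(REQUESTS, strip_for_ie=False))
```

Note that the third request is not from Internet Explorer at all; once a single IE request has caused a response without ``Vary`` to be cached, the cache has no way to know that the body is session-specific, which is why the per-browser exception had to go rather than be narrowed.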
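As an added example (written for these notes, not Django's ``is_safe_url()`` itself), the function below shows the shape of a redirect check that survives the liberal URL parsing described above: backslashes are normalised to slashes before parsing, a scheme without a host is rejected, and a triple leading slash is refused outright. The function name ``is_safe_redirect`` and the sample URLs are assumptions for this illustration; it uses Python 3's ``urllib.parse``.

```python
from urllib.parse import urlparse


def is_safe_redirect(url, host):
    """Return True only if `url` is a relative path or stays on `host`.

    `host` is the request's own host (e.g. "example.com"); anything that a
    lenient browser could resolve to a different origin is rejected.
    """
    if not url:
        return False
    # Some browsers treat a backslash exactly like a forward slash. Normalise
    # first, otherwise "http:\\\\example.com" parses as scheme "http" with
    # no netloc and a harmless-looking path.
    url = url.replace("\\", "/")
    # Three or more leading slashes are read as an absolute URL by some
    # browsers but as a path by urlparse, so refuse them without parsing.
    if url.startswith("///"):
        return False
    parts = urlparse(url)
    # A scheme with an empty netloc (http:///example.com) is not a local
    # path: a liberal parser takes "example.com" as the host.
    if parts.scheme and not parts.netloc:
        return False
    return (not parts.netloc or parts.netloc == host) and (
        not parts.scheme or parts.scheme in ("http", "https")
    )


if __name__ == "__main__":
    # Constructed sample inputs: the malformed form from the notes, plus a
    # few ordinary safe and unsafe values.
    for candidate in [r"http:\\\djangoproject.com", "/accounts/profile/",
                      "https://example.com/done", "//other.example/", "///other.example"]:
        print(repr(candidate), is_safe_redirect(candidate, "example.com"))
```

The order of the checks matters: the backslash normalisation has to happen before ``urlparse`` sees the string, since the whole problem is that the parser and the browser disagree about what the backslash-laden input means.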