1. ===========================

  2. Django 1.4.21 release notes

  3. ===========================

  4. 

  5. *July 8, 2015*

  6. 

  7. Django 1.4.21 fixes several security issues in 1.4.20.

  8. 

  9. Denial-of-service possibility by filling session store

  10. ======================================================

  11. 

  12. In previous versions of Django, the session backends created a new empty record

  13. in the session storage anytime ``request.session`` was accessed and there was a

  14. session key provided in the request cookies that didn't already have a session

  15. record. This could allow an attacker to easily create many new session records

  16. simply by sending repeated requests with unknown session keys, potentially

  17. filling up the session store or causing other users' session records to be

  18. evicted.

  19. 

  20. The built-in session backends now create a session record only if the session

  21. is actually modified; empty session records are not created. Thus this

  22. potential DoS is now only possible if the site chooses to expose a

  23. session-modifying view to anonymous users.

  24. 

  25. As each built-in session backend was fixed separately (rather than a fix in the

  26. core sessions framework), maintainers of third-party session backends should

  27. check whether the same vulnerability is present in their backend and correct

  28. it if so.

  29. 

  30. Header injection possibility since validators accept newlines in input

  31. ======================================================================

  32. 

  33. Some of Django's built-in validators

  34. (:class:`~django.core.validators.EmailValidator`, most seriously) didn't

  35. prohibit newline characters (due to the usage of ``$`` instead of ``\Z`` in the

  36. regular expressions). If you use values with newlines in HTTP response or email

  37. headers, you can suffer from header injection attacks. Django itself isn't

  38. vulnerable because :class:`~django.http.HttpResponse` and the mail sending

  39. utilities in :mod:`django.core.mail` prohibit newlines in HTTP and SMTP

  40. headers, respectively. While the validators have been fixed in Django, if

  41. you're creating HTTP responses or email messages in other ways, it's a good

  42. idea to ensure that those methods prohibit newlines as well. You might also

  43. want to validate that any existing data in your application doesn't contain

  44. unexpected newlines.

  45. 

  46. :func:`~django.core.validators.validate_ipv4_address`,

  47. :func:`~django.core.validators.validate_slug`, and

  48. :class:`~django.core.validators.URLValidator` and their usage in the

  49. corresponding form fields ``GenericIPAddresseField``, ``IPAddressField``,

  50. ``SlugField``, and ``URLField`` are also affected.

  51. 

  52. The undocumented, internally unused ``validate_integer()`` function is now

  53. stricter as it validates using a regular expression instead of simply casting

  54. the value using ``int()`` and checking if an exception was raised.
About Sign Up Leave Feedback Contact