1. ===========================

  2. Django 1.6.11 release notes

  3. ===========================

  4. 

  5. *March 18, 2015*

  6. 

  7. Django 1.6.11 fixes two security issues in 1.6.10.

  8. 

  9. Denial-of-service possibility with ``strip_tags()``

  10. ===================================================

  11. 

  12. Last year :func:`~django.utils.html.strip_tags`  was changed to work

  13. iteratively. The problem is that the size of the input it's processing can

  14. increase on each iteration which results in an infinite loop in

  15. ``strip_tags()``. This issue only affects versions of Python that haven't

  16. received :bpo:`a bugfix in HTMLParser <20288>`; namely Python < 2.7.7 and

  17. 3.3.5. Some operating system vendors have also backported the fix for the

  18. Python bug into their packages of earlier versions.

  19. 

  20. To remedy this issue, ``strip_tags()`` will now return the original input if

  21. it detects the length of the string it's processing increases. Remember that

  22. absolutely NO guarantee is provided about the results of ``strip_tags()`` being

  23. HTML safe. So NEVER mark safe the result of a ``strip_tags()`` call without

  24. escaping it first, for example with :func:`~django.utils.html.escape`.

  25. 

  26. Mitigated possible XSS attack via user-supplied redirect URLs

  27. =============================================================

  28. 

  29. Django relies on user input in some cases (e.g.

  30. ``django.contrib.auth.views.login()`` and :doc:`i18n </topics/i18n/index>`)

  31. to redirect the user to an "on success" URL. The security checks for these

  32. redirects (namely ``django.utils.http.is_safe_url()``) accepted URLs with

  33. leading control characters and so considered URLs like ``\x08javascript:...``

  34. safe. This issue doesn't affect Django currently, since we only put this URL

  35. into the ``Location`` response header and browsers seem to ignore JavaScript

  36. there. Browsers we tested also treat URLs prefixed with control characters such

  37. as ``%08//example.com`` as relative paths so redirection to an unsafe target

  38. isn't a problem either.

  39. 

  40. However, if a developer relies on ``is_safe_url()`` to

  41. provide safe redirect targets and puts such a URL into a link, they could

  42. suffer from an XSS attack as some browsers such as Google Chrome ignore control

  43. characters at the start of a URL in an anchor ``href``.
About Sign Up Leave Feedback Contact