Django 1.8.15 release notes¶

September 26, 2016

Django 1.8.15 fixes a security issue in 1.8.14.

CSRF protection bypass on a site with Google Analytics¶

An interaction between Google Analytics and Django’s cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection.

The parser for request.COOKIES is simplified to better match the behavior of browsers and to mitigate this attack. request.COOKIES may now contain cookies that are invalid according to RFC 6265 but are possible to set via document.cookie.

Django 1.8.16 release notes

Django 1.8.14 release notes

Django 1.8.15 release notes
- CSRF protection bypass on a site with Google Analytics

Browse

FAQ: Try the FAQ — it's got answers to many common questions.
Index, Module Index, or Table of Contents: Handy when looking for specific information.
django-users mailing list: Search for information in the archives of the django-users mailing list, or post a question.
#django IRC channel: Ask a question in the #django IRC channel, or search the IRC logs to see if it’s been asked before.
Django Discord Server: Join the Django Discord Community.
Official Django Forum: Join the community on the Django Forum.
Ticket tracker: Report bugs with Django or Django documentation in our ticket tracker.

Download:

Offline (Django 1.10): HTML | PDF | ePub
Provided by Read the Docs.

Documentation

Django 1.8.15 release notes¶

CSRF protection bypass on a site with Google Analytics¶

Additional Information

Support Django!

Contents

Browse

You are here:

Getting help

Download:

Django Links

Learn More

Get Involved

Get Help

Follow Us

Support Us