Django 1.7.7 release notes¶
March 18, 2015
Django 1.7.7 fixes several bugs and security issues in 1.7.6.
Mitigated possible XSS attack via user-supplied redirect URLs¶
Django relies on user input in some cases (e.g.
django.contrib.auth.views.login() and i18n)
to redirect the user to an “on success” URL. The security checks for these
django.utils.http.is_safe_url()) accepted URLs with
leading control characters and so considered URLs like
safe. This issue doesn’t affect Django currently, since we only put this URL
there. Browsers we tested also treat URLs prefixed with control characters such
%08//example.com as relative paths so redirection to an unsafe target
isn’t a problem either.
However, if a developer relies on
provide safe redirect targets and puts such a URL into a link, they could
suffer from an XSS attack as some browsers such as Google Chrome ignore control
characters at the start of a URL in an anchor
- Fixed renaming of classes in migrations where renaming a subclass would cause incorrect state to be recorded for objects that referenced the superclass (#24354).
- Stopped writing migration files in dry run mode when merging migration
makemigrations --mergeis called with
verbosity=3the migration file is written to