Catatan terbitan Django 1.10.7¶
April 4, 2017
Django 1.10.7 fixes two security issues and a bug in 1.10.6.
CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs¶
Django relies on user input in some cases (e.g.
django.contrib.auth.views.login()
and i18n)
to redirect the user to an “on success” URL. The security check for these
redirects (namely django.utils.http.is_safe_url()
) considered some numeric
URLs (e.g. http:999999999
) “safe” when they shouldn’t be.
Juga, jika seorang pengembang bergantung pada is_safe_url()
untuk menyediakan sasaran pengalihan dan menaruh URL seperti itu kedalam sebuah tautan, mereka dapat menderita dari serangan XSS.
CVE-2017-7234: Open redirect vulnerability in django.views.static.serve()
¶
A maliciously crafted URL to a Django site using the
serve()
view could redirect to any other domain. The
view no longer does any redirects as they don’t provide any known, useful
functionality.
Note, however, that this view has always carried a warning that it is not hardened for production use and should be used only as a development aid.