Catatan terbitan Django 1.10.7

April 4, 2017

Django 1.10.7 fixes two security issues and a bug in 1.10.6.

CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs

Django relies on user input in some cases (e.g. django.contrib.auth.views.login() and i18n) to redirect the user to an “on success” URL. The security check for these redirects (namely django.utils.http.is_safe_url()) considered some numeric URLs (e.g. http:999999999) “safe” when they shouldn’t be.

Juga, jika seorang pengembang bergantung pada is_safe_url() untuk menyediakan sasaran pengalihan dan menaruh URL seperti itu kedalam sebuah tautan, mereka dapat menderita dari serangan XSS.

CVE-2017-7234: Open redirect vulnerability in django.views.static.serve()

A maliciously crafted URL to a Django site using the serve() view could redirect to any other domain. The view no longer does any redirects as they don’t provide any known, useful functionality.

Note, however, that this view has always carried a warning that it is not hardened for production use and should be used only as a development aid.

Perbaikan kesalahan

  • Dibuat RelatedFieldWidgetWrapper admin menggunakan dibungkus metode value_omitted_from_data() widget (#27905).

  • Fixed model form default fallback for SelectMultiple (#27993).
Back to Top