Catatan terbitan Django 1.4.6

Agustus 13, 2013

Django 1.4.6 memperbaiki satu masalah keamanan yang hadir di terbitan Django sebelumnya di rangkaian 1.4, sama halnya satu kesalahan lainnya.

Ini adalah terbitan keenam perbaikan kesalahan/keamanan di rangkaian Django 1.4.

Mengurangi kemungkinan serangan XSS melalui mengalihkan URL penyediaan-pengguna

Django relies on user input in some cases (e.g. django.contrib.auth.views.login(), django.contrib.comments, and i18n) to redirect the user to an "on success" URL. The security checks for these redirects (namely django.utils.http.is_safe_url()) didn't check if the scheme is http(s) and as such allowed javascript:... URLs to be entered. If a developer relied on is_safe_url() to provide safe redirect targets and put such a URL into a link, they could suffer from a XSS attack. This bug doesn't affect Django currently, since we only put this URL into the Location response header and browsers seem to ignore JavaScript there.

Perbaikan kesalahan

  • Diperbaiki sebuah kesalahan mengaburkan dengan penghias override_settings(). Jika anda mengenai sebuah pengecualian ``AttributeError: 'Settings' object has no attribute '_original_allowed_hosts'`, itu mungkin diperbaiki (#20636).
Back to Top