diff options
| author | Tim Graham <timograham@gmail.com> | 2015-03-09 20:05:13 -0400 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2015-03-18 19:20:07 -0400 |
| commit | 011a54315e46acdf288003566b8570440f5ac985 (patch) | |
| tree | 73e17756bfed3b234c5a499eb1fa9cb75a4084e3 /docs | |
| parent | 1c83fc88d6928a5ab53bc3dde79dad3cc0bfcfdc (diff) | |
Made is_safe_url() reject URLs that start with control characters.
This is a security fix; disclosure to follow shortly.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/1.4.20.txt | 19 | ||||
| -rw-r--r-- | docs/releases/1.6.11.txt | 19 | ||||
| -rw-r--r-- | docs/releases/1.7.7.txt | 19 |
3 files changed, 57 insertions, 0 deletions
diff --git a/docs/releases/1.4.20.txt b/docs/releases/1.4.20.txt index 9c46c5510f..f2ca5ac103 100644 --- a/docs/releases/1.4.20.txt +++ b/docs/releases/1.4.20.txt @@ -5,3 +5,22 @@ Django 1.4.20 release notes *March 18, 2015* Django 1.4.20 fixes one security issue in 1.4.19. + +Mitigated possible XSS attack via user-supplied redirect URLs +============================================================= + +Django relies on user input in some cases (e.g. +:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`) +to redirect the user to an "on success" URL. The security checks for these +redirects (namely ``django.utils.http.is_safe_url()``) accepted URLs with +leading control characters and so considered URLs like ``\x08javascript:...`` +safe. This issue doesn't affect Django currently, since we only put this URL +into the ``Location`` response header and browsers seem to ignore JavaScript +there. Browsers we tested also treat URLs prefixed with control characters such +as ``%08//example.com`` as relative paths so redirection to an unsafe target +isn't a problem either. + +However, if a developer relies on ``is_safe_url()`` to +provide safe redirect targets and puts such a URL into a link, they could +suffer from an XSS attack as some browsers such as Google Chrome ignore control +characters at the start of a URL in an anchor ``href``. diff --git a/docs/releases/1.6.11.txt b/docs/releases/1.6.11.txt index a7d020c004..f1063fcff7 100644 --- a/docs/releases/1.6.11.txt +++ b/docs/releases/1.6.11.txt @@ -22,3 +22,22 @@ it detects the length of the string it's processing increases. Remember that absolutely NO guarantee is provided about the results of ``strip_tags()`` being HTML safe. So NEVER mark safe the result of a ``strip_tags()`` call without escaping it first, for example with :func:`~django.utils.html.escape`. + +Mitigated possible XSS attack via user-supplied redirect URLs +============================================================= + +Django relies on user input in some cases (e.g. +:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`) +to redirect the user to an "on success" URL. The security checks for these +redirects (namely ``django.utils.http.is_safe_url()``) accepted URLs with +leading control characters and so considered URLs like ``\x08javascript:...`` +safe. This issue doesn't affect Django currently, since we only put this URL +into the ``Location`` response header and browsers seem to ignore JavaScript +there. Browsers we tested also treat URLs prefixed with control characters such +as ``%08//example.com`` as relative paths so redirection to an unsafe target +isn't a problem either. + +However, if a developer relies on ``is_safe_url()`` to +provide safe redirect targets and puts such a URL into a link, they could +suffer from an XSS attack as some browsers such as Google Chrome ignore control +characters at the start of a URL in an anchor ``href``. diff --git a/docs/releases/1.7.7.txt b/docs/releases/1.7.7.txt index c8c7aa9ee5..ff14dab1e0 100644 --- a/docs/releases/1.7.7.txt +++ b/docs/releases/1.7.7.txt @@ -23,6 +23,25 @@ absolutely NO guarantee is provided about the results of ``strip_tags()`` being HTML safe. So NEVER mark safe the result of a ``strip_tags()`` call without escaping it first, for example with :func:`~django.utils.html.escape`. +Mitigated possible XSS attack via user-supplied redirect URLs +============================================================= + +Django relies on user input in some cases (e.g. +:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`) +to redirect the user to an "on success" URL. The security checks for these +redirects (namely ``django.utils.http.is_safe_url()``) accepted URLs with +leading control characters and so considered URLs like ``\x08javascript:...`` +safe. This issue doesn't affect Django currently, since we only put this URL +into the ``Location`` response header and browsers seem to ignore JavaScript +there. Browsers we tested also treat URLs prefixed with control characters such +as ``%08//example.com`` as relative paths so redirection to an unsafe target +isn't a problem either. + +However, if a developer relies on ``is_safe_url()`` to +provide safe redirect targets and puts such a URL into a link, they could +suffer from an XSS attack as some browsers such as Google Chrome ignore control +characters at the start of a URL in an anchor ``href``. + Bugfixes ======== |
