diff options
| author | Tim Graham <timograham@gmail.com> | 2017-03-14 10:46:53 -0400 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2017-04-04 10:00:41 -0400 |
| commit | 254326cb3682389f55f886804d2c43f7b9f23e4f (patch) | |
| tree | b18a37cefa313718667225578174ca7d3b3c85e8 /docs | |
| parent | 5f1ffb07afc1e59729ce2b283124116d6c0659e4 (diff) | |
[1.9.x] Fixed #27912, CVE-2017-7233 -- Fixed is_safe_url() with numeric URLs.
This is a security fix.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/1.8.18.txt | 12 | ||||
| -rw-r--r-- | docs/releases/1.9.13.txt | 12 |
2 files changed, 24 insertions, 0 deletions
diff --git a/docs/releases/1.8.18.txt b/docs/releases/1.8.18.txt index 7b1e08046c..f41c7d080f 100644 --- a/docs/releases/1.8.18.txt +++ b/docs/releases/1.8.18.txt @@ -6,6 +6,18 @@ Django 1.8.18 release notes Django 1.8.18 fixes two security issues in 1.8.17. +CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs +============================================================================================ + +Django relies on user input in some cases (e.g. +:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`) +to redirect the user to an "on success" URL. The security check for these +redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric +URLs (e.g. ``http:999999999``) "safe" when they shouldn't be. + +Also, if a developer relies on ``is_safe_url()`` to provide safe redirect +targets and puts such a URL into a link, they could suffer from an XSS attack. + CVE-2017-7234: Open redirect vulnerability in ``django.views.static.serve()`` ============================================================================= diff --git a/docs/releases/1.9.13.txt b/docs/releases/1.9.13.txt index f9d203eafe..4828096da9 100644 --- a/docs/releases/1.9.13.txt +++ b/docs/releases/1.9.13.txt @@ -7,6 +7,18 @@ Django 1.9.13 release notes Django 1.9.13 fixes two security issues and a bug in 1.9.12. This is the final release of the 1.9.x series. +CVE-2017-7233: Open redirect and possible XSS attack via user-supplied numeric redirect URLs +============================================================================================ + +Django relies on user input in some cases (e.g. +:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`) +to redirect the user to an "on success" URL. The security check for these +redirects (namely ``django.utils.http.is_safe_url()``) considered some numeric +URLs (e.g. ``http:999999999``) "safe" when they shouldn't be. + +Also, if a developer relies on ``is_safe_url()`` to provide safe redirect +targets and puts such a URL into a link, they could suffer from an XSS attack. + CVE-2017-7234: Open redirect vulnerability in ``django.views.static.serve()`` ============================================================================= |
