diff options
| author | Florian Apolloner <florian@apolloner.eu> | 2014-07-17 21:59:28 +0200 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2014-08-20 14:39:40 -0400 |
| commit | 28e765810df46a3f28ff4785491e9973593382fd (patch) | |
| tree | 1f4eb55828ff9cf83a8f7d31df0c3fd1214532ed /docs | |
| parent | ec71191be0947e22630141e726f0e1f298f930df (diff) | |
Prevented reverse() from generating URLs pointing to other hosts.
This is a security fix. Disclosure following shortly.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/1.4.14.txt | 13 | ||||
| -rw-r--r-- | docs/releases/1.5.9.txt | 13 | ||||
| -rw-r--r-- | docs/releases/1.6.6.txt | 13 |
3 files changed, 39 insertions, 0 deletions
diff --git a/docs/releases/1.4.14.txt b/docs/releases/1.4.14.txt index d0032e5399..28390c96a4 100644 --- a/docs/releases/1.4.14.txt +++ b/docs/releases/1.4.14.txt @@ -5,3 +5,16 @@ Django 1.4.14 release notes *Under development* Django 1.4.14 fixes several security issues in 1.4.13. + +:func:`~django.core.urlresolvers.reverse()` could generate URLs pointing to other hosts +======================================================================================= + +In certain situations, URL reversing could generate scheme-relative URLs (URLs +starting with two slashes), which could unexpectedly redirect a user to a +different host. An attacker could exploit this, for example, by redirecting +users to a phishing site designed to ask for user's passwords. + +To remedy this, URL reversing now ensures that no URL starts with two slashes +(//), replacing the second slash with its URL encoded counterpart (%2F). This +approach ensures that semantics stay the same, while making the URL relative to +the domain and not to the scheme. diff --git a/docs/releases/1.5.9.txt b/docs/releases/1.5.9.txt index 4a5233a1fd..12b5b5f806 100644 --- a/docs/releases/1.5.9.txt +++ b/docs/releases/1.5.9.txt @@ -5,3 +5,16 @@ Django 1.5.9 release notes *Under development* Django 1.5.9 fixes several security issues in 1.5.8. + +:func:`~django.core.urlresolvers.reverse()` could generate URLs pointing to other hosts +======================================================================================= + +In certain situations, URL reversing could generate scheme-relative URLs (URLs +starting with two slashes), which could unexpectedly redirect a user to a +different host. An attacker could exploit this, for example, by redirecting +users to a phishing site designed to ask for user's passwords. + +To remedy this, URL reversing now ensures that no URL starts with two slashes +(//), replacing the second slash with its URL encoded counterpart (%2F). This +approach ensures that semantics stay the same, while making the URL relative to +the domain and not to the scheme. diff --git a/docs/releases/1.6.6.txt b/docs/releases/1.6.6.txt index 0a4519b04d..43b3adf630 100644 --- a/docs/releases/1.6.6.txt +++ b/docs/releases/1.6.6.txt @@ -6,6 +6,19 @@ Django 1.6.6 release notes Django 1.6.6 fixes several security issues and bugs in 1.6.5. +:func:`~django.core.urlresolvers.reverse()` could generate URLs pointing to other hosts +======================================================================================= + +In certain situations, URL reversing could generate scheme-relative URLs (URLs +starting with two slashes), which could unexpectedly redirect a user to a +different host. An attacker could exploit this, for example, by redirecting +users to a phishing site designed to ask for user's passwords. + +To remedy this, URL reversing now ensures that no URL starts with two slashes +(//), replacing the second slash with its URL encoded counterpart (%2F). This +approach ensures that semantics stay the same, while making the URL relative to +the domain and not to the scheme. + Bugfixes ======== |
