summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorMark Striemer <mstriemer@mozilla.com>2016-02-22 16:47:01 -0500
committerTim Graham <timograham@gmail.com>2016-03-01 11:25:28 -0500
commitc5544d289233f501917e25970c03ed444abbd4f0 (patch)
tree8fd9abd585ecb7deab514e193401f62012768107 /docs
parentf43291639bb968001df4719c4e69269bd8a3162b (diff)
Fixed CVE-2016-2512 -- Prevented spoofing is_safe_url() with basic auth.
This is a security fix.
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/1.8.10.txt16
-rw-r--r--docs/releases/1.9.3.txt16
2 files changed, 32 insertions, 0 deletions
diff --git a/docs/releases/1.8.10.txt b/docs/releases/1.8.10.txt
index d93f243720..73c7cc04a4 100644
--- a/docs/releases/1.8.10.txt
+++ b/docs/releases/1.8.10.txt
@@ -6,6 +6,22 @@ Django 1.8.10 release notes
Django 1.8.10 fixes two security issues and several bugs in 1.8.9.
+CVE-2016-2512: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth
+===============================================================================================================
+
+Django relies on user input in some cases (e.g.
+:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`)
+to redirect the user to an "on success" URL. The security check for these
+redirects (namely ``django.utils.http.is_safe_url()``) considered some URLs
+with basic authentication credentials "safe" when they shouldn't be.
+
+For example, a URL like ``http://mysite.example.com\@attacker.com`` would be
+considered safe if the request's host is ``http://mysite.example.com``, but
+redirecting to this URL sends the user to ``attacker.com``.
+
+Also, if a developer relies on ``is_safe_url()`` to provide safe redirect
+targets and puts such a URL into a link, they could suffer from an XSS attack.
+
Bugfixes
========
diff --git a/docs/releases/1.9.3.txt b/docs/releases/1.9.3.txt
index 8cc57d8a81..056122b16e 100644
--- a/docs/releases/1.9.3.txt
+++ b/docs/releases/1.9.3.txt
@@ -6,6 +6,22 @@ Django 1.9.3 release notes
Django 1.9.3 fixes two security issues and several bugs in 1.9.2.
+CVE-2016-2512: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth
+===============================================================================================================
+
+Django relies on user input in some cases (e.g.
+:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`)
+to redirect the user to an "on success" URL. The security check for these
+redirects (namely ``django.utils.http.is_safe_url()``) considered some URLs
+with basic authentication credentials "safe" when they shouldn't be.
+
+For example, a URL like ``http://mysite.example.com\@attacker.com`` would be
+considered safe if the request's host is ``http://mysite.example.com``, but
+redirecting to this URL sends the user to ``attacker.com``.
+
+Also, if a developer relies on ``is_safe_url()`` to provide safe redirect
+targets and puts such a URL into a link, they could suffer from an XSS attack.
+
Bugfixes
========