diff options
| author | Mark Striemer <mstriemer@mozilla.com> | 2016-02-22 16:47:01 -0500 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2016-03-01 11:25:28 -0500 |
| commit | c5544d289233f501917e25970c03ed444abbd4f0 (patch) | |
| tree | 8fd9abd585ecb7deab514e193401f62012768107 /docs | |
| parent | f43291639bb968001df4719c4e69269bd8a3162b (diff) | |
Fixed CVE-2016-2512 -- Prevented spoofing is_safe_url() with basic auth.
This is a security fix.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/1.8.10.txt | 16 | ||||
| -rw-r--r-- | docs/releases/1.9.3.txt | 16 |
2 files changed, 32 insertions, 0 deletions
diff --git a/docs/releases/1.8.10.txt b/docs/releases/1.8.10.txt index d93f243720..73c7cc04a4 100644 --- a/docs/releases/1.8.10.txt +++ b/docs/releases/1.8.10.txt @@ -6,6 +6,22 @@ Django 1.8.10 release notes Django 1.8.10 fixes two security issues and several bugs in 1.8.9. +CVE-2016-2512: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth +=============================================================================================================== + +Django relies on user input in some cases (e.g. +:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`) +to redirect the user to an "on success" URL. The security check for these +redirects (namely ``django.utils.http.is_safe_url()``) considered some URLs +with basic authentication credentials "safe" when they shouldn't be. + +For example, a URL like ``http://mysite.example.com\@attacker.com`` would be +considered safe if the request's host is ``http://mysite.example.com``, but +redirecting to this URL sends the user to ``attacker.com``. + +Also, if a developer relies on ``is_safe_url()`` to provide safe redirect +targets and puts such a URL into a link, they could suffer from an XSS attack. + Bugfixes ======== diff --git a/docs/releases/1.9.3.txt b/docs/releases/1.9.3.txt index 8cc57d8a81..056122b16e 100644 --- a/docs/releases/1.9.3.txt +++ b/docs/releases/1.9.3.txt @@ -6,6 +6,22 @@ Django 1.9.3 release notes Django 1.9.3 fixes two security issues and several bugs in 1.9.2. +CVE-2016-2512: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth +=============================================================================================================== + +Django relies on user input in some cases (e.g. +:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`) +to redirect the user to an "on success" URL. The security check for these +redirects (namely ``django.utils.http.is_safe_url()``) considered some URLs +with basic authentication credentials "safe" when they shouldn't be. + +For example, a URL like ``http://mysite.example.com\@attacker.com`` would be +considered safe if the request's host is ``http://mysite.example.com``, but +redirecting to this URL sends the user to ``attacker.com``. + +Also, if a developer relies on ``is_safe_url()`` to provide safe redirect +targets and puts such a URL into a link, they could suffer from an XSS attack. + Bugfixes ======== |
