summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorMark Striemer <mstriemer@mozilla.com>2016-02-22 16:50:23 -0500
committerTim Graham <timograham@gmail.com>2016-03-01 11:38:49 -0500
commitfc6d147a63f89795dbcdecb0559256470fff4380 (patch)
treefa046fd6a8b3d199c5e27696c5cc0631043033f4 /docs
parent7e799217c5cf1ba365af41c801d5cfbadea18fa9 (diff)
[1.9.x] Fixed CVE-2016-2512 -- Prevented spoofing is_safe_url() with basic auth.
This is a security fix.
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/1.8.10.txt16
-rw-r--r--docs/releases/1.9.3.txt16
2 files changed, 32 insertions, 0 deletions
diff --git a/docs/releases/1.8.10.txt b/docs/releases/1.8.10.txt
index d93f243720..73c7cc04a4 100644
--- a/docs/releases/1.8.10.txt
+++ b/docs/releases/1.8.10.txt
@@ -6,6 +6,22 @@ Django 1.8.10 release notes
Django 1.8.10 fixes two security issues and several bugs in 1.8.9.
+CVE-2016-2512: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth
+===============================================================================================================
+
+Django relies on user input in some cases (e.g.
+:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`)
+to redirect the user to an "on success" URL. The security check for these
+redirects (namely ``django.utils.http.is_safe_url()``) considered some URLs
+with basic authentication credentials "safe" when they shouldn't be.
+
+For example, a URL like ``http://mysite.example.com\@attacker.com`` would be
+considered safe if the request's host is ``http://mysite.example.com``, but
+redirecting to this URL sends the user to ``attacker.com``.
+
+Also, if a developer relies on ``is_safe_url()`` to provide safe redirect
+targets and puts such a URL into a link, they could suffer from an XSS attack.
+
Bugfixes
========
diff --git a/docs/releases/1.9.3.txt b/docs/releases/1.9.3.txt
index 8cc57d8a81..056122b16e 100644
--- a/docs/releases/1.9.3.txt
+++ b/docs/releases/1.9.3.txt
@@ -6,6 +6,22 @@ Django 1.9.3 release notes
Django 1.9.3 fixes two security issues and several bugs in 1.9.2.
+CVE-2016-2512: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth
+===============================================================================================================
+
+Django relies on user input in some cases (e.g.
+:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`)
+to redirect the user to an "on success" URL. The security check for these
+redirects (namely ``django.utils.http.is_safe_url()``) considered some URLs
+with basic authentication credentials "safe" when they shouldn't be.
+
+For example, a URL like ``http://mysite.example.com\@attacker.com`` would be
+considered safe if the request's host is ``http://mysite.example.com``, but
+redirecting to this URL sends the user to ``attacker.com``.
+
+Also, if a developer relies on ``is_safe_url()`` to provide safe redirect
+targets and puts such a URL into a link, they could suffer from an XSS attack.
+
Bugfixes
========