diff options
| author | Mark Striemer <mstriemer@mozilla.com> | 2016-02-22 16:50:23 -0500 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2016-03-01 11:38:49 -0500 |
| commit | fc6d147a63f89795dbcdecb0559256470fff4380 (patch) | |
| tree | fa046fd6a8b3d199c5e27696c5cc0631043033f4 /docs | |
| parent | 7e799217c5cf1ba365af41c801d5cfbadea18fa9 (diff) | |
[1.9.x] Fixed CVE-2016-2512 -- Prevented spoofing is_safe_url() with basic auth.
This is a security fix.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/1.8.10.txt | 16 | ||||
| -rw-r--r-- | docs/releases/1.9.3.txt | 16 |
2 files changed, 32 insertions, 0 deletions
diff --git a/docs/releases/1.8.10.txt b/docs/releases/1.8.10.txt index d93f243720..73c7cc04a4 100644 --- a/docs/releases/1.8.10.txt +++ b/docs/releases/1.8.10.txt @@ -6,6 +6,22 @@ Django 1.8.10 release notes Django 1.8.10 fixes two security issues and several bugs in 1.8.9. +CVE-2016-2512: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth +=============================================================================================================== + +Django relies on user input in some cases (e.g. +:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`) +to redirect the user to an "on success" URL. The security check for these +redirects (namely ``django.utils.http.is_safe_url()``) considered some URLs +with basic authentication credentials "safe" when they shouldn't be. + +For example, a URL like ``http://mysite.example.com\@attacker.com`` would be +considered safe if the request's host is ``http://mysite.example.com``, but +redirecting to this URL sends the user to ``attacker.com``. + +Also, if a developer relies on ``is_safe_url()`` to provide safe redirect +targets and puts such a URL into a link, they could suffer from an XSS attack. + Bugfixes ======== diff --git a/docs/releases/1.9.3.txt b/docs/releases/1.9.3.txt index 8cc57d8a81..056122b16e 100644 --- a/docs/releases/1.9.3.txt +++ b/docs/releases/1.9.3.txt @@ -6,6 +6,22 @@ Django 1.9.3 release notes Django 1.9.3 fixes two security issues and several bugs in 1.9.2. +CVE-2016-2512: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth +=============================================================================================================== + +Django relies on user input in some cases (e.g. +:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`) +to redirect the user to an "on success" URL. The security check for these +redirects (namely ``django.utils.http.is_safe_url()``) considered some URLs +with basic authentication credentials "safe" when they shouldn't be. + +For example, a URL like ``http://mysite.example.com\@attacker.com`` would be +considered safe if the request's host is ``http://mysite.example.com``, but +redirecting to this URL sends the user to ``attacker.com``. + +Also, if a developer relies on ``is_safe_url()`` to provide safe redirect +targets and puts such a URL into a link, they could suffer from an XSS attack. + Bugfixes ======== |
