summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/1.4.14.txt13
-rw-r--r--docs/releases/1.5.9.txt13
-rw-r--r--docs/releases/1.6.6.txt13
3 files changed, 39 insertions, 0 deletions
diff --git a/docs/releases/1.4.14.txt b/docs/releases/1.4.14.txt
index d0032e5399..28390c96a4 100644
--- a/docs/releases/1.4.14.txt
+++ b/docs/releases/1.4.14.txt
@@ -5,3 +5,16 @@ Django 1.4.14 release notes
*Under development*
Django 1.4.14 fixes several security issues in 1.4.13.
+
+:func:`~django.core.urlresolvers.reverse()` could generate URLs pointing to other hosts
+=======================================================================================
+
+In certain situations, URL reversing could generate scheme-relative URLs (URLs
+starting with two slashes), which could unexpectedly redirect a user to a
+different host. An attacker could exploit this, for example, by redirecting
+users to a phishing site designed to ask for user's passwords.
+
+To remedy this, URL reversing now ensures that no URL starts with two slashes
+(//), replacing the second slash with its URL encoded counterpart (%2F). This
+approach ensures that semantics stay the same, while making the URL relative to
+the domain and not to the scheme.
diff --git a/docs/releases/1.5.9.txt b/docs/releases/1.5.9.txt
index 4a5233a1fd..12b5b5f806 100644
--- a/docs/releases/1.5.9.txt
+++ b/docs/releases/1.5.9.txt
@@ -5,3 +5,16 @@ Django 1.5.9 release notes
*Under development*
Django 1.5.9 fixes several security issues in 1.5.8.
+
+:func:`~django.core.urlresolvers.reverse()` could generate URLs pointing to other hosts
+=======================================================================================
+
+In certain situations, URL reversing could generate scheme-relative URLs (URLs
+starting with two slashes), which could unexpectedly redirect a user to a
+different host. An attacker could exploit this, for example, by redirecting
+users to a phishing site designed to ask for user's passwords.
+
+To remedy this, URL reversing now ensures that no URL starts with two slashes
+(//), replacing the second slash with its URL encoded counterpart (%2F). This
+approach ensures that semantics stay the same, while making the URL relative to
+the domain and not to the scheme.
diff --git a/docs/releases/1.6.6.txt b/docs/releases/1.6.6.txt
index 0a4519b04d..43b3adf630 100644
--- a/docs/releases/1.6.6.txt
+++ b/docs/releases/1.6.6.txt
@@ -6,6 +6,19 @@ Django 1.6.6 release notes
Django 1.6.6 fixes several security issues and bugs in 1.6.5.
+:func:`~django.core.urlresolvers.reverse()` could generate URLs pointing to other hosts
+=======================================================================================
+
+In certain situations, URL reversing could generate scheme-relative URLs (URLs
+starting with two slashes), which could unexpectedly redirect a user to a
+different host. An attacker could exploit this, for example, by redirecting
+users to a phishing site designed to ask for user's passwords.
+
+To remedy this, URL reversing now ensures that no URL starts with two slashes
+(//), replacing the second slash with its URL encoded counterpart (%2F). This
+approach ensures that semantics stay the same, while making the URL relative to
+the domain and not to the scheme.
+
Bugfixes
========