diff options
| author | Tim Graham <timograham@gmail.com> | 2014-05-15 07:11:29 -0400 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2014-05-15 07:17:54 -0400 |
| commit | d39fcff11a152e37fbc9a0fb34216415ef2a03da (patch) | |
| tree | c8525d34b409082c790013c38a78043a9dc64e55 | |
| parent | 37d6821d35074ccbf1b0deeeb03561b07dbafd45 (diff) | |
[1.4.x] Minor edits to latest release notes.
Backport of 860d31ac7a3bdd4b27db8b34b110b3d801ddaf8a from master
| -rw-r--r-- | docs/releases/1.4.13.txt | 18 |
1 files changed, 9 insertions, 9 deletions
diff --git a/docs/releases/1.4.13.txt b/docs/releases/1.4.13.txt index bcbe460af5..978f93580c 100644 --- a/docs/releases/1.4.13.txt +++ b/docs/releases/1.4.13.txt @@ -1,18 +1,18 @@ -========================== +=========================== Django 1.4.13 release notes -========================== +=========================== -*May 13, 2014* +*May 14, 2014* Django 1.4.13 fixes two security issues in 1.4.12. - Caches may incorrectly be allowed to store and serve private data ================================================================= + In certain situations, Django may allow caches to store private data related to a particular session and then serve that data to requests -with a different session, or no session at all. This can both lead to -information disclosure, and can be a vector for cache poisoning. +with a different session, or no session at all. This can lead to +information disclosure and can be a vector for cache poisoning. When using Django sessions, Django will set a ``Vary: Cookie`` header to ensure caches do not serve cached data to requests from other sessions. @@ -22,15 +22,15 @@ Explorer 6, and Internet Explorer 7 if run on Windows XP or Windows Server types. Therefore, Django would remove the header if the request was made by Internet Explorer. -To remedy this, the special behaviour for these older Internet Explorer versions +To remedy this, the special behavior for these older Internet Explorer versions has been removed, and the ``Vary`` header is no longer stripped from the response. In addition, modifications to the ``Cache-Control`` header for all Internet Explorer -requests with a ``Content-Disposition`` header, have also been removed as they +requests with a ``Content-Disposition`` header have also been removed as they were found to have similar issues. - Malformed redirect URLs from user input not correctly validated =============================================================== + The validation for redirects did not correctly validate some malformed URLs, which are accepted by some browsers. This allows a user to be redirected to an unsafe URL unexpectedly. |