[2.0.x] Fixed CVE-2018-14574 -- Fixed open redirect possibility in CommonMiddleware.

author: Andreas Hug <andreas.hug@moccu.com> 2018-07-24 16:18:17 -0400
committer: Tim Graham <timograham@gmail.com> 2018-07-31 10:37:29 -0400
commit: 6fffc3c6d420e44f4029d5643f38d00a39b08525 (patch)
tree: 31633bc12b5f6705f19e8e998773fceba820ab78 /docs/releases/1.11.15.txt
parent: af344691114e4a68334c30543bfb838996328212 (diff)
1 files changed, 13 insertions, 0 deletions
diff --git a/docs/releases/1.11.15.txt b/docs/releases/1.11.15.txt
index 397681d52e..fca551e772 100644
--- a/docs/releases/1.11.15.txt
+++ b/docs/releases/1.11.15.txt
@@ -5,3 +5,16 @@ Django 1.11.15 release notes
 *August 1, 2018*
 
 Django 1.11.15 fixes a security issue in 1.11.14.
+
+CVE-2018-14574: Open redirect possibility in ``CommonMiddleware``
+=================================================================
+
+If the :class:`~django.middleware.common.CommonMiddleware` and the
+:setting:`APPEND_SLASH` setting are both enabled, and if the project has a
+URL pattern that accepts any path ending in a slash (many content management
+systems have such a pattern), then a request to a maliciously crafted URL of
+that site could lead to a redirect to another site, enabling phishing and other
+attacks.
+
+``CommonMiddleware`` now escapes leading slashes to prevent redirects to other
+domains.
author	Andreas Hug <andreas.hug@moccu.com>	2018-07-24 16:18:17 -0400
committer	Tim Graham <timograham@gmail.com>	2018-07-31 10:37:29 -0400
commit	6fffc3c6d420e44f4029d5643f38d00a39b08525 (patch)
tree	31633bc12b5f6705f19e8e998773fceba820ab78 /docs/releases/1.11.15.txt
parent	af344691114e4a68334c30543bfb838996328212 (diff)