path: root/docs/releases/1.5.8.txt
author: Tim Graham <timograham@gmail.com> 2014-05-15 07:11:29 -0400
committer: Tim Graham <timograham@gmail.com> 2014-05-15 07:16:25 -0400
commit: 860d31ac7a3bdd4b27db8b34b110b3d801ddaf8a (patch)
tree: 496468299f387dea287c9a80de206251a1e02abd /docs/releases/1.5.8.txt
parent: 597ab3ce98e1d73975901da0ee3cdcccd825eeb4 (diff)
Minor edits to latest release notes.
Diffstat (limited to 'docs/releases/1.5.8.txt')
-rw-r--r-- docs/releases/1.5.8.txt 16
1 files changed, 8 insertions, 8 deletions
diff --git a/docs/releases/1.5.8.txt b/docs/releases/1.5.8.txt
index 0fe3c95f62..16d3db65cd 100644
--- a/docs/releases/1.5.8.txt
+++ b/docs/releases/1.5.8.txt
@@ -2,17 +2,17 @@
Django 1.5.8 release notes
==========================
-*May 13, 2014*
-
-Django 1.5.8 fixes two security issues in 1.5.8.
+*May 14, 2014*
+Django 1.5.8 fixes two security issues in 1.5.8.
Caches may incorrectly be allowed to store and serve private data
=================================================================
+
In certain situations, Django may allow caches to store private data
related to a particular session and then serve that data to requests
-with a different session, or no session at all. This can both lead to
-information disclosure, and can be a vector for cache poisoning.
+with a different session, or no session at all. This can lead to
+information disclosure and can be a vector for cache poisoning.
When using Django sessions, Django will set a ``Vary: Cookie`` header to
ensure caches do not serve cached data to requests from other sessions.
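Review bot: The intro sentence on the added line still reads "Django 1.5.8 fixes two security issues in 1.5.8.", so the release is described as fixing issues in itself. The second version number should name the affected release (presumably 1.5.7), and since this hunk already rewrites that line it is the natural place to correct it. Separately, the date moves from May 13 to May 14 under a commit message that only says "Minor edits"; a release date is a factual change for a security release, so it is worth confirming against the actual publication date and mentioning in the message.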
@@ -22,15 +22,15 @@ Explorer 6, and Internet Explorer 7 if run on Windows XP or Windows Server
types. Therefore, Django would remove the header if the request was made by
Internet Explorer.
-To remedy this, the special behaviour for these older Internet Explorer versions
+To remedy this, the special behavior for these older Internet Explorer versions
has been removed, and the ``Vary`` header is no longer stripped from the response.
In addition, modifications to the ``Cache-Control`` header for all Internet Explorer
-requests with a ``Content-Disposition`` header, have also been removed as they
+requests with a ``Content-Disposition`` header have also been removed as they
were found to have similar issues.
-
Malformed redirect URLs from user input not correctly validated
===============================================================
+
The validation for redirects did not correctly validate some malformed URLs,
which are accepted by some browsers. This allows a user to be redirected to
an unsafe URL unexpectedly.
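Review bot: On the line "+requests with a ``Content-Disposition`` header have also been removed as they", dropping the comma is right, but the sentence still reads as if the Internet Explorer request carries ``Content-Disposition``, which is a response header. Since the wording is being touched anyway, consider something like "modifications to the ``Cache-Control`` header of responses to Internet Explorer that carry a ``Content-Disposition`` header", so readers auditing their cache behavior know which side of the exchange was affected. The "behaviour" to "behavior" spelling change looks fine.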