diff options
| author | Tom Hacohen <tasn@users.noreply.github.com> | 2019-01-04 02:21:55 +0000 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2019-01-03 22:09:25 -0500 |
| commit | 1cd00fcf52d089ef0fe03beabd05d59df8ea052a (patch) | |
| tree | 46439a6356b26ef009283d89871370cec1e0949c /docs | |
| parent | b683bb0c9fec43706e4117ef0d690ab4758d8af0 (diff) | |
[1.11.x] Fixed #30070, CVE-2019-3498 -- Fixed content spoofing possiblity in the default 404 page.
Co-Authored-By: Tim Graham <timograham@gmail.com>
Backport of 1ecc0a395be721e987e8e9fdfadde952b6dee1c7 from master.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/1.11.18.txt | 18 | ||||
| -rw-r--r-- | docs/releases/index.txt | 1 |
2 files changed, 19 insertions, 0 deletions
diff --git a/docs/releases/1.11.18.txt b/docs/releases/1.11.18.txt new file mode 100644 index 0000000000..82a229e6dd --- /dev/null +++ b/docs/releases/1.11.18.txt @@ -0,0 +1,18 @@ +============================ +Django 1.11.18 release notes +============================ + +*January 4, 2019* + +Django 1.11.18 fixes a security issue in 1.11.17. + +CVE-2019-3498: Content spoofing possibility in the default 404 page +------------------------------------------------------------------- + +An attacker could craft a malicious URL that could make spoofed content appear +on the default page generated by the ``django.views.defaults.page_not_found()`` +view. + +The URL path is no longer displayed in the default 404 template and the +``request_path`` context variable is now quoted to fix the issue for custom +templates that use the path. diff --git a/docs/releases/index.txt b/docs/releases/index.txt index 5bd5ba8b81..719e5f416e 100644 --- a/docs/releases/index.txt +++ b/docs/releases/index.txt @@ -26,6 +26,7 @@ versions of the documentation contain the release notes for any later releases. .. toctree:: :maxdepth: 1 + 1.11.18 1.11.17 1.11.16 1.11.15 |