summaryrefslogtreecommitdiff
path: root/docs/releases/2.0.8.txt
diff options
context:
space:
mode:
Diffstat (limited to 'docs/releases/2.0.8.txt')
-rw-r--r--docs/releases/2.0.8.txt13
1 files changed, 13 insertions, 0 deletions
diff --git a/docs/releases/2.0.8.txt b/docs/releases/2.0.8.txt
index 8a03071075..849f80d3f8 100644
--- a/docs/releases/2.0.8.txt
+++ b/docs/releases/2.0.8.txt
@@ -6,6 +6,19 @@ Django 2.0.8 release notes
Django 2.0.8 fixes a security issue and several bugs in 2.0.7.
+CVE-2018-14574: Open redirect possibility in ``CommonMiddleware``
+=================================================================
+
+If the :class:`~django.middleware.common.CommonMiddleware` and the
+:setting:`APPEND_SLASH` setting are both enabled, and if the project has a
+URL pattern that accepts any path ending in a slash (many content management
+systems have such a pattern), then a request to a maliciously crafted URL of
+that site could lead to a redirect to another site, enabling phishing and other
+attacks.
+
+``CommonMiddleware`` now escapes leading slashes to prevent redirects to other
+domains.
+
Bugfixes
========
generated by cgit v1.3 (git 2.53.0) at 2026-05-02 05:43:42 +0000