blob: fca551e77294d8cb274eb78b5a44c400a913a459 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
|
============================
Django 1.11.15 release notes
============================
*August 1, 2018*
Django 1.11.15 fixes a security issue in 1.11.14.
CVE-2018-14574: Open redirect possibility in ``CommonMiddleware``
=================================================================
If the :class:`~django.middleware.common.CommonMiddleware` and the
:setting:`APPEND_SLASH` setting are both enabled, and if the project has a
URL pattern that accepts any path ending in a slash (many content management
systems have such a pattern), then a request to a maliciously crafted URL of
that site could lead to a redirect to another site, enabling phishing and other
attacks.
``CommonMiddleware`` now escapes leading slashes to prevent redirects to other
domains.
|
