August 13, 2013
Django 1.4.6 fixes one security issue present in previous Django releases in the 1.4 series, as well as one other bug.
This is the sixth bugfix/security release in the Django 1.4 series.
Django relies on user input in some cases (e.g. django.contrib.auth.views.login(), django.contrib.comments, and i18n) to redirect the user to an "on success" URL. The security checks for these redirects (namely django.utils.http.is_safe_url()) didn't check whether the scheme is http(s), and as such allowed javascript:... URLs to be entered. If a developer relied on is_safe_url() to provide safe redirect targets and put such a URL into a link, they could suffer from an XSS attack. This bug doesn't affect Django itself, since Django only puts this URL into the Location response header and browsers ignore javascript: URLs there; it affects application code that writes the checked value into an href or other markup.
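The following is an added illustration, not Django's own is_safe_url() source: a host-only check of the kind described above beside one that also restricts the scheme to http(s). The function names (is_safe_url_host_only, is_safe_url_hardened, redirect_target, compare_checks) and the sample redirect targets are assumptions made up for this example; the hostname example.com stands in for whatever request.get_host() would return.

```python
from urllib.parse import urlparse

# Sample redirect targets, constructed for this example. The last two are the
# kind of value an attacker would supply in a "next" parameter.
SAMPLE_TARGETS = [
    "/accounts/profile/",
    "https://example.com/dashboard/",
    "http://evil.example/",
    "javascript:alert(document.cookie)",
    "data:text/html,<script>alert(1)</script>",
]


def is_safe_url_host_only(url, host):
    """Host-only check (illustrative, not Django's code): accept a target that
    has no host, or whose host equals ours. A scheme-only URL such as
    javascript:... has no host, so it slips through."""
    if not url:
        return False
    parts = urlparse(url)
    return not parts.netloc or parts.netloc == host


def is_safe_url_hardened(url, host):
    """The same check with the fix this release describes: if the target
    carries a scheme at all, it must be http or https. Relative paths (no
    scheme, no host) and absolute URLs on our own host are still accepted."""
    if not url:
        return False
    url = url.strip()  # leading whitespace must not hide a scheme
    parts = urlparse(url)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False
    # netloc includes the port, so compare against host:port as served.
    return not parts.netloc or parts.netloc == host


def redirect_target(next_param, host, fallback="/"):
    """How a view should consume the check: fall back to a fixed path instead
    of ever emitting the untrusted value, whether into a Location header or
    into an <a href> in the response body."""
    if is_safe_url_hardened(next_param, host):
        return next_param
    return fallback


def compare_checks(host="example.com"):
    """Run both checks over the samples: {url: (host_only, hardened)}."""
    return {
        url: (is_safe_url_host_only(url, host), is_safe_url_hardened(url, host))
        for url in SAMPLE_TARGETS
    }


if __name__ == "__main__":
    for url, (old, new) in compare_checks().items():
        print(f"{url!r:48} host-only={old!s:5} hardened={new}")
```

The host-only variant accepts javascript: and data: targets because urlparse() reports an empty netloc for them; the hardened variant rejects any target whose scheme is not http or https before looking at the host at all. Nothing in either check makes the value safe to place in markup: the view still owns the decision of where the string ends up, which is why redirect_target() substitutes a fixed fallback rather than the rejected input.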
Also fixed in this release: a bug in the override_settings() decorator. If you hit an ``AttributeError: 'Settings' object has no attribute '_original_allowed_hosts'`` exception, it is probably fixed (#20636).