August 13, 2013
This is Django 1.5.2, a bugfix and security release for Django 1.5.
Mitigated possible XSS attack via user-supplied redirect URLs
Django relies on user input in some cases (e.g.
django.contrib.auth.views.login()
, django.contrib.comments
, and
i18n) to redirect the user to an "on success" URL.
The security checks for these redirects (namely
django.utils.http.is_safe_url()
) didn't check if the scheme is http(s)
and as such allowed javascript:...
URLs to be entered. If a developer
relied on is_safe_url()
to provide safe redirect targets and put such a
URL into a link, they could suffer from a XSS attack. This bug doesn't affect
Django currently, since we only put this URL into the Location
response
header and browsers seem to ignore JavaScript there.
XSS vulnerability in django.contrib.admin
If a URLField
is used in Django 1.5, it displays the
current value of the field and a link to the target on the admin change page.
The display routine of this widget was flawed and allowed for XSS.
漏洞修复
- Fixed a crash with
prefetch_related()
(#19607) as well as somepickle
regressions withprefetch_related
(#20157 and #20257). - Fixed a regression in
django.contrib.gis
in the Google Map output on Python 3 (#20773). - Made
DjangoTestSuiteRunner.setup_databases
properly handle aliases for the default database (#19940) and preventedteardown_databases
from attempting to tear down aliases (#20681). - Fixed the
django.core.cache.backends.memcached.MemcachedCache
backend'sget_many()
method on Python 3 (#20722). - Fixed
django.contrib.humanize
translation syntax errors. Affected languages: Mexican Spanish, Mongolian, Romanian, Turkish (#20695). - Added support for wheel packages (#19252).
- The CSRF token now rotates when a user logs in.
- Some Python 3 compatibility fixes including #20212 and #20025.
- Fixed some rare cases where
get()
exceptions recursed infinitely (#20278). makemessages
no longer crashes withUnicodeDecodeError
(#20354).- Fixed
geojson
detection with SpatiaLite. assertContains()
once again works with binary content (#20237).- Fixed
ManyToManyField
if it has a Unicodename
parameter (#20207). - Ensured that the WSGI request's path is correctly based on the
SCRIPT_NAME
environment variable or theFORCE_SCRIPT_NAME
setting, regardless of whether or not either has a trailing slash (#20169). - Fixed an obscure bug with the
override_settings()
decorator. If you hit anAttributeError: 'Settings' object has no attribute '_original_allowed_hosts'
exception, it's probably fixed (#20636).
讨论区