September 14, 2013
This is Django 1.5.4, the fourth release in the Django 1.5 series. It addresses two security issues and one bug.
Denial-of-service via password hashers
In previous versions of Django, no limit was imposed on the plaintext length of a password. This allowed a denial-of-service attack through submission of bogus but extremely large passwords, tying up server resources performing the (expensive, and increasingly expensive with the length of the password) calculation of the corresponding hash.
As of 1.5.4, Django's authentication framework imposes a 4096-byte limit on passwords, and will fail authentication with any submitted password of greater length.
Corrected usage of sensitive_post_parameters()
in django.contrib.auth
’s admin
The decoration of the add_view
and user_change_password
user admin
views with sensitive_post_parameters()
did not include method_decorator()
(required
since the views are methods) resulting in the decorator not being properly
applied. This usage has been fixed and
sensitive_post_parameters()
will now
throw an exception if it's improperly used.
漏洞修复
- Fixed a bug that prevented a
QuerySet
that usesprefetch_related()
from being pickled and unpickled more than once (the second pickling attempt raised an exception) (#21102).
讨论区