April 4, 2017
Django 1.10.7 fixes two security issues and a bug in 1.10.6.
Django relies on user input in some cases (e.g.
django.contrib.auth.views.login()
and i18n)
to redirect the user to an “on success” URL. The security check for these
redirects (namely django.utils.http.is_safe_url()
) considered some numeric
URLs (e.g. http:999999999
) “safe” when they shouldn’t be.
Also, if a developer relies on is_safe_url()
to provide safe redirect
targets and puts such a URL into a link, they could suffer from an XSS attack.
django.views.static.serve()
¶A maliciously crafted URL to a Django site using the
serve()
view could redirect to any other domain. The
view no longer does any redirects as they don’t provide any known, useful
functionality.
Note, however, that this view has always carried a warning that it is not hardened for production use and should be used only as a development aid.
May 01, 2019