Security fix released
In accordance with our security policy, a set of releases is being
issued tonight to fix a security vulnerability reported to the Django
project. This entry contains a description of the vulnerability, a
description of the changes made to fix it, pointers to the
relevant patches for each supported version of Django and pointers to
the resulting releases. A copy of this information will also be posted
to the django-users and django-developers mailing lists. The Django website is being updated to reflect the new releases.
Description of vulnerability
The Django administration application will, when accessed by a user
who is not sufficiently authenticated, display a login form and ask
the user to provide the necessary credentials before displaying the
requested page. This form will be submitted to the URL the user
attempted to access, by supplying the current request path as the
value of the form’s “action” attribute.
The value of the request path was not being escaped, creating an
opportunity for a cross-site scripting (XSS) attack by leading a user
to a URL which contained URL-encoded HTML and/or JavaScript in the
request path.
Affected versions
- Django development trunk
- Django 0.96
- Django 0.95
- Django 0.91
Resolution
The login form has been changed to escape the request path before use
as the form’s submission action.
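To make the flaw in the description above and the fix in this section concrete, the following is an added example (not Django's own code or the code from the changesets): a minimal model of the admin login form's action attribute, first built from the raw request path and then from the escaped path. The sample path is constructed, and escaping is modelled with the standard library's html.escape rather than Django's template machinery.

```python
import html
from urllib.parse import unquote

# Constructed sample: the browser sends the path percent-encoded, and the
# server decodes it before Django sees it as the request path.
SAMPLE_ENCODED_PATH = "/admin/auth/user/%22%3E%3Cb%3Einjected%3C%2Fb%3E"


def decode_request_path(raw_path: str) -> str:
    """Model the server-side percent-decoding that produces request.path."""
    return unquote(raw_path)


def render_login_form_vulnerable(request_path: str) -> str:
    """Pre-fix behaviour: the decoded path is dropped into the action verbatim,
    so a double quote in the path terminates the attribute early."""
    return '<form action="%s" method="post">...</form>' % request_path


def render_login_form_fixed(request_path: str) -> str:
    """Post-fix behaviour: HTML-escape the path (quotes included) so it can
    only ever be read as the attribute's value."""
    return '<form action="%s" method="post">...</form>' % html.escape(request_path, quote=True)


def action_attribute_intact(rendered: str, request_path: str) -> bool:
    """Defensive check usable in a template test: the first quoted action value,
    once HTML-unescaped, must round-trip to the full request path."""
    start = rendered.index('action="') + len('action="')
    end = rendered.index('"', start)
    return html.unescape(rendered[start:end]) == request_path
```
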
The relevant changesets for affected versions of Django are:
- Django development trunk: Changeset 7521
- Django 0.96: Changeset 7527
- Django 0.95: Changeset 7528
- Django 0.91: Changeset 7529
The following releases have been issued based on the above changesets:
All users of affected versions of Django are strongly encouraged to
apply the relevant patch or upgrade to the relevant patched release as
soon as possible.
Release manager’s note
If you maintain a third-party Django package and you did not receive
the announcement of these releases earlier tonight, please
email James Bennett (ubernostrum@gmail.com) as soon as possible.
Also, please note that potential security vulnerabilities should be
reported directly to the Django project, at
security@djangoproject.com, as outlined in our security policy. Following this procedure helps us to maintain high standards of
response and disclosure, and makes the process of investigating and
resolving security issues much easier for everyone involved.
(Via The Django weblog.)