[1.2.X] Fixed #15253, #15259 -- Added 1.1.4 release notes, added a section on CSRF changes to the 1.3 release notes, and corrected the example in the 1.2.5 release notes. Thanks to Gary Wilson and Mark Hellewell for the reports.

Backport of r15482 from trunk.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.2.X@15483 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit 5c4acfec0e39f91328f4d5637b4c312e7366b3cb 1 parent e62e740
Russell Keith-Magee authored
78  docs/releases/1.1.4.txt
@@ -0,0 +1,78 @@
  1
+==========================
  2
+Django 1.1.4 release notes
  3
+==========================
  4
+
  5
+Welcome to Django 1.1.4!
  6
+
  7
+This is the fourth "bugfix" release in the Django 1.1 series,
  8
+improving the stability and performance of the Django 1.1 codebase.
  9
+
  10
+With one exception, Django 1.1.4 maintains backwards compatibility
  11
+with Django 1.1.3, but contain a number of fixes and other
  12
+improvements. Django 1.1.4 is a recommended upgrade for any
  13
+development or deployment currently using or targeting Django 1.1.
  14
+
  15
+For full details on the new features, backwards incompatibilities, and
  16
+deprecated features in the 1.1 branch, see the :doc:`/releases/1.1`.
  17
+
  18
+Backwards-incompatible changes in 1.1.4
  19
+=======================================
  20
+
  21
+CSRF exception for AJAX requests
  22
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  23
+
  24
+Django includes a CSRF-protection mechanism, which makes use of a
  25
+token inserted into outgoing forms. Middleware then checks for the
  26
+token's presence on form submission, and validates it.
  27
+
  28
+Prior to Django 1.2.5, our CSRF protection made an exception for AJAX
  29
+requests, on the following basis:
  30
+
  31
+    * Many AJAX toolkits add an X-Requested-With header when using
  32
+      XMLHttpRequest.
  33
+
  34
+    * Browsers have strict same-origin policies regarding
  35
+      XMLHttpRequest.
  36
+
  37
+    * In the context of a browser, the only way that a custom header
  38
+      of this nature can be added is with XMLHttpRequest.
  39
+
  40
+Therefore, for ease of use, we did not apply CSRF checks to requests
  41
+that appeared to be AJAX on the basis of the X-Requested-With header.
  42
+The Ruby on Rails web framework had a similar exemption.
  43
+
  44
+Recently, engineers at Google made members of the Ruby on Rails
  45
+development team aware of a combination of browser plugins and
  46
+redirects which can allow an attacker to provide custom HTTP headers
  47
+on a request to any website. This can allow a forged request to appear
  48
+to be an AJAX request, thereby defeating CSRF protection which trusts
  49
+the same-origin nature of AJAX requests.
  50
+
  51
+Michael Koziarski of the Rails team brought this to our attention, and
  52
+we were able to produce a proof-of-concept demonstrating the same
  53
+vulnerability in Django's CSRF handling.
  54
+
  55
+To remedy this, Django will now apply full CSRF validation to all
  56
+requests, regardless of apparent AJAX origin. This is technically
  57
+backwards-incompatible, but the security risks have been judged to
  58
+outweigh the compatibility concerns in this case.
  59
+
  60
+Additionally, Django will now accept the CSRF token in the custom HTTP
  61
+header X-CSRFTOKEN, as well as in the form submission itself, for ease
  62
+of use with popular JavaScript toolkits which allow insertion of
  63
+custom headers into all AJAX requests.
  64
+
  65
+The following example using the jQuery JavaScript toolkit demonstrates
  66
+this; the call to jQuery's ajaxSetup will cause all AJAX requests to
  67
+send back the CSRF token in the custom X-CSRFTOKEN header::
  68
+
  69
+    $.ajaxSetup({
  70
+        beforeSend: function(xhr, settings) {
  71
+            if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
  72
+                // Only send the token to relative URLs i.e. locally.
  73
+                xhr.setRequestHeader("X-CSRFToken",
  74
+                                     $("#csrfmiddlewaretoken").val());
  75
+            }
  76
+        }
  77
+    });
  78
+
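Review bot: the jQuery example at lines 69-77 reads the token with `$("#csrfmiddlewaretoken").val()`, an id selector, so it is worth confirming that the hidden field Django renders into forms actually carries that id and not only a `name` attribute; if the selector matches nothing, `.val()` yields undefined and every request goes out with an unusable `X-CSRFToken` header and fails validation. The origin test on line 71 only excludes URLs that begin with `http:` or `https:`, so a protocol-relative URL (`//other-host/path`) still receives the token; checking that the URL is relative (starts with `/` but not `//`) or that it matches `document.location` would keep the token on the site that issued it. Minor, line 11: "Django 1.1.4 ... but contain a number of fixes" should read "contains".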
28  docs/releases/1.2.5.txt
@@ -7,7 +7,7 @@ Welcome to Django 1.2.5!
7 7
 This is the fifth "bugfix" release in the Django 1.2 series,
8 8
 improving the stability and performance of the Django 1.2 codebase.
9 9
 
10  
-With three exceptions, Django 1.2.5 maintains backwards compatibility
  10
+With four exceptions, Django 1.2.5 maintains backwards compatibility
11 11
 with Django 1.2.4, but contain a number of fixes and other
12 12
 improvements. Django 1.2.5 is a recommended upgrade for any
13 13
 development or deployment currently using or targeting Django 1.2.
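Review bot: the changed line raises the count from three to four exceptions, but nothing in this file's diff adds a fourth subsection, so please confirm that "Backwards-incompatible changes in 1.2.5" really has four entries after this commit; a hard-coded count like this goes stale each time a section is added, and "With the following exceptions" would not need maintaining at all. Unchanged line 11 has a pre-existing "but contain a number of fixes" that should be "contains".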
@@ -67,14 +67,28 @@ this; the call to jQuery's ajaxSetup will cause all AJAX requests to
67 67
 send back the CSRF token in the custom X-CSRFTOKEN header::
68 68
 
69 69
     $.ajaxSetup({
70  
-            beforeSend: function(xhr, settings) {
71  
-                if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
72  
-                    // Only send the token to relative URLs i.e. locally.
73  
-                    xhr.setRequestHeader("X-CSRFToken",
74  
-                                         $("#csrfmiddlewaretoken").val());
  70
+        beforeSend: function(xhr, settings) {
  71
+            function getCookie(name) {
  72
+                var cookieValue = null;
  73
+                if (document.cookie && document.cookie != '') {
  74
+                    var cookies = document.cookie.split(';');
  75
+                    for (var i = 0; i < cookies.length; i++) {
  76
+                        var cookie = jQuery.trim(cookies[i]);
  77
+                        // Does this cookie string begin with the name we want?
  78
+                        if (cookie.substring(0, name.length + 1) == (name + '=')) {
  79
+                            cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
  80
+                            break;
  81
+                        }
  82
+                    }
75 83
                 }
  84
+                return cookieValue;
76 85
             }
77  
-        });
  86
+            if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
  87
+                // Only send the token to relative URLs i.e. locally.
  88
+                xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));
  89
+            }
  90
+        }
  91
+    });
78 92
 
79 93
 
80 94
 FileField no longer deletes files
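Review bot: `getCookie` (lines 71-85) is declared inside `beforeSend`, so it is redefined on every AJAX request; hoisting it to the enclosing scope leaves the callback with just the origin check and the `setRequestHeader` call, which is easier for readers of release notes to copy. The origin check kept on line 86 still only rejects URLs with an explicit `http:`/`https:` prefix, so protocol-relative URLs (`//host/path`) pass and the token is attached to a cross-origin request; testing for a leading `/` that is not `//`, or comparing the URL's host against `document.location`, is the safer condition. Minor: on line 73, `document.cookie != ''` is redundant after the truthiness test on the same line, and `decodeURIComponent` on line 79 will throw on a malformed cookie value, so a `try`/`catch` that returns null would be more robust.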
1  docs/releases/index.txt
@@ -29,6 +29,7 @@ Final releases
29 29
 .. toctree::
30 30
    :maxdepth: 1
31 31
 
  32
+   1.1.4
32 33
    1.1.2
33 34
    1.1
34 35
 
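Review bot: the toctree now goes `1.1.4`, `1.1.2`, `1.1`, skipping 1.1.3, while the 1.1.4 notes added in this same commit describe compatibility with Django 1.1.3; if a `1.1.3` release-notes file exists in docs/releases it should be listed here as well, and if it does not, that gap is worth a mention somewhere so readers do not look for it.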
