[1.3.x] Added missing release notes for older versions of Django

Backport of 3f6cc33 from master
commit 7dd37edf6292ad0d24059e7039cabefceca32caa 1 parent 956b755
Tim Graham authored August 12, 2013
14  docs/releases/1.3.2.txt
@@ -0,0 +1,14 @@
  1
+==========================
  2
+Django 1.3.2 release notes
  3
+==========================
  4
+
  5
+*July 30, 2012*
  6
+
  7
+This is the second security release in the Django 1.3 series, fixing several
  8
+security issues in Django 1.3. Django 1.3.2 is a recommended upgrade for
  9
+all users of Django 1.3.
  10
+
  11
+For a full list of issues addressed in this release, see the `security
  12
+advisory`_.
  13
+
  14
+.. _security advisory: https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/
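Review bot: lines 7-12 say the release fixes "several security issues" but never name them, so a reader learns what was fixed only by following the weblog link at line 14. Consider adding a one-line summary per issue (at least the category, the way the 1.3.4 and 1.3.5 notes in this same commit do with their "Host header poisoning" and "Redirect poisoning" headings) so the notes stay useful if that URL moves.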
11  docs/releases/1.3.3.txt
@@ -0,0 +1,11 @@
  1
+==========================
  2
+Django 1.3.3 release notes
  3
+==========================
  4
+
  5
+*August 1, 2012*
  6
+
  7
+Following Monday's security release of :doc:`Django 1.3.2 </releases/1.3.2>`,
  8
+we began receiving reports that one of the fixes applied was breaking Python
  9
+2.4 compatibility for Django 1.3. Since Python 2.4 is a supported Python
  10
+version for that release series, this release fixes compatibility with
  11
+Python 2.4.
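Review bot: line 7 dates the prior release relatively ("Monday's security release"), which means nothing once these notes are read on their own; the 1.3.2 notes added in this commit give that date as July 30, 2012, so say "the July 30, 2012 security release" instead. Lines 8-11 also do not say which of the 1.3.2 fixes broke Python 2.4 compatibility or how the breakage showed up; naming the affected change would help anyone triaging "it broke after upgrading to 1.3.2" reports.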
37  docs/releases/1.3.4.txt
@@ -0,0 +1,37 @@
  1
+==========================
  2
+Django 1.3.4 release notes
  3
+==========================
  4
+
  5
+*October 17, 2012*
  6
+
  7
+This is the fourth release in the Django 1.3 series.
  8
+
  9
+Host header poisoning
  10
+---------------------
  11
+
  12
+Some parts of Django -- independent of end-user-written applications -- make
  13
+use of full URLs, including domain name, which are generated from the HTTP Host
  14
+header. Some attacks against this are beyond Django's ability to control, and
  15
+require the web server to be properly configured; Django's documentation has
  16
+for some time contained notes advising users on such configuration.
  17
+
  18
+Django's own built-in parsing of the Host header is, however, still vulnerable,
  19
+as was reported to us recently. The Host header parsing in Django 1.3.3 and
  20
+Django 1.4.1 -- specifically, ``django.http.HttpRequest.get_host()`` -- was
  21
+incorrectly handling username/password information in the header. Thus, for
  22
+example, the following Host header would be accepted by Django when running on
  23
+"validsite.com"::
  24
+
  25
+    Host: validsite.com:random@evilsite.com
  26
+
  27
+Using this, an attacker can cause parts of Django -- particularly the
  28
+password-reset mechanism -- to generate and display arbitrary URLs to users.
  29
+
  30
+To remedy this, the parsing in ``HttpRequest.get_host()`` is being modified;
  31
+Host headers which contain potentially dangerous content (such as
  32
+username/password pairs) now raise the exception
  33
+:exc:`django.core.exceptions.SuspiciousOperation`.
  34
+
  35
+Details of this issue were initially posted online as a `security advisory`_.
  36
+
  37
+.. _security advisory: https://www.djangoproject.com/weblog/2012/oct/17/security/
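Review bot: the sample header at line 25 uses "validsite.com" and "evilsite.com", which are real-looking registrable domains; documentation examples should use the names reserved for that purpose (example.com, example.org, example.net per RFC 2606) so nobody copies the snippet into a test and resolves some unrelated third party's host. Separately, lines 30-33 say such Host headers now raise SuspiciousOperation but not what a deployment observes as a result (what response the client receives, whether anything is logged); a sentence on that would let operators recognise the rejection in their logs rather than mistake it for an application bug.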
60  docs/releases/1.3.5.txt
@@ -0,0 +1,60 @@
  1
+==========================
  2
+Django 1.3.5 release notes
  3
+==========================
  4
+
  5
+*December 10, 2012*
  6
+
  7
+Django 1.3.5 addresses two security issues present in previous Django releases
  8
+in the 1.3 series.
  9
+
  10
+Please be aware that this security release is slightly different from previous
  11
+ones. Both issues addressed here have been dealt with in prior security updates
  12
+to Django. In one case, we have received ongoing reports of problems, and in
  13
+the other we've chosen to take further steps to tighten up Django's code in
  14
+response to independent discovery of potential problems from multiple sources.
  15
+
  16
+Host header poisoning
  17
+---------------------
  18
+
  19
+Several earlier Django security releases focused on the issue of poisoning the
  20
+HTTP Host header, causing Django to generate URLs pointing to arbitrary,
  21
+potentially-malicious domains.
  22
+
  23
+In response to further input received and reports of continuing issues
  24
+following the previous release, we're taking additional steps to tighten Host
  25
+header validation. Rather than attempt to accommodate all features HTTP
  26
+supports here, Django's Host header validation attempts to support a smaller,
  27
+but far more common, subset:
  28
+
  29
+* Hostnames must consist of characters [A-Za-z0-9] plus hyphen ('-') or dot
  30
+  ('.').
  31
+* IP addresses -- both IPv4 and IPv6 -- are permitted.
  32
+* Port, if specified, is numeric.
  33
+
  34
+Any deviation from this will now be rejected, raising the exception
  35
+:exc:`django.core.exceptions.SuspiciousOperation`.
  36
+
  37
+Redirect poisoning
  38
+------------------
  39
+
  40
+Also following up on a previous issue: in July of this year, we made changes to
  41
+Django's HTTP redirect classes, performing additional validation of the scheme
  42
+of the URL to redirect to (since, both within Django's own supplied
  43
+applications and many third-party applications, accepting a user-supplied
  44
+redirect target is a common pattern).
  45
+
  46
+Since then, two independent audits of the code turned up further potential
  47
+problems. So, similar to the Host-header issue, we are taking steps to provide
  48
+tighter validation in response to reported problems (primarily with third-party
  49
+applications, but to a certain extent also within Django itself). This comes in
  50
+two parts:
  51
+
  52
+1. A new utility function, ``django.utils.http.is_safe_url``, is added; this
  53
+function takes a URL and a hostname, and checks that the URL is either
  54
+relative, or if absolute matches the supplied hostname. This function is
  55
+intended for use whenever user-supplied redirect targets are accepted, to
  56
+ensure that such redirects cannot lead to arbitrary third-party sites.
  57
+
  58
+2. All of Django's own built-in views -- primarily in the authentication system
  59
+-- which allow user-supplied redirect targets now use ``is_safe_url`` to
  60
+validate the supplied URL.
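Review bot: the enumerated list at lines 52-60 is not well-formed reStructuredText: the continuation lines of items 1 and 2 (for example line 53, "function takes a URL and a hostname, ...") start at column 0 instead of being indented to align with the item text, which docutils reports as an unexpected unindent and renders as a broken list. Indent those continuation lines by three spaces. Also, line 53 says ``is_safe_url`` "checks" the URL but not what the caller gets back (a boolean?) or what a view should do when the check fails; since the function is being introduced here as the recommended guard for user-supplied redirect targets, state the return value and the expected fallback (for example, redirecting to a fixed default) so third-party code adopts it correctly.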
13  docs/releases/1.3.7.txt
@@ -0,0 +1,13 @@
  1
+==========================
  2
+Django 1.3.7 release notes
  3
+==========================
  4
+
  5
+*February 20, 2013*
  6
+
  7
+Django 1.3.7 corrects a packaging problem with yesterday's :doc:`1.3.6 release
  8
+</releases/1.3.6>`.
  9
+
  10
+The release contained stray ``.pyc`` files that caused "bad magic number"
  11
+errors when running with some versions of Python. This releases corrects this,
  12
+and also fixes a bad documentation link in the project template ``settings.py``
  13
+file generated by ``manage.py startproject``.
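Review bot: typo at line 11: "This releases corrects this" should read "This release corrects this". Line 7 also refers to "yesterday's" 1.3.6 release, a relative reference that is only meaningful next to the February 20, 2013 date at line 5; give the 1.3.6 release date explicitly instead.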
5  docs/releases/index.txt
@@ -19,7 +19,12 @@ Final releases
19 19
 .. toctree::
20 20
    :maxdepth: 1
21 21
 
  22
+   1.3.7
22 23
    1.3.6
  24
+   1.3.5
  25
+   1.3.4
  26
+   1.3.3
  27
+   1.3.2
23 28
    1.3.1
24 29
    1.3
25 30
 
