Added 1.4.7/1.5.3 release notes

commit baec6a26dd259a0b41f59fa123f7675d8e05de61 1 parent 7fe5b65
Tim Graham authored
25  docs/releases/1.4.7.txt
@@ -0,0 +1,25 @@
+==========================
+Django 1.4.7 release notes
+==========================
+
+*September 10, 2013*
+
+Django 1.4.7 fixes one security issue present in previous Django releases in
+the 1.4 series.
+
+Directory traversal vulnerability in :ttag:`ssi` template tag
+-------------------------------------------------------------
+
+In previous versions of Django it was possible to bypass the
+:setting:`ALLOWED_INCLUDE_ROOTS` setting used for security with the :ttag:`ssi`
+template tag by specifying a relative path that starts with one of the allowed
+roots. For example, if ``ALLOWED_INCLUDE_ROOTS = ("/var/www",)`` the following
+would be possible:
+
+.. code-block:: html+django
+
+    {% ssi "/var/www/../../etc/passwd" %}
+
+In practice this is not a very common problem, as it would require the template
+author to put the :ttag:`ssi` file in a user-controlled variable, but it's
+possible in principle.
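Review bot: the section explains the bypass but never says what 1.4.7 changes, so a reader auditing an upgrade cannot tell from this note whether the fix normalizes the requested path before comparing it against :setting:`ALLOWED_INCLUDE_ROOTS` or rejects paths containing ``..`` outright; add one sentence describing the new check. Also, in the last paragraph, "put the :ttag:`ssi` file in a user-controlled variable" should read "put the :ttag:`ssi` path in a user-controlled variable", since it is the filename argument, not the file, that would be influenced by the user.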
50  docs/releases/1.5.3.txt
@@ -0,0 +1,50 @@
+==========================
+Django 1.5.3 release notes
+==========================
+
+*September 10, 2013*
+
+This is Django 1.5.3, the third release in the Django 1.5 series. It addresses
+one security issue and also contains an opt-in feature to enhance the security
+of :mod:`django.contrib.sessions`.
+
+Directory traversal vulnerability in :ttag:`ssi` template tag
+-------------------------------------------------------------
+
+In previous versions of Django it was possible to bypass the
+:setting:`ALLOWED_INCLUDE_ROOTS` setting used for security with the :ttag:`ssi`
+template tag by specifying a relative path that starts with one of the allowed
+roots. For example, if ``ALLOWED_INCLUDE_ROOTS = ("/var/www",)`` the following
+would be possible:
+
+.. code-block:: html+django
+
+    {% ssi "/var/www/../../etc/passwd" %}
+
+In practice this is not a very common problem, as it would require the template
+author to put the :ttag:`ssi` file in a user-controlled variable, but it's
+possible in principle.
+
+Mitigating a remote-code execution vulnerability in :mod:`django.contrib.sessions`
+----------------------------------------------------------------------------------
+
+:mod:`django.contrib.sessions` currently uses :mod:`pickle` to serialize
+session data before storing it in the backend. If you're using the :ref:`signed
+cookie session backend<cookie-session-backend>` and :setting:`SECRET_KEY` is
+known by an attacker (there isn't an inherent vulnerability in Django that
+would cause it to leak), the attacker could insert a string into his session
+which, when unpickled, executes arbitrary code on the server. The technique for
+doing so is simple and easily available on the internet. Although the cookie
+session storage signs the cookie-stored data to prevent tampering, a
+:setting:`SECRET_KEY` leak immediately escalates to a remote code execution
+vulnerability.
+
+This attack can be mitigated by serializing session data using JSON rather
+than :mod:`pickle`. To facilitate this, Django 1.5.3 introduces a new setting,
+:setting:`SESSION_SERIALIZER`, to customize the session serialization format.
+For backwards compatibility, this setting defaults to using :mod:`pickle`.
+While JSON serialization does not support all Python objects like :mod:`pickle`
+does, we highly recommend switching to JSON-serialized values. Also,
+as JSON requires string keys, you will likely run into problems if you are
+using non-string keys in ``request.session``. See the
+:ref:`session_serialization` documentation for more details.
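Review bot: the :setting:`SESSION_SERIALIZER` paragraph tells readers to switch to JSON but never gives the value to set, so the recommendation is not actionable from the release note alone; put the JSON serializer's dotted path (or a direct link to where it is documented) next to the setting name, and say whether sessions already stored in the :mod:`pickle` format remain readable after the switch or whether operators should expect users to be logged out on deployment. The :ttag:`ssi` section repeats the 1.4.7 text and has the same gap: it does not state what the fix changes. Minor: "insert a string into his session" reads better as "their session".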
2  docs/releases/index.txt
@@ -36,6 +36,7 @@ Final releases
 .. toctree::
    :maxdepth: 1
 
+   1.5.3
    1.5.2
    1.5.1
    1.5
@@ -45,6 +46,7 @@ Final releases
 .. toctree::
    :maxdepth: 1
 
+   1.4.7
    1.4.6
    1.4.5
    1.4.4
