
Accepted python-django 1.2.3-3+squeeze1 (source all)

Format: 1.8
Date: Tue, 08 Feb 2011 16:02:06 +0000
Source: python-django
Binary: python-django python-django-doc
Architecture: source all
Version: 1.2.3-3+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
 python-django - High-level Python web development framework
 python-django-doc - High-level Python web development framework (documentation)
 python-django (1.2.3-3+squeeze1) stable-security; urgency=high
   * Resolve two vulnerabilities:
     - Flaw in CSRF handling
       Django includes a cross-site request forgery protection mechanism, which
       makes use of a token inserted into outgoing forms. Middleware then checks
       for the token's presence on form submission, and validates it.
       Previously, however, Django's CSRF protection made an exception for AJAX
       requests, on the following basis:
       1. Many AJAX toolkits add an 'X-Requested-With' header when using
       2. Browsers have strict same-origin policies regarding XMLHttpRequest.
       3. In the context of a browser, the only way that a custom header of this
          nature can be added is with XMLHttpRequest.
       Therefore, for ease of use, Django did not apply CSRF checks to requests
       that appeared to be AJAX on the basis of the X-Requested-With header. The
       Ruby on Rails web framework had a similar exemption.
       Recently, engineers at Google made members of the Ruby on Rails
       development team aware of a combination of browser plugins and redirects
       which can allow an attacker to provide custom HTTP headers on a request
       to any website. This can allow a forged request to appear to be an AJAX
       request, thereby defeating CSRF protection which trusts the same-origin
       nature of AJAX requests.
       Michael Koziarski of the Rails team brought this to the Django
       developers' attention, and we were able to produce a proof-of-concept
       demonstrating the same vulnerability in Django's CSRF handling.
       To remedy this, Django will now apply full CSRF validation to all
       requests, regardless of apparent AJAX origin. This is technically
       backwards-incompatible, but the security risks have been judged to
       outweigh the compatibility concerns in this case.
       Extended notes on how to accommodate this change will be added to the
       Django homepage in following days.
     - Potential XSS in file field rendering
       Django's form system includes form fields and widgets for performing file
       uploads; in many cases, the name of the file currently stored in the
       field is displayed. In the process of rendering, the filename is
       displayed without being escaped.
       In many cases this does not result in a cross-site-scripting
       vulnerability, as file-storage backends can and are encouraged to (and
       the default backends provided with Django do) sanitize the supplied
       filename according to their requirements. However, the risk of a
       vulnerability appearing in a backend which does not sanitize, or which
       performs insufficient sanitization, is such that Django will now
       automatically escape filenames in form rendering.
    Thanks to James Bennett <james@b-list.org>.
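As an added illustration (not code from the Django project or from this upload), the following Python sketch models the CSRF check before and after the change described above. A minimal `Request` class stands in for Django's HttpRequest; `check_csrf_with_ajax_exemption` reproduces the removed X-Requested-With shortcut, while `check_csrf` validates the token on every unsafe method.

```python
import hmac
from dataclasses import dataclass, field

# Methods that are expected to be side-effect free and therefore skip the check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass
class Request:
    """Constructed stand-in for Django's HttpRequest (hypothetical, for this example)."""
    method: str
    cookies: dict = field(default_factory=dict)   # e.g. {"csrftoken": "..."}
    post: dict = field(default_factory=dict)      # e.g. {"csrfmiddlewaretoken": "..."}
    headers: dict = field(default_factory=dict)   # e.g. {"X-Requested-With": "..."}


def _token_valid(request: Request) -> bool:
    """The token submitted with the form must match the one in the CSRF cookie."""
    cookie = request.cookies.get("csrftoken", "")
    submitted = request.post.get("csrfmiddlewaretoken", "")
    # Constant-time comparison; an empty cookie can never validate.
    return bool(cookie) and hmac.compare_digest(cookie, submitted)


def check_csrf_with_ajax_exemption(request: Request) -> bool:
    """Pre-fix behaviour: a request that merely *looks* like AJAX is trusted."""
    if request.method in SAFE_METHODS:
        return True
    if request.headers.get("X-Requested-With") == "XMLHttpRequest":
        return True  # the exemption the advisory removes: header presence is not proof of origin
    return _token_valid(request)


def check_csrf(request: Request) -> bool:
    """Post-fix behaviour: every unsafe request must carry a valid token, AJAX or not."""
    if request.method in SAFE_METHODS:
        return True
    return _token_valid(request)


if __name__ == "__main__":
    # Constructed sample: a cross-site POST that carries the header but no token.
    forged = Request("POST", cookies={"csrftoken": "c0ffee"},
                     headers={"X-Requested-With": "XMLHttpRequest"})
    # Constructed sample: a legitimate form submission with the matching token.
    genuine = Request("POST", cookies={"csrftoken": "c0ffee"},
                      post={"csrfmiddlewaretoken": "c0ffee"})
    print("exempt version accepts forged request:", check_csrf_with_ajax_exemption(forged))
    print("fixed version accepts forged request:  ", check_csrf(forged))
    print("fixed version accepts genuine request: ", check_csrf(genuine))
```

The point of the pair is that the header can no longer substitute for the token: only a request that already holds the per-session cookie value and echoes it back is accepted.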
  to main/p/python-django/python-django-doc_1.2.3-3+squeeze1_all.deb
  to main/p/python-django/python-django_1.2.3-3+squeeze1.debian.tar.gz
  to main/p/python-django/python-django_1.2.3-3+squeeze1.dsc
  to main/p/python-django/python-django_1.2.3-3+squeeze1_all.deb