
Accepted python-django 1.2.3-3+squeeze1 (source all)



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 08 Feb 2011 16:02:06 +0000
Source: python-django
Binary: python-django python-django-doc
Architecture: source all
Version: 1.2.3-3+squeeze1
Distribution: stable-security
Urgency: high
Maintainer: Chris Lamb <lamby@debian.org>
Changed-By: Chris Lamb <lamby@debian.org>
Description: 
 python-django - High-level Python web development framework
 python-django-doc - High-level Python web development framework (documentation)
Changes: 
 python-django (1.2.3-3+squeeze1) stable-security; urgency=high
 .
   * Resolve two vulnerabilities:
 .
     - Flaw in CSRF handling
 .
       Django includes a cross-site request forgery protection mechanism, which
       makes use of a token inserted into outgoing forms. Middleware then checks
       for the token's presence on form submission, and validates it.
 .
       Previously, however, Django's CSRF protection made an exception for AJAX
       requests, on the following basis:
 .
       1. Many AJAX toolkits add an 'X-Requested-With' header when using
          XMLHttpRequest.
 .
       2. Browsers have strict same-origin policies regarding XMLHttpRequest.
 .
       3. In the context of a browser, the only way that a custom header of this
          nature can be added is with XMLHttpRequest.
 .
       Therefore, for ease of use, Django did not apply CSRF checks to requests
       that appeared to be AJAX on the basis of the X-Requested-With header. The
       Ruby on Rails web framework had a similar exemption.
 .
       Recently, engineers at Google made members of the Ruby on Rails
       development team aware of a combination of browser plugins and redirects
       which can allow an attacker to provide custom HTTP headers on a request
       to any website. This can allow a forged request to appear to be an AJAX
       request, thereby defeating CSRF protection which trusts the same-origin
       nature of AJAX requests.
 .
       Michael Koziarski of the Rails team brought this to the Django
       developers' attention, and we were able to produce a proof-of-concept
       demonstrating the same vulnerability in Django's CSRF handling.
 .
       To remedy this, Django will now apply full CSRF validation to all
       requests, regardless of apparent AJAX origin. This is technically
       backwards-incompatible, but the security risks have been judged to
       outweigh the compatibility concerns in this case.
 .
       Extended notes on how to accommodate this change will be added to the
       Django homepage in following days.
 .
     - Potential XSS in file field rendering
 .
       Django's form system includes form fields and widgets for performing file
       uploads; in many cases, the name of the file currently stored in the
       field is displayed. In the process of rendering, the filename is
       displayed without being escaped.
 .
       In many cases this does not result in a cross-site-scripting
       vulnerability, as file-storage backends can and are encouraged to (and
       the default backends provided with Django do) sanitize the supplied
       filename according to their requirements. However, the risk of a
       vulnerability appearing in a backend which does not sanitize, or which
       performs insufficient sanitization, is such that Django will now
       automatically escape filenames in form rendering.
 .
    Thanks to James Bennett <james@b-list.org>.
Checksums-Sha1: 
Checksums-Sha256: 
Files: 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk1WWXsACgkQ5/8uW2NPmiCHSACgkpX9eVDK6ffaoVVe5/4hxGZn
Dv0An3nTriTLL3C03b5kgrQnleBK50yC
=4ROd
-----END PGP SIGNATURE-----


Accepted:
python-django-doc_1.2.3-3+squeeze1_all.deb
  to main/p/python-django/python-django-doc_1.2.3-3+squeeze1_all.deb
python-django_1.2.3-3+squeeze1.debian.tar.gz
  to main/p/python-django/python-django_1.2.3-3+squeeze1.debian.tar.gz
python-django_1.2.3-3+squeeze1.dsc
  to main/p/python-django/python-django_1.2.3-3+squeeze1.dsc
python-django_1.2.3-3+squeeze1_all.deb
  to main/p/python-django/python-django_1.2.3-3+squeeze1_all.deb
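A simplified model of the CSRF change described in the changelog above, added here as an illustration and not code from Django or from this Debian upload. Requests are plain dicts and the token store is a single session value (both constructed); the fixed path also accepts the token in an X-CSRFToken header, which is how Django lets AJAX callers keep working once the exemption is gone.

```python
"""Model of the old AJAX exemption versus the hardened check (constructed)."""
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def csrf_check(request, session_token, exempt_ajax):
    """Return True if the request passes CSRF validation.

    exempt_ajax=True reproduces the old behaviour: a request carrying
    X-Requested-With: XMLHttpRequest skipped validation entirely, on the
    assumption that only same-origin XMLHttpRequest could set that header.
    exempt_ajax=False is the fixed behaviour: every unsafe request must
    present a token that matches the session's token, via the form field
    or the X-CSRFToken header.
    """
    if request["method"] in SAFE_METHODS:
        return True
    if exempt_ajax and request["headers"].get("X-Requested-With") == "XMLHttpRequest":
        return True  # the hole: a forged header alone bypasses the check
    submitted = (request["post"].get("csrfmiddlewaretoken")
                 or request["headers"].get("X-CSRFToken", ""))
    # constant-time compare so the check itself does not leak the token
    return hmac.compare_digest(submitted, session_token)


SESSION_TOKEN = secrets.token_hex(16)

# Constructed request: cross-site POST with no token that, through the
# plugin-and-redirect trick the advisory describes, carries the AJAX header.
FORGED_AJAX = {"method": "POST",
               "headers": {"X-Requested-With": "XMLHttpRequest"},
               "post": {}}

# Constructed request: a same-origin AJAX call that sends the token in the
# header, as clients must once the exemption is removed.
TOKENED_AJAX = {"method": "POST",
                "headers": {"X-Requested-With": "XMLHttpRequest",
                            "X-CSRFToken": SESSION_TOKEN},
                "post": {}}


def old_behaviour():       # forged request accepted: vulnerable
    return csrf_check(FORGED_AJAX, SESSION_TOKEN, exempt_ajax=True)


def fixed_behaviour():     # forged request rejected
    return csrf_check(FORGED_AJAX, SESSION_TOKEN, exempt_ajax=False)


def tokened_ajax_works():  # legitimate AJAX still passes after the fix
    return csrf_check(TOKENED_AJAX, SESSION_TOKEN, exempt_ajax=False)
```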

