<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Django 1.5.3 release notes — Django 1.5.9 documentation</title> <link rel="stylesheet" href="../_static/default.css" type="text/css" /> <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../', VERSION: '1.5.9', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', HAS_SOURCE: true }; </script> <script type="text/javascript" src="../_static/jquery.js"></script> <script type="text/javascript" src="../_static/underscore.js"></script> <script type="text/javascript" src="../_static/doctools.js"></script> <link rel="top" title="Django 1.5.9 documentation" href="../index.html" /> <link rel="up" title="Release notes" href="index.html" /> <link rel="next" title="Django 1.5.2 release notes" href="1.5.2.html" /> <link rel="prev" title="Django 1.5.4 release notes" href="1.5.4.html" /> <script type="text/javascript" src="../templatebuiltins.js"></script> <script type="text/javascript"> (function($) { if (!django_template_builtins) { // templatebuiltins.js missing, do nothing. return; } $(document).ready(function() { // Hyperlink Django template tags and filters var base = "../ref/templates/builtins.html"; if (base == "#") { // Special case for builtins.html itself base = ""; } // Tags are keywords, class '.k' $("div.highlight\\-html\\+django span.k").each(function(i, elem) { var tagname = $(elem).text(); if ($.inArray(tagname, django_template_builtins.ttags) != -1) { var fragment = tagname.replace(/_/, '-'); $(elem).html("<a href='" + base + "#" + fragment + "'>" + tagname + "</a>"); } }); // Filters are functions, class '.nf' $("div.highlight\\-html\\+django span.nf").each(function(i, elem) { var filtername = $(elem).text(); if ($.inArray(filtername, django_template_builtins.tfilters) != -1) { var fragment = filtername.replace(/_/, '-'); $(elem).html("<a href='" + base + "#" + fragment + "'>" + filtername + "</a>"); } }); }); })(jQuery); </script> </head> <body> <div class="document"> <div id="custom-doc" class="yui-t6"> <div id="hd"> <h1><a href="../index.html">Django 1.5.9 documentation</a></h1> <div id="global-nav"> <a title="Home page" href="../index.html">Home</a> | <a title="Table of contents" href="../contents.html">Table of contents</a> | <a title="Global index" href="../genindex.html">Index</a> | <a title="Module index" href="../py-modindex.html">Modules</a> </div> <div class="nav"> « <a href="1.5.4.html" title="Django 1.5.4 release notes">previous</a> | <a href="index.html" title="Release notes" accesskey="U">up</a> | <a href="1.5.2.html" title="Django 1.5.2 release notes">next</a> »</div> </div> <div id="bd"> <div id="yui-main"> <div class="yui-b"> <div class="yui-g" id="releases-1.5.3"> <div class="section" id="s-django-1-5-3-release-notes"> <span id="django-1-5-3-release-notes"></span><h1>Django 1.5.3 release notes<a class="headerlink" href="#django-1-5-3-release-notes" title="Permalink to this headline">¶</a></h1> <p><em>September 10, 2013</em></p> <p>This is Django 1.5.3, the third release in the Django 1.5 series. It addresses one security issue and also contains an opt-in feature to enhance the security of <a class="reference internal" href="../topics/http/sessions.html#module-django.contrib.sessions" title="django.contrib.sessions: Provides session management for Django projects."><tt class="xref py py-mod docutils literal"><span class="pre">django.contrib.sessions</span></tt></a>.</p> <div class="section" id="s-directory-traversal-vulnerability-in-ssi-template-tag"> <span id="directory-traversal-vulnerability-in-ssi-template-tag"></span><h2>Directory traversal vulnerability in <a class="reference internal" href="../ref/templates/builtins.html#std:templatetag-ssi"><tt class="xref std std-ttag docutils literal"><span class="pre">ssi</span></tt></a> template tag<a class="headerlink" href="#directory-traversal-vulnerability-in-ssi-template-tag" title="Permalink to this headline">¶</a></h2> <p>In previous versions of Django it was possible to bypass the <a class="reference internal" href="../ref/settings.html#std:setting-ALLOWED_INCLUDE_ROOTS"><tt class="xref std std-setting docutils literal"><span class="pre">ALLOWED_INCLUDE_ROOTS</span></tt></a> setting used for security with the <a class="reference internal" href="../ref/templates/builtins.html#std:templatetag-ssi"><tt class="xref std std-ttag docutils literal"><span class="pre">ssi</span></tt></a> template tag by specifying a relative path that starts with one of the allowed roots. For example, if <tt class="docutils literal"><span class="pre">ALLOWED_INCLUDE_ROOTS</span> <span class="pre">=</span> <span class="pre">("/var/www",)</span></tt> the following would be possible:</p> <div class="highlight-html+django"><div class="highlight"><pre><span class="cp">{%</span> <span class="k">ssi</span> <span class="s2">"/var/www/../../etc/passwd"</span> <span class="cp">%}</span> </pre></div> </div> <p>In practice this is not a very common problem, as it would require the template author to put the <a class="reference internal" href="../ref/templates/builtins.html#std:templatetag-ssi"><tt class="xref std std-ttag docutils literal"><span class="pre">ssi</span></tt></a> file in a user-controlled variable, but it’s possible in principle.</p> </div> <div class="section" id="s-mitigating-a-remote-code-execution-vulnerability-in-django-contrib-sessions"> <span id="mitigating-a-remote-code-execution-vulnerability-in-django-contrib-sessions"></span><h2>Mitigating a remote-code execution vulnerability in <a class="reference internal" href="../topics/http/sessions.html#module-django.contrib.sessions" title="django.contrib.sessions: Provides session management for Django projects."><tt class="xref py py-mod docutils literal"><span class="pre">django.contrib.sessions</span></tt></a><a class="headerlink" href="#mitigating-a-remote-code-execution-vulnerability-in-django-contrib-sessions" title="Permalink to this headline">¶</a></h2> <p><a class="reference internal" href="../topics/http/sessions.html#module-django.contrib.sessions" title="django.contrib.sessions: Provides session management for Django projects."><tt class="xref py py-mod docutils literal"><span class="pre">django.contrib.sessions</span></tt></a> currently uses <a class="reference external" href="http://docs.python.org/2.7/library/pickle.html#module-pickle" title="(in Python v2.7)"><tt class="xref py py-mod docutils literal"><span class="pre">pickle</span></tt></a> to serialize session data before storing it in the backend. If you’re using the <a class="reference internal" href="../topics/http/sessions.html#cookie-session-backend"><em>signed cookie session backend</em></a> and <a class="reference internal" href="../ref/settings.html#std:setting-SECRET_KEY"><tt class="xref std std-setting docutils literal"><span class="pre">SECRET_KEY</span></tt></a> is known by an attacker (there isn’t an inherent vulnerability in Django that would cause it to leak), the attacker could insert a string into his session which, when unpickled, executes arbitrary code on the server. The technique for doing so is simple and easily available on the internet. Although the cookie session storage signs the cookie-stored data to prevent tampering, a <a class="reference internal" href="../ref/settings.html#std:setting-SECRET_KEY"><tt class="xref std std-setting docutils literal"><span class="pre">SECRET_KEY</span></tt></a> leak immediately escalates to a remote code execution vulnerability.</p> <p>This attack can be mitigated by serializing session data using JSON rather than <a class="reference external" href="http://docs.python.org/2.7/library/pickle.html#module-pickle" title="(in Python v2.7)"><tt class="xref py py-mod docutils literal"><span class="pre">pickle</span></tt></a>. To facilitate this, Django 1.5.3 introduces a new setting, <a class="reference internal" href="../ref/settings.html#std:setting-SESSION_SERIALIZER"><tt class="xref std std-setting docutils literal"><span class="pre">SESSION_SERIALIZER</span></tt></a>, to customize the session serialization format. For backwards compatibility, this setting defaults to using <a class="reference external" href="http://docs.python.org/2.7/library/pickle.html#module-pickle" title="(in Python v2.7)"><tt class="xref py py-mod docutils literal"><span class="pre">pickle</span></tt></a>. While JSON serialization does not support all Python objects like <a class="reference external" href="http://docs.python.org/2.7/library/pickle.html#module-pickle" title="(in Python v2.7)"><tt class="xref py py-mod docutils literal"><span class="pre">pickle</span></tt></a> does, we highly recommend switching to JSON-serialized values. Also, as JSON requires string keys, you will likely run into problems if you are using non-string keys in <tt class="docutils literal"><span class="pre">request.session</span></tt>. See the <a class="reference internal" href="../topics/http/sessions.html#session-serialization"><em>Session serialization</em></a> documentation for more details.</p> </div> </div> </div> </div> </div> <div class="yui-b" id="sidebar"> <div class="sphinxsidebar"> <div class="sphinxsidebarwrapper"> <h3><a href="../contents.html">Table Of Contents</a></h3> <ul> <li><a class="reference internal" href="#">Django 1.5.3 release notes</a><ul> <li><a class="reference internal" href="#directory-traversal-vulnerability-in-ssi-template-tag">Directory traversal vulnerability in <tt class="docutils literal"><span class="pre">ssi</span></tt> template tag</a></li> <li><a class="reference internal" href="#mitigating-a-remote-code-execution-vulnerability-in-django-contrib-sessions">Mitigating a remote-code execution vulnerability in <tt class="docutils literal"><span class="pre">django.contrib.sessions</span></tt></a></li> </ul> </li> </ul> <h3>Browse</h3> <ul> <li>Prev: <a href="1.5.4.html">Django 1.5.4 release notes</a></li> <li>Next: <a href="1.5.2.html">Django 1.5.2 release notes</a></li> </ul> <h3>You are here:</h3> <ul> <li> <a href="../index.html">Django 1.5.9 documentation</a> <ul><li><a href="index.html">Release notes</a> <ul><li>Django 1.5.3 release notes</li></ul> </li></ul> </li> </ul> <h3>This Page</h3> <ul class="this-page-menu"> <li><a href="../_sources/releases/1.5.3.txt" rel="nofollow">Show Source</a></li> </ul> <div id="searchbox" style="display: none"> <h3>Quick search</h3> <form class="search" action="../search.html" method="get"> <input type="text" name="q" /> <input type="submit" value="Go" /> <input type="hidden" name="check_keywords" value="yes" /> <input type="hidden" name="area" value="default" /> </form> <p class="searchtip" style="font-size: 90%"> Enter search terms or a module, class or function name. </p> </div> <script type="text/javascript">$('#searchbox').show(0);</script> </div> </div> <h3>Last update:</h3> <p class="topless">Jan 15, 2015</p> </div> </div> <div id="ft"> <div class="nav"> « <a href="1.5.4.html" title="Django 1.5.4 release notes">previous</a> | <a href="index.html" title="Release notes" accesskey="U">up</a> | <a href="1.5.2.html" title="Django 1.5.2 release notes">next</a> »</div> </div> </div> <div class="clearer"></div> </div> </body> </html>