<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Django 1.4.11 release notes — Django 1.5.9 documentation</title> <link rel="stylesheet" href="../_static/default.css" type="text/css" /> <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../', VERSION: '1.5.9', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', HAS_SOURCE: true }; </script> <script type="text/javascript" src="../_static/jquery.js"></script> <script type="text/javascript" src="../_static/underscore.js"></script> <script type="text/javascript" src="../_static/doctools.js"></script> <link rel="top" title="Django 1.5.9 documentation" href="../index.html" /> <link rel="up" title="Release notes" href="index.html" /> <link rel="next" title="Django 1.4.10 release notes" href="1.4.10.html" /> <link rel="prev" title="Django 1.4.12 release notes" href="1.4.12.html" /> <script type="text/javascript" src="../templatebuiltins.js"></script> <script type="text/javascript"> (function($) { if (!django_template_builtins) { // templatebuiltins.js missing, do nothing. return; } $(document).ready(function() { // Hyperlink Django template tags and filters var base = "../ref/templates/builtins.html"; if (base == "#") { // Special case for builtins.html itself base = ""; } // Tags are keywords, class '.k' $("div.highlight\\-html\\+django span.k").each(function(i, elem) { var tagname = $(elem).text(); if ($.inArray(tagname, django_template_builtins.ttags) != -1) { var fragment = tagname.replace(/_/, '-'); $(elem).html("<a href='" + base + "#" + fragment + "'>" + tagname + "</a>"); } }); // Filters are functions, class '.nf' $("div.highlight\\-html\\+django span.nf").each(function(i, elem) { var filtername = $(elem).text(); if ($.inArray(filtername, django_template_builtins.tfilters) != -1) { var fragment = filtername.replace(/_/, '-'); $(elem).html("<a href='" + base + "#" + fragment + "'>" + filtername + "</a>"); } }); }); })(jQuery); </script> </head> <body> <div class="document"> <div id="custom-doc" class="yui-t6"> <div id="hd"> <h1><a href="../index.html">Django 1.5.9 documentation</a></h1> <div id="global-nav"> <a title="Home page" href="../index.html">Home</a> | <a title="Table of contents" href="../contents.html">Table of contents</a> | <a title="Global index" href="../genindex.html">Index</a> | <a title="Module index" href="../py-modindex.html">Modules</a> </div> <div class="nav"> « <a href="1.4.12.html" title="Django 1.4.12 release notes">previous</a> | <a href="index.html" title="Release notes" accesskey="U">up</a> | <a href="1.4.10.html" title="Django 1.4.10 release notes">next</a> »</div> </div> <div id="bd"> <div id="yui-main"> <div class="yui-b"> <div class="yui-g" id="releases-1.4.11"> <div class="section" id="s-django-1-4-11-release-notes"> <span id="django-1-4-11-release-notes"></span><h1>Django 1.4.11 release notes<a class="headerlink" href="#django-1-4-11-release-notes" title="Permalink to this headline">¶</a></h1> <p><em>April 21, 2014</em></p> <p>Django 1.4.11 fixes three security issues in 1.4.10. Additionally, Django’s vendored version of six, <a class="reference internal" href="../topics/python3.html#module-django.utils.six" title="django.utils.six"><tt class="xref py py-mod docutils literal"><span class="pre">django.utils.six</span></tt></a>, has been upgraded to the latest release (1.6.1).</p> <div class="section" id="s-unexpected-code-execution-using-reverse"> <span id="unexpected-code-execution-using-reverse"></span><h2>Unexpected code execution using <tt class="docutils literal"><span class="pre">reverse()</span></tt><a class="headerlink" href="#unexpected-code-execution-using-reverse" title="Permalink to this headline">¶</a></h2> <p>Django’s URL handling is based on a mapping of regex patterns (representing the URLs) to callable views, and Django’s own processing consists of matching a requested URL against those patterns to determine the appropriate view to invoke.</p> <p>Django also provides a convenience function – <a class="reference internal" href="../ref/urlresolvers.html#django.core.urlresolvers.reverse" title="django.core.urlresolvers.reverse"><tt class="xref py py-func docutils literal"><span class="pre">reverse()</span></tt></a> – which performs this process in the opposite direction. The <tt class="docutils literal"><span class="pre">reverse()</span></tt> function takes information about a view and returns a URL which would invoke that view. Use of <tt class="docutils literal"><span class="pre">reverse()</span></tt> is encouraged for application developers, as the output of <tt class="docutils literal"><span class="pre">reverse()</span></tt> is always based on the current URL patterns, meaning developers do not need to change other code when making changes to URLs.</p> <p>One argument signature for <tt class="docutils literal"><span class="pre">reverse()</span></tt> is to pass a dotted Python path to the desired view. In this situation, Django will import the module indicated by that dotted path as part of generating the resulting URL. If such a module has import-time side effects, those side effects will occur.</p> <p>Thus it is possible for an attacker to cause unexpected code execution, given the following conditions:</p> <ol class="arabic simple"> <li>One or more views are present which construct a URL based on user input (commonly, a “next” parameter in a querystring indicating where to redirect upon successful completion of an action).</li> <li>One or more modules are known to an attacker to exist on the server’s Python import path, which perform code execution with side effects on importing.</li> </ol> <p>To remedy this, <tt class="docutils literal"><span class="pre">reverse()</span></tt> will now only accept and import dotted paths based on the view-containing modules listed in the project’s <a class="reference internal" href="../topics/http/urls.html"><em>URL pattern configuration</em></a>, so as to ensure that only modules the developer intended to be imported in this fashion can or will be imported.</p> </div> <div class="section" id="s-caching-of-anonymous-pages-could-reveal-csrf-token"> <span id="caching-of-anonymous-pages-could-reveal-csrf-token"></span><h2>Caching of anonymous pages could reveal CSRF token<a class="headerlink" href="#caching-of-anonymous-pages-could-reveal-csrf-token" title="Permalink to this headline">¶</a></h2> <p>Django includes both a <a class="reference internal" href="../topics/cache.html"><em>caching framework</em></a> and a system for <a class="reference internal" href="../ref/contrib/csrf.html"><em>preventing cross-site request forgery (CSRF) attacks</em></a>. The CSRF-protection system is based on a random nonce sent to the client in a cookie which must be sent by the client on future requests and, in forms, a hidden value which must be submitted back with the form.</p> <p>The caching framework includes an option to cache responses to anonymous (i.e., unauthenticated) clients.</p> <p>When the first anonymous request to a given page is by a client which did not have a CSRF cookie, the cache framework will also cache the CSRF cookie and serve the same nonce to other anonymous clients who do not have a CSRF cookie. This can allow an attacker to obtain a valid CSRF cookie value and perform attacks which bypass the check for the cookie.</p> <p>To remedy this, the caching framework will no longer cache such responses. The heuristic for this will be:</p> <ol class="arabic simple"> <li>If the incoming request did not submit any cookies, and</li> <li>If the response did send one or more cookies, and</li> <li>If the <tt class="docutils literal"><span class="pre">Vary:</span> <span class="pre">Cookie</span></tt> header is set on the response, then the response will not be cached.</li> </ol> </div> <div class="section" id="s-mysql-typecasting"> <span id="mysql-typecasting"></span><h2>MySQL typecasting<a class="headerlink" href="#mysql-typecasting" title="Permalink to this headline">¶</a></h2> <p>The MySQL database is known to “typecast” on certain queries; for example, when querying a table which contains string values, but using a query which filters based on an integer value, MySQL will first silently coerce the strings to integers and return a result based on that.</p> <p>If a query is performed without first converting values to the appropriate type, this can produce unexpected results, similar to what would occur if the query itself had been manipulated.</p> <p>Django’s model field classes are aware of their own types and most such classes perform explicit conversion of query arguments to the correct database-level type before querying. However, three model field classes did not correctly convert their arguments:</p> <ul class="simple"> <li><a class="reference internal" href="../ref/models/fields.html#django.db.models.FilePathField" title="django.db.models.FilePathField"><tt class="xref py py-class docutils literal"><span class="pre">FilePathField</span></tt></a></li> <li><a class="reference internal" href="../ref/models/fields.html#django.db.models.GenericIPAddressField" title="django.db.models.GenericIPAddressField"><tt class="xref py py-class docutils literal"><span class="pre">GenericIPAddressField</span></tt></a></li> <li><a class="reference internal" href="../ref/models/fields.html#django.db.models.IPAddressField" title="django.db.models.IPAddressField"><tt class="xref py py-class docutils literal"><span class="pre">IPAddressField</span></tt></a></li> </ul> <p>These three fields have been updated to convert their arguments to the correct types before querying.</p> <p>Additionally, developers of custom model fields are now warned via documentation to ensure their custom field classes will perform appropriate type conversions, and users of the <tt class="xref py py-meth docutils literal"><span class="pre">raw()</span></tt> and <a class="reference internal" href="../ref/models/querysets.html#django.db.models.query.QuerySet.extra" title="django.db.models.query.QuerySet.extra"><tt class="xref py py-meth docutils literal"><span class="pre">extra()</span></tt></a> query methods – which allow the developer to supply raw SQL or SQL fragments – will be advised to ensure they perform appropriate manual type conversions prior to executing queries.</p> </div> </div> </div> </div> </div> <div class="yui-b" id="sidebar"> <div class="sphinxsidebar"> <div class="sphinxsidebarwrapper"> <h3><a href="../contents.html">Table Of Contents</a></h3> <ul> <li><a class="reference internal" href="#">Django 1.4.11 release notes</a><ul> <li><a class="reference internal" href="#unexpected-code-execution-using-reverse">Unexpected code execution using <tt class="docutils literal"><span class="pre">reverse()</span></tt></a></li> <li><a class="reference internal" href="#caching-of-anonymous-pages-could-reveal-csrf-token">Caching of anonymous pages could reveal CSRF token</a></li> <li><a class="reference internal" href="#mysql-typecasting">MySQL typecasting</a></li> </ul> </li> </ul> <h3>Browse</h3> <ul> <li>Prev: <a href="1.4.12.html">Django 1.4.12 release notes</a></li> <li>Next: <a href="1.4.10.html">Django 1.4.10 release notes</a></li> </ul> <h3>You are here:</h3> <ul> <li> <a href="../index.html">Django 1.5.9 documentation</a> <ul><li><a href="index.html">Release notes</a> <ul><li>Django 1.4.11 release notes</li></ul> </li></ul> </li> </ul> <h3>This Page</h3> <ul class="this-page-menu"> <li><a href="../_sources/releases/1.4.11.txt" rel="nofollow">Show Source</a></li> </ul> <div id="searchbox" style="display: none"> <h3>Quick search</h3> <form class="search" action="../search.html" method="get"> <input type="text" name="q" /> <input type="submit" value="Go" /> <input type="hidden" name="check_keywords" value="yes" /> <input type="hidden" name="area" value="default" /> </form> <p class="searchtip" style="font-size: 90%"> Enter search terms or a module, class or function name. </p> </div> <script type="text/javascript">$('#searchbox').show(0);</script> </div> </div> <h3>Last update:</h3> <p class="topless">Aug 21, 2014</p> </div> </div> <div id="ft"> <div class="nav"> « <a href="1.4.12.html" title="Django 1.4.12 release notes">previous</a> | <a href="index.html" title="Release notes" accesskey="U">up</a> | <a href="1.4.10.html" title="Django 1.4.10 release notes">next</a> »</div> </div> </div> <div class="clearer"></div> </div> </body> </html>