<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Django 1.3.4 release notes — Django 1.5.9 documentation</title> <link rel="stylesheet" href="../_static/default.css" type="text/css" /> <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../', VERSION: '1.5.9', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', HAS_SOURCE: true }; </script> <script type="text/javascript" src="../_static/jquery.js"></script> <script type="text/javascript" src="../_static/underscore.js"></script> <script type="text/javascript" src="../_static/doctools.js"></script> <link rel="top" title="Django 1.5.9 documentation" href="../index.html" /> <link rel="up" title="Release notes" href="index.html" /> <link rel="next" title="Django 1.3.3 release notes" href="1.3.3.html" /> <link rel="prev" title="Django 1.3.5 release notes" href="1.3.5.html" /> <script type="text/javascript" src="../templatebuiltins.js"></script> <script type="text/javascript"> (function($) { if (!django_template_builtins) { // templatebuiltins.js missing, do nothing. return; } $(document).ready(function() { // Hyperlink Django template tags and filters var base = "../ref/templates/builtins.html"; if (base == "#") { // Special case for builtins.html itself base = ""; } // Tags are keywords, class '.k' $("div.highlight\\-html\\+django span.k").each(function(i, elem) { var tagname = $(elem).text(); if ($.inArray(tagname, django_template_builtins.ttags) != -1) { var fragment = tagname.replace(/_/, '-'); $(elem).html("<a href='" + base + "#" + fragment + "'>" + tagname + "</a>"); } }); // Filters are functions, class '.nf' $("div.highlight\\-html\\+django span.nf").each(function(i, elem) { var filtername = $(elem).text(); if ($.inArray(filtername, django_template_builtins.tfilters) != -1) { var fragment = filtername.replace(/_/, '-'); $(elem).html("<a href='" + base + "#" + fragment + "'>" + filtername + "</a>"); } }); }); })(jQuery); </script> </head> <body> <div class="document"> <div id="custom-doc" class="yui-t6"> <div id="hd"> <h1><a href="../index.html">Django 1.5.9 documentation</a></h1> <div id="global-nav"> <a title="Home page" href="../index.html">Home</a> | <a title="Table of contents" href="../contents.html">Table of contents</a> | <a title="Global index" href="../genindex.html">Index</a> | <a title="Module index" href="../py-modindex.html">Modules</a> </div> <div class="nav"> « <a href="1.3.5.html" title="Django 1.3.5 release notes">previous</a> | <a href="index.html" title="Release notes" accesskey="U">up</a> | <a href="1.3.3.html" title="Django 1.3.3 release notes">next</a> »</div> </div> <div id="bd"> <div id="yui-main"> <div class="yui-b"> <div class="yui-g" id="releases-1.3.4"> <div class="section" id="s-django-1-3-4-release-notes"> <span id="django-1-3-4-release-notes"></span><h1>Django 1.3.4 release notes<a class="headerlink" href="#django-1-3-4-release-notes" title="Permalink to this headline">¶</a></h1> <p><em>October 17, 2012</em></p> <p>This is the fourth release in the Django 1.3 series.</p> <div class="section" id="s-host-header-poisoning"> <span id="host-header-poisoning"></span><h2>Host header poisoning<a class="headerlink" href="#host-header-poisoning" title="Permalink to this headline">¶</a></h2> <p>Some parts of Django – independent of end-user-written applications – make use of full URLs, including domain name, which are generated from the HTTP Host header. Some attacks against this are beyond Django’s ability to control, and require the web server to be properly configured; Django’s documentation has for some time contained notes advising users on such configuration.</p> <p>Django’s own built-in parsing of the Host header is, however, still vulnerable, as was reported to us recently. The Host header parsing in Django 1.3.3 and Django 1.4.1 – specifically, <tt class="docutils literal"><span class="pre">django.http.HttpRequest.get_host()</span></tt> – was incorrectly handling username/password information in the header. Thus, for example, the following Host header would be accepted by Django when running on “validsite.com”:</p> <div class="highlight-python"><pre>Host: validsite.com:random@evilsite.com</pre> </div> <p>Using this, an attacker can cause parts of Django – particularly the password-reset mechanism – to generate and display arbitrary URLs to users.</p> <p>To remedy this, the parsing in <tt class="docutils literal"><span class="pre">HttpRequest.get_host()</span></tt> is being modified; Host headers which contain potentially dangerous content (such as username/password pairs) now raise the exception <a class="reference internal" href="../ref/exceptions.html#django.core.exceptions.SuspiciousOperation" title="django.core.exceptions.SuspiciousOperation"><tt class="xref py py-exc docutils literal"><span class="pre">django.core.exceptions.SuspiciousOperation</span></tt></a>.</p> <p>Details of this issue were initially posted online as a <a class="reference external" href="https://www.djangoproject.com/weblog/2012/oct/17/security/">security advisory</a>.</p> </div> </div> </div> </div> </div> <div class="yui-b" id="sidebar"> <div class="sphinxsidebar"> <div class="sphinxsidebarwrapper"> <h3><a href="../contents.html">Table Of Contents</a></h3> <ul> <li><a class="reference internal" href="#">Django 1.3.4 release notes</a><ul> <li><a class="reference internal" href="#host-header-poisoning">Host header poisoning</a></li> </ul> </li> </ul> <h3>Browse</h3> <ul> <li>Prev: <a href="1.3.5.html">Django 1.3.5 release notes</a></li> <li>Next: <a href="1.3.3.html">Django 1.3.3 release notes</a></li> </ul> <h3>You are here:</h3> <ul> <li> <a href="../index.html">Django 1.5.9 documentation</a> <ul><li><a href="index.html">Release notes</a> <ul><li>Django 1.3.4 release notes</li></ul> </li></ul> </li> </ul> <h3>This Page</h3> <ul class="this-page-menu"> <li><a href="../_sources/releases/1.3.4.txt" rel="nofollow">Show Source</a></li> </ul> <div id="searchbox" style="display: none"> <h3>Quick search</h3> <form class="search" action="../search.html" method="get"> <input type="text" name="q" /> <input type="submit" value="Go" /> <input type="hidden" name="check_keywords" value="yes" /> <input type="hidden" name="area" value="default" /> </form> <p class="searchtip" style="font-size: 90%"> Enter search terms or a module, class or function name. </p> </div> <script type="text/javascript">$('#searchbox').show(0);</script> </div> </div> <h3>Last update:</h3> <p class="topless">Mar 19, 2015</p> </div> </div> <div id="ft"> <div class="nav"> « <a href="1.3.5.html" title="Django 1.3.5 release notes">previous</a> | <a href="index.html" title="Release notes" accesskey="U">up</a> | <a href="1.3.3.html" title="Django 1.3.3 release notes">next</a> »</div> </div> </div> <div class="clearer"></div> </div> </body> </html>