<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang=""> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Django 1.8.16 release notes — Django 1.8.19 documentation</title> <link rel="stylesheet" href="../_static/default.css" type="text/css" /> <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../', VERSION: '1.8.19', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', HAS_SOURCE: true }; </script> <script type="text/javascript" src="../_static/jquery.js"></script> <script type="text/javascript" src="../_static/underscore.js"></script> <script type="text/javascript" src="../_static/doctools.js"></script> <link rel="index" title="Index" href="../genindex.html" /> <link rel="search" title="Search" href="../search.html" /> <link rel="top" title="Django 1.8.19 documentation" href="../contents.html" /> <link rel="up" title="Release notes" href="index.html" /> <link rel="next" title="Django 1.8.15 release notes" href="1.8.15.html" /> <link rel="prev" title="Django 1.8.17 release notes" href="1.8.17.html" /> <script type="text/javascript" src="../templatebuiltins.js"></script> <script type="text/javascript"> (function($) { if (!django_template_builtins) { // templatebuiltins.js missing, do nothing. return; } $(document).ready(function() { // Hyperlink Django template tags and filters var base = "../ref/templates/builtins.html"; if (base == "#") { // Special case for builtins.html itself base = ""; } // Tags are keywords, class '.k' $("div.highlight\\-html\\+django span.k").each(function(i, elem) { var tagname = $(elem).text(); if ($.inArray(tagname, django_template_builtins.ttags) != -1) { var fragment = tagname.replace(/_/, '-'); $(elem).html("<a href='" + base + "#" + fragment + "'>" + tagname + "</a>"); } }); // Filters are functions, class '.nf' $("div.highlight\\-html\\+django span.nf").each(function(i, elem) { var filtername = $(elem).text(); if ($.inArray(filtername, django_template_builtins.tfilters) != -1) { var fragment = filtername.replace(/_/, '-'); $(elem).html("<a href='" + base + "#" + fragment + "'>" + filtername + "</a>"); } }); }); })(jQuery); </script> </head> <body role="document"> <div class="document"> <div id="custom-doc" class="yui-t6"> <div id="hd"> <h1><a href="../index.html">Django 1.8.19 documentation</a></h1> <div id="global-nav"> <a title="Home page" href="../index.html">Home</a> | <a title="Table of contents" href="../contents.html">Table of contents</a> | <a title="Global index" href="../genindex.html">Index</a> | <a title="Module index" href="../py-modindex.html">Modules</a> </div> <div class="nav"> « <a href="1.8.17.html" title="Django 1.8.17 release notes">previous</a> | <a href="index.html" title="Release notes" accesskey="U">up</a> | <a href="1.8.15.html" title="Django 1.8.15 release notes">next</a> »</div> </div> <div id="bd"> <div id="yui-main"> <div class="yui-b"> <div class="yui-g" id="releases-1.8.16"> <div class="section" id="s-django-1-8-16-release-notes"> <span id="django-1-8-16-release-notes"></span><h1>Django 1.8.16 release notes<a class="headerlink" href="#django-1-8-16-release-notes" title="Permalink to this headline">¶</a></h1> <p><em>November 1, 2016</em></p> <p>Django 1.8.16 fixes two security issues in 1.8.15.</p> <div class="section" id="s-user-with-hardcoded-password-created-when-running-tests-on-oracle"> <span id="user-with-hardcoded-password-created-when-running-tests-on-oracle"></span><h2>User with hardcoded password created when running tests on Oracle<a class="headerlink" href="#user-with-hardcoded-password-created-when-running-tests-on-oracle" title="Permalink to this headline">¶</a></h2> <p>When running tests with an Oracle database, Django creates a temporary database user. In older versions, if a password isn’t manually specified in the database settings <code class="docutils literal"><span class="pre">TEST</span></code> dictionary, a hardcoded password is used. This could allow an attacker with network access to the database server to connect.</p> <p>This user is usually dropped after the test suite completes, but not when using the <code class="docutils literal"><span class="pre">manage.py</span> <span class="pre">test</span> <span class="pre">--keepdb</span></code> option or if the user has an active session (such as an attacker’s connection).</p> <p>A randomly generated password is now used for each test run.</p> </div> <div class="section" id="s-dns-rebinding-vulnerability-when-debug-true"> <span id="dns-rebinding-vulnerability-when-debug-true"></span><h2>DNS rebinding vulnerability when <code class="docutils literal"><span class="pre">DEBUG=True</span></code><a class="headerlink" href="#dns-rebinding-vulnerability-when-debug-true" title="Permalink to this headline">¶</a></h2> <p>Older versions of Django don’t validate the <code class="docutils literal"><span class="pre">Host</span></code> header against <code class="docutils literal"><span class="pre">settings.ALLOWED_HOSTS</span></code> when <code class="docutils literal"><span class="pre">settings.DEBUG=True</span></code>. This makes them vulnerable to a <a class="reference external" href="http://benmmurphy.github.io/blog/2016/07/11/rails-webconsole-dns-rebinding/">DNS rebinding attack</a>.</p> <p>While Django doesn’t ship a module that allows remote code execution, this is at least a cross-site scripting vector, which could be quite serious if developers load a copy of the production database in development or connect to some production services for which there’s no development instance, for example. If a project uses a package like the <code class="docutils literal"><span class="pre">django-debug-toolbar</span></code>, then the attacker could execute arbitrary SQL, which could be especially bad if the developers connect to the database with a superuser account.</p> <p><code class="docutils literal"><span class="pre">settings.ALLOWED_HOSTS</span></code> is now validated regardless of <code class="docutils literal"><span class="pre">DEBUG</span></code>. For convenience, if <code class="docutils literal"><span class="pre">ALLOWED_HOSTS</span></code> is empty and <code class="docutils literal"><span class="pre">DEBUG=True</span></code>, the following variations of localhost are allowed <code class="docutils literal"><span class="pre">['localhost',</span> <span class="pre">'127.0.0.1',</span> <span class="pre">'::1']</span></code>. If your local settings file has your production <code class="docutils literal"><span class="pre">ALLOWED_HOSTS</span></code> value, you must now omit it to get those fallback values.</p> </div> </div> </div> </div> </div> <div class="yui-b" id="sidebar"> <div class="sphinxsidebar" role="navigation" aria-label="main navigation"> <div class="sphinxsidebarwrapper"> <h3><a href="../contents.html">Table Of Contents</a></h3> <ul> <li><a class="reference internal" href="#">Django 1.8.16 release notes</a><ul> <li><a class="reference internal" href="#user-with-hardcoded-password-created-when-running-tests-on-oracle">User with hardcoded password created when running tests on Oracle</a></li> <li><a class="reference internal" href="#dns-rebinding-vulnerability-when-debug-true">DNS rebinding vulnerability when <code class="docutils literal"><span class="pre">DEBUG=True</span></code></a></li> </ul> </li> </ul> <h3>Browse</h3> <ul> <li>Prev: <a href="1.8.17.html">Django 1.8.17 release notes</a></li> <li>Next: <a href="1.8.15.html">Django 1.8.15 release notes</a></li> </ul> <h3>You are here:</h3> <ul> <li> <a href="../index.html">Django 1.8.19 documentation</a> <ul><li><a href="index.html">Release notes</a> <ul><li>Django 1.8.16 release notes</li></ul> </li></ul> </li> </ul> <div role="note" aria-label="source link"> <h3>This Page</h3> <ul class="this-page-menu"> <li><a href="../_sources/releases/1.8.16.txt" rel="nofollow">Show Source</a></li> </ul> </div> <div id="searchbox" style="display: none" role="search"> <h3>Quick search</h3> <form class="search" action="../search.html" method="get"> <div><input type="text" name="q" /></div> <div><input type="submit" value="Go" /></div> <input type="hidden" name="check_keywords" value="yes" /> <input type="hidden" name="area" value="default" /> </form> </div> <script type="text/javascript">$('#searchbox').show(0);</script> </div> </div> <h3>Last update:</h3> <p class="topless">Mar 10, 2018</p> </div> </div> <div id="ft"> <div class="nav"> « <a href="1.8.17.html" title="Django 1.8.17 release notes">previous</a> | <a href="index.html" title="Release notes" accesskey="U">up</a> | <a href="1.8.15.html" title="Django 1.8.15 release notes">next</a> »</div> </div> </div> <div class="clearer"></div> </div> </body> </html>