<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="">
  <head>
    <meta http-equiv="X-UA-Compatible" content="IE=Edge" />
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Django 1.4.2 release notes &#8212; Django 1.11.20 documentation</title>
    <link rel="stylesheet" href="../_static/default.css" type="text/css" />
    <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
    <script type="text/javascript" id="documentation_options" data-url_root="../" src="../_static/documentation_options.js"></script>
    <script type="text/javascript" src="../_static/jquery.js"></script>
    <script type="text/javascript" src="../_static/underscore.js"></script>
    <script type="text/javascript" src="../_static/doctools.js"></script>
    <script type="text/javascript" src="../_static/language_data.js"></script>
    <link rel="index" title="Index" href="../genindex.html" />
    <link rel="search" title="Search" href="../search.html" />
    <link rel="next" title="Django 1.4.1 release notes" href="1.4.1.html" />
    <link rel="prev" title="Django 1.4.3 release notes" href="1.4.3.html" />



 
<script type="text/javascript" src="../templatebuiltins.js"></script>
<script type="text/javascript">
(function($) {
    if (!django_template_builtins) {
       // templatebuiltins.js missing, do nothing.
       return;
    }
    $(document).ready(function() {
        // Hyperlink Django template tags and filters
        var base = "../ref/templates/builtins.html";
        if (base == "#") {
            // Special case for builtins.html itself
            base = "";
        }
        // Tags are keywords, class '.k'
        $("div.highlight\\-html\\+django span.k").each(function(i, elem) {
             var tagname = $(elem).text();
             if ($.inArray(tagname, django_template_builtins.ttags) != -1) {
                 var fragment = tagname.replace(/_/, '-');
                 $(elem).html("<a href='" + base + "#" + fragment + "'>" + tagname + "</a>");
             }
        });
        // Filters are functions, class '.nf'
        $("div.highlight\\-html\\+django span.nf").each(function(i, elem) {
             var filtername = $(elem).text();
             if ($.inArray(filtername, django_template_builtins.tfilters) != -1) {
                 var fragment = filtername.replace(/_/, '-');
                 $(elem).html("<a href='" + base + "#" + fragment + "'>" + filtername + "</a>");
             }
        });
    });
})(jQuery);
</script>


  </head><body>

    <div class="document">
  <div id="custom-doc" class="yui-t6">
    <div id="hd">
      <h1><a href="../index.html">Django 1.11.20 documentation</a></h1>
    </div>

    <div id="bd">
      <div id="yui-main">
        <div class="yui-b">
          <div class="yui-g" id="releases-1.4.2">
            
  <div class="section" id="s-django-1-4-2-release-notes">
<span id="django-1-4-2-release-notes"></span><h1>Django 1.4.2 release notes</h1>
<p><em>October 17, 2012</em></p>
<p>This is the second security release in the Django 1.4 series.</p>
<div class="section" id="s-host-header-poisoning">
<span id="host-header-poisoning"></span><h2>Host header poisoning</h2>
<p>Some parts of Django – independent of end-user-written applications – make
use of full URLs, including domain name, which are generated from the HTTP Host
header. Some attacks against this are beyond Django’s ability to control, and
require the web server to be properly configured; Django’s documentation has
for some time contained notes advising users on such configuration.</p>
<p>Django’s own built-in parsing of the Host header is, however, still vulnerable,
as was reported to us recently. The Host header parsing in Django 1.3.3 and
Django 1.4.1 – specifically, <code class="docutils literal notranslate"><span class="pre">django.http.HttpRequest.get_host()</span></code> – was
incorrectly handling username/password information in the header. Thus, for
example, the following Host header would be accepted by Django when running on
“validsite.com”:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">Host</span><span class="p">:</span> <span class="n">validsite</span><span class="o">.</span><span class="n">com</span><span class="p">:</span><span class="n">random</span><span class="nd">@evilsite</span><span class="o">.</span><span class="n">com</span>
</pre></div>
</div>
<p>Using this, an attacker can cause parts of Django – particularly the
password-reset mechanism – to generate and display arbitrary URLs to users.</p>
<p>To remedy this, the parsing in <code class="docutils literal notranslate"><span class="pre">HttpRequest.get_host()</span></code> is being modified;
Host headers which contain potentially dangerous content (such as
username/password pairs) now raise the exception
<a class="reference internal" href="../ref/exceptions.html#django.core.exceptions.SuspiciousOperation" title="django.core.exceptions.SuspiciousOperation"><code class="xref py py-exc docutils literal notranslate"><span class="pre">django.core.exceptions.SuspiciousOperation</span></code></a>.</p>
<p>Details of this issue were initially posted online as a <a class="reference external" href="https://www.djangoproject.com/weblog/2012/oct/17/security/">security advisory</a>.</p>
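<p>The following is an added example, not code from Django or from the original release notes. It shows why the header above is dangerous (a URL parser treats everything before the <code class="docutils literal notranslate"><span class="pre">@</span></code> as user information) and one way to validate a Host header strictly before building links from it. The names <code class="docutils literal notranslate"><span class="pre">SuspiciousHost</span></code>, <code class="docutils literal notranslate"><span class="pre">effective_hostname</span></code> and <code class="docutils literal notranslate"><span class="pre">validate_host</span></code>, and the allow-list of expected hosts, are assumptions made for illustration.</p>

```python
import re
from urllib.parse import urlsplit

# host[:port] only: a DNS name or bracketed IPv6 literal plus an optional
# numeric port. No userinfo, path, query or other delimiter characters.
_HOST_RE = re.compile(r"([a-z0-9.-]+|\[[0-9a-f:.]+\])(:\d{1,5})?")


class SuspiciousHost(ValueError):
    """Hypothetical stand-in for django.core.exceptions.SuspiciousOperation."""


def effective_hostname(host_header, path="/reset/"):
    """Hostname a URL parser sees in a link built from the raw header."""
    return urlsplit("http://%s%s" % (host_header, path)).hostname


def validate_host(host_header, allowed):
    """Return the lower-cased host (port stripped) or raise SuspiciousHost.

    `allowed` is an assumed set of host names this site answers to.
    """
    value = host_header.strip().lower()
    match = _HOST_RE.fullmatch(value)
    if match is None:
        raise SuspiciousHost("malformed Host header: %r" % host_header)
    host = match.group(1).rstrip(".")
    if host not in allowed:
        raise SuspiciousHost("unexpected host: %r" % host)
    return host


if __name__ == "__main__":
    allowed = {"validsite.com"}
    # Constructed sample headers; the second is the one from the text above.
    for header in ("validsite.com:8000", "validsite.com:random@evilsite.com"):
        print(header, "-> link would point at", effective_hostname(header))
        try:
            print("  accepted as", validate_host(header, allowed))
        except SuspiciousHost as exc:
            print("  rejected:", exc)
```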
</div>
<div class="section" id="s-backwards-incompatible-changes">
<span id="backwards-incompatible-changes"></span><h2>Backwards incompatible changes</h2>
<ul class="simple">
<li>The newly introduced <a class="reference internal" href="../ref/models/fields.html#django.db.models.GenericIPAddressField" title="django.db.models.GenericIPAddressField"><code class="xref py py-class docutils literal notranslate"><span class="pre">GenericIPAddressField</span></code></a>
constructor arguments have been adapted to match those of all other model
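fields. The first two keyword arguments are now <code class="docutils literal notranslate"><span class="pre">verbose_name</span></code> and <code class="docutils literal notranslate"><span class="pre">name</span></code>.</li>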
</ul>
</div>
<div class="section" id="s-other-bugfixes-and-changes">
<span id="other-bugfixes-and-changes"></span><h2>Other bugfixes and changes</h2>
<ul class="simple">
<li>Subclass HTMLParser only for appropriate Python versions (#18239).</li>
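<li>Added <code class="docutils literal notranslate"><span class="pre">batch_size</span></code> argument to <code class="docutils literal notranslate"><span class="pre">qs.bulk_create()</span></code> (#17788).</li>
<li>Fixed a small regression in the admin filters where wrongly formatted dates passed as URL parameters caused an unhandled <code class="docutils literal notranslate"><span class="pre">ValidationError</span></code> (#18530).</li>
<li>Fixed an endless loop bug when accessing permissions in templates (#18979).</li>
<li>Fixed some Python 2.5 compatibility issues.</li>
<li>Fixed an issue with quoted filenames in the Content-Disposition header (#19006).</li>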
<li>Made the context option in <code class="docutils literal notranslate"><span class="pre">trans</span></code> and <code class="docutils literal notranslate"><span class="pre">blocktrans</span></code> tags accept literals wrapped in single quotes (#18881).</li>
<li>Numerous documentation improvements and fixes.</li>
</ul>
</div>
</div>


          </div>
        </div>
      </div>
      
        
          <div class="yui-b" id="sidebar">
            
              <h3>Last update:</h3>
              <p class="topless">Feb 11, 2019</p>
          </div>
        
      
    </div>

  </div>

      <div class="clearer"></div>
    </div>
  </body>
</html>