~ubuntu-branches/ubuntu/saucy/python-django/saucy-updates


Viewing changes to docs/releases/1.4.2.txt

  • Committer: Package Import Robot
  • Author(s): Luke Faraone
  • Date: 2013-08-13 16:49:39 UTC
  • mfrom: (1.3.9)
  • mto: This revision was merged to the branch mainline in revision 47.
  • Revision ID: package-import@ubuntu.com-20130813164939-irlkd7hokvcgocfl
Tags: upstream-1.5.2
Import upstream version 1.5.2

17
17
 
18
18
Django's own built-in parsing of the Host header is, however, still vulnerable,
19
19
as was reported to us recently. The Host header parsing in Django 1.3.3 and
20
 
Django 1.4.1 -- specifically, django.http.HttpRequest.get_host() -- was
 
20
Django 1.4.1 -- specifically, ``django.http.HttpRequest.get_host()`` -- was
21
21
incorrectly handling username/password information in the header. Thus, for
22
22
example, the following Host header would be accepted by Django when running on
23
23
"validsite.com"::
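Review bot: the markup chosen at new line 20, ``django.http.HttpRequest.get_host()`` as a plain literal, is inconsistent with the rest of this same change, which at new line 33 wraps django.core.exceptions.SuspiciousOperation in a Sphinx :exc: role so that it renders as a cross-reference; :meth:`django.http.HttpRequest.get_host` would match that convention and link to the method's reference entry where one exists instead of rendering inert monospace text. Note also that new line 30 spells the same method ``HttpRequest.get_host()`` without the module path; the two spellings should agree within one short paragraph.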
27
27
Using this, an attacker can cause parts of Django -- particularly the
28
28
password-reset mechanism -- to generate and display arbitrary URLs to users.
29
29
 
30
 
To remedy this, the parsing in HttpRequest.get_host() is being modified; Host
31
 
headers which contain potentially dangerous content (such as username/password
32
 
pairs) now raise the exception django.core.exceptions.SuspiciousOperation
 
30
To remedy this, the parsing in ``HttpRequest.get_host()`` is being modified;
 
31
Host headers which contain potentially dangerous content (such as
 
32
username/password pairs) now raise the exception
 
33
:exc:`django.core.exceptions.SuspiciousOperation`.
33
34
 
34
35
Details of this issue were initially posted online as a `security advisory`_.
35
36
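Review bot: the three removed lines (old 30-32) and four added lines (new 30-33) differ in substance only in the :exc: role added around django.core.exceptions.SuspiciousOperation and the trailing period that old line 32 was missing; the rest of the hunk is reflowing the paragraph to new wrap points. Keeping the original line breaks and touching only the final line would leave a one-line change that a reviewer can verify at a glance, and would make later blame and cherry-pick operations on this file cleaner. The added period is correct, as the old text ended the sentence without one. Separately, "is being modified" at new line 30 reads oddly in notes for a released version, since by the time 1.4.2 ships the change has been made; "has been modified" would be the usual release-notes tense.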