September 2, 2014
Hot Topics:
RSS RSS feed Download our iPhone app

Django 1.2 Cross-site Scripting Bug Quashed

  • September 13, 2010
  • By Developer.com Staff

All users of open source Python-based Web framework Django 1.2 are urged to upgrade to version 1.2.3 immediately.

Older versions of Django are unaffected.

A significant security bug was found and fixed in 1.2.2 involving cookies and cross-site scripting attacks. Here's how the announcement described it.

"As of the 1.2 release, the core Django framework includes a system, enabled by default, for detecting and preventing cross-site request forgery (CSRF) attacks against Django-powered applications. Previous Django releases provided a different, optionally-enabled system for the same purpose.

The Django 1.2 CSRF protection system involves the generation of a random token, inserted as a hidden field in outgoing forms. The same value is also set in a cookie, and the cookie value and form value are compared on submission.

The provided template tag for inserting the CSRF token into forms -- {% csrf_token %} -- explicitly trusts the cookie value, and displays it as-is. Thus, an attacker who is able to tamper with the value of the CSRF cookie can cause arbitrary content to be inserted, unescaped, into the outgoing HTML of the form, enabling cross-site scripting (XSS) attacks."

But before you upgrade to 1.2.2, the most current release is now 1.2.3, go with that one instead. The 1.2.2 security fix release broke some forms and the packaging manifest was incomplete. You can download it here.


View Article



Comment and Contribute

 


(Maximum characters: 1200). You have characters left.

 

 


Sitemap | Contact Us

Rocket Fuel