January 23, 2021
Hot Topics:

Django 1.2 Cross-site Scripting Bug Quashed

  • By Developer.com Staff

All users of open source Python-based Web framework Django 1.2 are urged to upgrade to version 1.2.3 immediately.

Older versions of Django are unaffected.

A significant security bug was found and fixed in 1.2.2 involving cookies and cross-site scripting attacks. Here's how the announcement described it.

"As of the 1.2 release, the core Django framework includes a system, enabled by default, for detecting and preventing cross-site request forgery (CSRF) attacks against Django-powered applications. Previous Django releases provided a different, optionally-enabled system for the same purpose.

The Django 1.2 CSRF protection system involves the generation of a random token, inserted as a hidden field in outgoing forms. The same value is also set in a cookie, and the cookie value and form value are compared on submission.

The provided template tag for inserting the CSRF token into forms -- {% csrf_token %} -- explicitly trusts the cookie value, and displays it as-is. Thus, an attacker who is able to tamper with the value of the CSRF cookie can cause arbitrary content to be inserted, unescaped, into the outgoing HTML of the form, enabling cross-site scripting (XSS) attacks."

But before you upgrade to 1.2.2, the most current release is now 1.2.3, go with that one instead. The 1.2.2 security fix release broke some forms and the packaging manifest was incomplete. You can download it here.

View Article

This article was originally published on September 13, 2010

Enterprise Development Update

Don't miss an article. Subscribe to our newsletter below.

Thanks for your registration, follow us on our social networks to keep up-to-date