NewsDjango 1.2 Cross-site Scripting Bug Quashed

Django 1.2 Cross-site Scripting Bug Quashed

Developer.com content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

All users of open source Python-based Web framework Django 1.2 are urged to upgrade to version 1.2.3 immediately.

Older versions of Django are unaffected.

A significant security bug was found and fixed in 1.2.2 involving cookies and cross-site scripting attacks. Here’s how the announcement described it.

“As of the 1.2 release, the core Django framework includes a system, enabled by default, for detecting and preventing cross-site request forgery (CSRF) attacks against Django-powered applications. Previous Django releases provided a different, optionally-enabled system for the same purpose.

The Django 1.2 CSRF protection system involves the generation of a random token, inserted as a hidden field in outgoing forms. The same value is also set in a cookie, and the cookie value and form value are compared on submission.

The provided template tag for inserting the CSRF token into forms — {% csrf_token %} — explicitly trusts the cookie value, and displays it as-is. Thus, an attacker who is able to tamper with the value of the CSRF cookie can cause arbitrary content to be inserted, unescaped, into the outgoing HTML of the form, enabling cross-site scripting (XSS) attacks.”

But before you upgrade to 1.2.2, the most current release is now 1.2.3, go with that one instead. The 1.2.2 security fix release broke some forms and the packaging manifest was incomplete. You can download it here.

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends & analysis

Latest Posts

Related Stories