Closed Bug 820042 Opened 12 years ago Closed 12 years ago

Upcoming Django Security Release (1.3.5)

Categories

(support.mozilla.org :: General, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jsocol, Assigned: willkg)

Details

Attachments

(2 files)

There is a Django security release expected sometime today. We should apply these patches locally, test and see if any changes are necessary to kitsune. If so, those changes should be attached as a patch to this bug and reviewed, *NOT* pushed to github. Once the release is public, we should push and deploy an update quickly.

Below is the original security pre-notification:

=============

In accordance with that policy, on Monday, December 10, 2012, the Django project will be issuing a set of releases to remedy security issue[s] reported to us. This message contains a description of the issue, a description of the changes which will be made to Django, and the patches which will be applied to Django.

Please be aware that this security release is slightly different from previous ones, in that both issues have been dealt with, to a greater or lesser extent, by prior security updates to Django. However, we have received ongoing reports of problems -- some due to issues in Django itself, some due to patterns in third-party applications encouraged by Django's architecture -- which have led us to take additional steps in both of the areas described below. Due to the potential impact, we are making use of our security release process rather than simply bundling the following fixes into a normal Django bugfix release.

Host header poisoning
=====================

Several earlier Django security releases focused on the issue of poisoning the HTTP Host header, causing Django to generate URLs pointing to arbitrary, potentially-malicious domains. In response to further input received following the previous release, we're taking additional steps to tighten Host header validation.

Rather than attempt to accommodate all features HTTP supports here, Django's Host header validation attempts to support a smaller, but far more common, subset:

* Hostnames must consist of characters [A-Fa-f0-9] plus hyphen ('-') or dot ('.').
* IP addresses -- both IPv4 and IPv6 -- are permitted.
* Port, if specified, is numeric.

Any deviation from this will now be rejected, raising the exception ``django.core.exceptions.SuspiciousOperation``.

Redirect poisoning
==================

Also following up on a previous issue: in July of this year, we made changes to Django's HTTP redirect classes, performing additional validation of the scheme of the URL to redirect to (since, both within Django's own supplied applications and many third-party applications, accepting a user-supplied redirect target is a common pattern).

Similar to the Host-header issue, we are taking steps to provide tighter validation in response to reported problems (primarily with third-party applications, but to a certain extent also within Django itself). This comes in two parts:

1. A new utility function, ``django.utils.http.is_safe_url``, is added; this function takes a URL and a hostname, and checks that the URL is either relative, or if absolute matches the supplied hostname. This function is intended for use whenever user-supplied redirect targets are accepted, to ensure that such redirects cannot lead to arbitrary third-party sites.

2. All of Django's own built-in views -- primarily in the authentication system -- which allow user-supplied redirect targets now use ``is_safe_url`` to validate the supplied URL.

Affected versions
=================

The issues resulting in this security release are present in the following versions of Django:

* Django development master branch (officially, 1.6-pre-alpha at this time).
* Django 1.5 prerelease branch (source of the 1.5 alpha and beta releases).
* Django 1.4.
* Django 1.3.

Resolution
==========

Included with this email are patches implementing the changes described above, for each affected version of Django. These patches will be applied to the Django development repository on Monday, December 10, 2012, and the following releases will be issued along with disclosure of the reasons for these changes:

* Django 1.5 beta 2
* Django 1.4.3
* Django 1.3.5

As Django's master development branch is currently in a pre-alpha state, and the 1.5 branch is in a beta state, users are strongly advised not to be running production deployments from them; the disclosure announcement will nonetheless include a reminder of this and encourage any such users to update their checkouts immediately.
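The two mechanisms the pre-notification describes, as an added Python example that is neither Django's code nor the patches attached to this bug: a Host header check that applies the three rules listed above (hostname characters, IPv4/IPv6 literals, numeric port; anything else raises a stand-in `SuspiciousOperation`), and an `is_safe_url(url, host)` that accepts a relative URL or an absolute one whose authority equals `host`. Two assumptions: the hostname letter range is taken to be A-Za-z (the text above prints A-Fa-f, which would reject most real hostnames), and the whitespace, control-character, scheme, backslash and extra-slash rejections in `is_safe_url` are this example's own hardening against inputs that a browser resolves to a different origin than `urlparse` reports, not something the announcement says 1.3.5 does.

```python
import ipaddress
import re
from urllib.parse import urlparse


class SuspiciousOperation(Exception):
    """Stand-in for django.core.exceptions.SuspiciousOperation (this example only)."""


# Hostname or IPv4 literal: letters, digits, '-' and '.'; IPv6: a bracketed
# literal; optional ':port' made of digits only. Letter range A-Za-z is an
# assumption (the announcement text reads A-Fa-f). fullmatch() is used on
# purpose: with '$' a header such as 'example.com\n' would still match.
_HOST_RE = re.compile(
    r"(?P<host>[A-Za-z0-9.-]+|\[[0-9A-Fa-f:.]+\])(?::(?P<port>[0-9]+))?"
)

# A scheme prefix (optional) followed by '//'. Used after parsing: if urlparse
# found no netloc but the string still starts this way ('///evil.com',
# 'http:///evil.com'), a browser will read an authority out of the path.
_SLASHES_RE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9+.-]*:)?//")


def validate_host(header):
    """Return (host, port) for an acceptable Host header, else raise SuspiciousOperation."""
    m = _HOST_RE.fullmatch(header)
    if m is None:
        raise SuspiciousOperation("Invalid HTTP_HOST header: %r" % (header,))
    host = m.group("host")
    if host.startswith("["):
        # The regex only checks the alphabet; make sure it is a real IPv6 literal.
        try:
            ipaddress.IPv6Address(host[1:-1])
        except ValueError:
            raise SuspiciousOperation("Invalid IPv6 literal in HTTP_HOST: %r" % (header,)) from None
    port = m.group("port")
    return host.lower(), (int(port) if port else None)


def host_is_valid(header):
    """Boolean wrapper around validate_host() for callers that do not want the exception."""
    try:
        validate_host(header)
    except SuspiciousOperation:
        return False
    return True


def is_safe_url(url, host):
    """
    True if ``url`` is relative, or absolute and on ``host`` (host[:port],
    exactly as the request's Host header gave it); False for an empty URL.

    The checks marked 'hardening' are this example's additions: each rejects
    a value that urlparse() reports as host-less but a browser would send
    somewhere else.
    """
    url = (url or "").strip()          # hardening: '  javascript:...' would parse as a bare path
    if not url:
        return False
    if any(ord(c) < 0x20 or c == "\x7f" for c in url):
        return False                   # hardening: browsers drop tabs/newlines, 'java\tscript:' runs
    if "\\" in url:
        return False                   # hardening: browsers turn '\\evil.com' into '//evil.com'
    parts = urlparse(url)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False                   # hardening: javascript:, data:, ftp: ... (scheme is lowercased)
    if not parts.netloc and _SLASHES_RE.match(url):
        return False                   # hardening: '///evil.com', 'http:///evil.com'
    # netloc keeps any userinfo and port, so 'http://example.com@evil.com' fails here.
    return not parts.netloc or parts.netloc.lower() == host.lower()


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real request log.
    for h in ("example.com:8000", "[::1]:8000", "evil.com/path", "example.com\n"):
        print("%-20r host_is_valid=%s" % (h, host_is_valid(h)))
    for u in ("/next/", "http://example.com/next", "//evil.com/", "///evil.com",
              "javascript:alert(1)", "http://example.com@evil.com/"):
        print("%-30r is_safe_url=%s" % (u, is_safe_url(u, "example.com")))
```

The host comparison is deliberately exact (after lowercasing): `host` should be the validated value from the request, including the port if the client sent one, so that `http://example.com:8000/` is only accepted when the request arrived on `example.com:8000`.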
This release is now public. Let's try to get the update onto prod. https://www.djangoproject.com/weblog/2012/dec/10/security/
Grabbing this one.
Assignee: nobody → willkg
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security