From dd0b487872de4e3ff966da51e3610bac996e44f0 Mon Sep 17 00:00:00 2001 From: Tim Graham Date: Fri, 20 Feb 2015 09:20:38 -0500 Subject: [PATCH] Fixed typo in path to is_safe_url() --- docs/releases/1.4.13.txt | 2 +- docs/releases/1.4.18.txt | 2 +- docs/releases/1.4.6.txt | 2 +- docs/releases/1.5.2.txt | 2 +- docs/releases/1.5.8.txt | 2 +- docs/releases/1.6.10.txt | 2 +- docs/releases/1.6.5.txt | 2 +- docs/releases/1.7.3.txt | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/releases/1.4.13.txt b/docs/releases/1.4.13.txt index 978f93580cc..14e5af9a0d1 100644 --- a/docs/releases/1.4.13.txt +++ b/docs/releases/1.4.13.txt @@ -39,7 +39,7 @@ Django relies on user input in some cases (e.g. :func:`django.contrib.auth.views.login`, ``django.contrib.comments``, and :doc:`i18n `) to redirect the user to an "on success" URL. The security checks for these redirects (namely -``django.util.http.is_safe_url()``) did not correctly validate some malformed +``django.utils.http.is_safe_url()``) did not correctly validate some malformed URLs, such as `http:\\\\\\djangoproject.com`, which are accepted by some browsers with more liberal URL parsing. diff --git a/docs/releases/1.4.18.txt b/docs/releases/1.4.18.txt index b154d872fa8..418808d6cc6 100644 --- a/docs/releases/1.4.18.txt +++ b/docs/releases/1.4.18.txt @@ -37,7 +37,7 @@ Mitigated possible XSS attack via user-supplied redirect URLs Django relies on user input in some cases (e.g. :func:`django.contrib.auth.views.login` and :doc:`i18n `) to redirect the user to an "on success" URL. The security checks for these -redirects (namely ``django.util.http.is_safe_url()``) didn't strip leading +redirects (namely ``django.utils.http.is_safe_url()``) didn't strip leading whitespace on the tested URL and as such considered URLs like ``\njavascript:...`` safe. If a developer relied on ``is_safe_url()`` to provide safe redirect targets and put such a URL into a link, they could suffer 
diff --git a/docs/releases/1.4.6.txt b/docs/releases/1.4.6.txt index e6ed040c425..9aaecb5241e 100644 --- a/docs/releases/1.4.6.txt +++ b/docs/releases/1.4.6.txt @@ -16,7 +16,7 @@ Django relies on user input in some cases (e.g. :func:`django.contrib.auth.views.login`, ``django.contrib.comments``, and :doc:`i18n `) to redirect the user to an "on success" URL. The security checks for these redirects (namely -``django.util.http.is_safe_url()``) didn't check if the scheme is ``http(s)`` +``django.utils.http.is_safe_url()``) didn't check if the scheme is ``http(s)`` and as such allowed ``javascript:...`` URLs to be entered. If a developer relied on ``is_safe_url()`` to provide safe redirect targets and put such a URL into a link, they could suffer from a XSS attack. This bug doesn't affect diff --git a/docs/releases/1.5.2.txt b/docs/releases/1.5.2.txt index 01147951b73..1e6a448948f 100644 --- a/docs/releases/1.5.2.txt +++ b/docs/releases/1.5.2.txt @@ -13,7 +13,7 @@ Django relies on user input in some cases (e.g. :func:`django.contrib.auth.views.login`, ``django.contrib.comments``, and :doc:`i18n `) to redirect the user to an "on success" URL. The security checks for these redirects (namely -``django.util.http.is_safe_url()``) didn't check if the scheme is ``http(s)`` +``django.utils.http.is_safe_url()``) didn't check if the scheme is ``http(s)`` and as such allowed ``javascript:...`` URLs to be entered. If a developer relied on ``is_safe_url()`` to provide safe redirect targets and put such a URL into a link, they could suffer from a XSS attack. This bug doesn't affect diff --git a/docs/releases/1.5.8.txt b/docs/releases/1.5.8.txt index 16d3db65cdb..93ad815cec8 100644 --- a/docs/releases/1.5.8.txt +++ b/docs/releases/1.5.8.txt 
@@ -39,7 +39,7 @@ Django relies on user input in some cases (e.g. :func:`django.contrib.auth.views.login`, ``django.contrib.comments``, and :doc:`i18n `) to redirect the user to an "on success" URL. The security checks for these redirects (namely -``django.util.http.is_safe_url()``) did not correctly validate some malformed +``django.utils.http.is_safe_url()``) did not correctly validate some malformed URLs, such as `http:\\\\\\djangoproject.com`, which are accepted by some browsers with more liberal URL parsing. diff --git a/docs/releases/1.6.10.txt b/docs/releases/1.6.10.txt index a559bfc3cd0..e99a8256a7f 100644 --- a/docs/releases/1.6.10.txt +++ b/docs/releases/1.6.10.txt @@ -36,7 +36,7 @@ Mitigated possible XSS attack via user-supplied redirect URLs Django relies on user input in some cases (e.g. :func:`django.contrib.auth.views.login` and :doc:`i18n `) to redirect the user to an "on success" URL. The security checks for these -redirects (namely ``django.util.http.is_safe_url()``) didn't strip leading +redirects (namely ``django.utils.http.is_safe_url()``) didn't strip leading whitespace on the tested URL and as such considered URLs like ``\njavascript:...`` safe. If a developer relied on ``is_safe_url()`` to provide safe redirect targets and put such a URL into a link, they could suffer diff --git a/docs/releases/1.6.5.txt b/docs/releases/1.6.5.txt index 4aa727e8c88..cacb522af89 100644 --- a/docs/releases/1.6.5.txt +++ b/docs/releases/1.6.5.txt @@ -39,7 +39,7 @@ Django relies on user input in some cases (e.g. :func:`django.contrib.auth.views.login`, ``django.contrib.comments``, and :doc:`i18n `) to redirect the user to an "on success" URL. The security checks for these redirects (namely -``django.util.http.is_safe_url()``) did not correctly validate some malformed +``django.utils.http.is_safe_url()``) did not correctly validate some malformed URLs, such as `http:\\\\\\djangoproject.com`, which are accepted by some browsers with more liberal URL parsing. 
diff --git a/docs/releases/1.7.3.txt b/docs/releases/1.7.3.txt index 46785bf4a62..2f3c9c7f496 100644 --- a/docs/releases/1.7.3.txt +++ b/docs/releases/1.7.3.txt @@ -36,7 +36,7 @@ Mitigated possible XSS attack via user-supplied redirect URLs Django relies on user input in some cases (e.g. :func:`django.contrib.auth.views.login` and :doc:`i18n `) to redirect the user to an "on success" URL. The security checks for these -redirects (namely ``django.util.http.is_safe_url()``) didn't strip leading +redirects (namely ``django.utils.http.is_safe_url()``) didn't strip leading whitespace on the tested URL and as such considered URLs like ``\njavascript:...`` safe. If a developer relied on ``is_safe_url()`` to provide safe redirect targets and put such a URL into a link, they could suffer
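Review bot: in the 1.4.13, 1.5.8 and 1.6.5 hunks the unchanged context line `URLs, such as `http:\\\\\\djangoproject.com`, which are accepted by some` wraps the example URL in single backticks, which reStructuredText treats as interpreted text under the default role rather than as an inline literal, so the run of backslashes may not render verbatim; since these lines are being touched anyway, consider switching that span to the double-backtick form already used for ``django.utils.http.is_safe_url()`` on the corrected line directly above it, so the malformed-URL example displays exactly as written.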
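Review bot: the 1.4.6 and 1.5.2 hunks end with the context line `into a link, they could suffer from a XSS attack. This bug doesn't affect`, where "a XSS attack" should read "an XSS attack"; given this commit is already a wording fix across the same set of release notes, folding that correction into the same change would keep the edited paragraphs consistent.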