django/docs/releases/1.4.6.txt

==========================
Django 1.4.6 release notes
==========================

*August 13, 2013*

Django 1.4.6 fixes one security issue present in previous Django releases in
the 1.4 series, as well as one other bug.

This is the sixth bugfix/security release in the Django 1.4 series.

Mitigated possible XSS attack via user-supplied redirect URLs
-------------------------------------------------------------

Django relies on user input in some cases (e.g.
:func:`django.contrib.auth.views.login`, ``django.contrib.comments``, and
:doc:`i18n </topics/i18n/index>`) to redirect the user to an "on success" URL.
The security checks for these redirects (namely
``django.util.http.is_safe_url()``) didn't check if the scheme is ``http(s)``
and as such allowed ``javascript:...`` URLs to be entered. If a developer
relied on ``is_safe_url()`` to provide safe redirect targets and put such a
URL into a link, they could suffer from a XSS attack. This bug doesn't affect
Django currently, since we only put this URL into the ``Location`` response
header and browsers seem to ignore JavaScript there.

Bugfixes
========

* Fixed an obscure bug with the :func:`~django.test.override_settings`
  decorator. If you hit an ``AttributeError: 'Settings' object has no attribute
  '_original_allowed_hosts'`` exception, it's probably fixed (#20636).
Added 1.4.6/1.5.2 release notes. 2013-08-14 00:16:30 +08:00			`==========================`
			`Django 1.4.6 release notes`
			`==========================`

			`August 13, 2013`

			`Django 1.4.6 fixes one security issue present in previous Django releases in`
			`the 1.4 series, as well as one other bug.`

			`This is the sixth bugfix/security release in the Django 1.4 series.`

			`Mitigated possible XSS attack via user-supplied redirect URLs`
			`-------------------------------------------------------------`

			`Django relies on user input in some cases (e.g.`
Removed contrib.comments per deprecation timeline. 2014-03-21 19:05:36 +08:00			:func:`django.contrib.auth.views.login`, ``django.contrib.comments``, and
Added 1.4.6/1.5.2 release notes. 2013-08-14 00:16:30 +08:00			:doc:`i18n </topics/i18n/index>`) to redirect the user to an "on success" URL.
			`The security checks for these redirects (namely`
			``django.util.http.is_safe_url()``) didn't check if the scheme is ``http(s)``
			and as such allowed ``javascript:...`` URLs to be entered. If a developer
			relied on ``is_safe_url()`` to provide safe redirect targets and put such a
Removed gender-based pronouns per [c0a2daad78]. 2013-11-30 21:37:15 +08:00			`URL into a link, they could suffer from a XSS attack. This bug doesn't affect`
Added 1.4.6/1.5.2 release notes. 2013-08-14 00:16:30 +08:00			Django currently, since we only put this URL into the ``Location`` response
			`header and browsers seem to ignore JavaScript there.`

			`Bugfixes`
			`========`

Fixed #19885 -- cleaned up the django.test namespace * override_settings may now be imported from django.test * removed Approximate from django.test * updated documentation for things importable from django.test Thanks akaariai for the suggestion. 2013-09-09 16:59:47 +08:00			* Fixed an obscure bug with the :func:`~django.test.override_settings`
Added 1.4.6/1.5.2 release notes. 2013-08-14 00:16:30 +08:00			decorator. If you hit an ``AttributeError: 'Settings' object has no attribute
			'_original_allowed_hosts'`` exception, it's probably fixed (#20636).