mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-31 09:41:08 +00:00
Code Issues 32 Releases Wiki Activity

[1.11.x] Fixed CVE-2017-7234 -- Fixed open redirect vulnerability in views.static.serve().

Browse Source 
This is a security fix.
This commit is contained in:
Tim Graham
2017-03-14 12:33:15 -04:00
parent 839159b67e
commit 001ff50808
5 changed files with 38 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
docs/releases/1.10.7.txt
View File

@@ -6,6 +6,17 @@ Django 1.10.7 release notes
Django 1.10.7 fixes two security issues and a bug in 1.10.6.
CVE-2017-7234: Open redirect vulnerability in ``django.views.static.serve()``
=============================================================================
A maliciously crafted URL to a Django site using the
:func:`~django.views.static.serve` view could redirect to any other domain. The
view no longer does any redirects as they don't provide any known, useful
functionality.
Note, however, that this view has always carried a warning that it is not
hardened for production use and should be used only as a development aid.
Bugfixes
========

11
docs/releases/1.8.18.txt
View File

@@ -5,3 +5,14 @@ Django 1.8.18 release notes
*April 4, 2017*
Django 1.8.18 fixes two security issues in 1.8.17.
CVE-2017-7234: Open redirect vulnerability in ``django.views.static.serve()``
=============================================================================
A maliciously crafted URL to a Django site using the
:func:`~django.views.static.serve` view could redirect to any other domain. The
view no longer does any redirects as they don't provide any known, useful
functionality.
Note, however, that this view has always carried a warning that it is not
hardened for production use and should be used only as a development aid.

11
docs/releases/1.9.13.txt
View File

@@ -7,6 +7,17 @@ Django 1.9.13 release notes
Django 1.9.13 fixes two security issues and a bug in 1.9.12. This is the final
release of the 1.9.x series.
CVE-2017-7234: Open redirect vulnerability in ``django.views.static.serve()``
=============================================================================
A maliciously crafted URL to a Django site using the
:func:`~django.views.static.serve` view could redirect to any other domain. The
view no longer does any redirects as they don't provide any known, useful
functionality.
Note, however, that this view has always carried a warning that it is not
hardened for production use and should be used only as a development aid.
Bugfixes
========