On September 8, 2010, the Django developers released version 1.2.2 to close a vulnerability that allowed attackers to mount XSS attacks. Ironically, the XSS bug sat in the code of the subsystem that protects against a different kind of attack, CSRF. That subsystem was substantially reworked in version 1.2 (in earlier versions CSRF protection was not part of the framework proper but an optional add-on layer, the contrib CSRF middleware).
The essence
CSRF protection works on the following principle: a random sequence (the token) is generated, inserted into a hidden form field, and the same sequence is written into a dedicated cookie. When the form is submitted, the value of the hidden field and the value of the cookie are compared; if they match, the form is deemed to have been submitted by a legitimate user. A third-party site can make the victim's browser send the request (and the cookie with it), but it cannot read the cookie, so it cannot supply a matching value in the hidden field.
Now about the vulnerability itself. As it turned out, the template tag {% csrf_token %}, which inserts the HTML of the hidden field into the form, trusts the token value unconditionally and inserts it without escaping. The token value is taken straight from the cookie. So an attacker who can plant a cookie in the victim's browser (for example from a sibling subdomain, or through any other bug that lets them set cookies for the site) could put HTML into the cookie value and thereby have it embedded into the page.
Vulnerable versions
- the current trunk version
- Django 1.2.x
Versions before 1.2 are not affected.
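To make the mechanism and the bug concrete, here is a small Python model. It is an added example, not Django's own code: it reproduces the double-submit check described above, a csrf_token tag that drops the cookie value into the markup verbatim the way the vulnerable tag did, and a hardened variant that whitelists the token to alphanumerics and HTML-escapes it before rendering. The cookie name, the field name, the 32-character token format and the forged cookie value are assumptions made for this example.

```python
import hmac
import html
import re
import secrets

# Assumptions for this example (not Django's own constants): a 32-character
# alphanumeric token carried in a cookie called "csrftoken" and mirrored into
# a hidden field called "csrfmiddlewaretoken".
COOKIE_NAME = "csrftoken"
FIELD_NAME = "csrfmiddlewaretoken"
HIDDEN_FIELD = "<div style='display:none'><input type='hidden' name='%s' value='%s' /></div>"


def new_token():
    """Random token that is set as the cookie and mirrored into the form."""
    return secrets.token_hex(16)  # 32 hex characters


def vulnerable_csrf_token_tag(cookie_token):
    """Models the pre-1.2.2 tag: whatever the cookie holds lands in the HTML unescaped."""
    return HIDDEN_FIELD % (FIELD_NAME, cookie_token)


def sanitize_token(raw):
    """Whitelist the cookie value to [A-Za-z0-9]. A cookie that sanitizes to
    nothing (e.g. truncated or wholly bogus) is replaced by a fresh token
    instead of being trusted; a real middleware would also re-set the cookie."""
    cleaned = re.sub(r"[^A-Za-z0-9]", "", raw or "")
    return cleaned or new_token()


def hardened_csrf_token_tag(cookie_token):
    """Sanitize first, and still escape on output: the template should never
    assume the value it renders is safe (defence in depth)."""
    safe = html.escape(sanitize_token(cookie_token), quote=True)
    return HIDDEN_FIELD % (FIELD_NAME, safe)


def verify_post(cookies, form):
    """The double-submit check: the hidden field must equal the cookie.
    A constant-time comparison avoids leaking the token byte by byte."""
    cookie_token = cookies.get(COOKIE_NAME, "")
    form_token = form.get(FIELD_NAME, "")
    return bool(cookie_token) and hmac.compare_digest(cookie_token, form_token)


# Constructed cookie value an attacker might plant in the victim's browser
# (e.g. from a sibling subdomain); breaks out of the value='...' attribute.
FORGED_COOKIE = "x'><script>alert(1)</script>"


def demo():
    """Legitimate round trip, a cross-site guess, and both tags fed the forged cookie."""
    legit = new_token()
    ok = verify_post({COOKIE_NAME: legit}, {FIELD_NAME: legit})
    guess = verify_post({COOKIE_NAME: legit}, {FIELD_NAME: "attacker-guess"})
    return ok, guess, vulnerable_csrf_token_tag(FORGED_COOKIE), hardened_csrf_token_tag(FORGED_COOKIE)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Note where the trust boundary sits: the cookie is attacker-influenced input like any other header, so it has to be validated before the template ever sees it, and escaping on output stays in place regardless. The forged value above only reaches the page in the first place because the attacker can set a cookie for the site, which is why the page describes the attack as potential rather than remotely exploitable by anyone.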
Solution to the problem
The developers advise all users of the 1.2 branch to upgrade to 1.2.2 immediately, and note that no advance notification was issued this time.
You can also apply the patch manually, or look at the diff to better understand the nature of the vulnerability.
See also
P.S. It is strange that for almost 24 hours they paid little attention to the news, although some responded quickly.