Django 1.2.2 release - security update
On September 8, 2010, the Django developers released 1.2.2 to close a vulnerability that could allow attackers to mount XSS attacks. Ironically, the XSS vulnerability was in the code of the very subsystem that protects against another kind of attack, CSRF. That subsystem was fundamentally reworked in version 1.2 (in earlier versions, CSRF protection was not part of the framework core and was only a pluggable layer).
Essence
Protection against CSRF works on the following principle: a random sequence (token) is generated, inserted into a hidden form field, and the same sequence is written into a dedicated cookie. When the form is submitted, the values of the hidden field and the cookie are compared; if they coincide, the form is considered to have been submitted by a legitimate user.
Now about the vulnerability itself: as it turned out, the template tag
{% csrf_token %}
used to insert the hidden field's HTML into the form unconditionally trusts the token value and inserts it without escaping. The token value is taken from the cookie. Thus an attacker who could forge the cookie could place HTML markup in its value and thereby have it embedded in the page.
Vulnerable versions
- Current trunk version
- Django 1.2.x
Solution
The developers urge all users of the 1.2 branch to upgrade to 1.2.2 immediately, and note that no advance notification was given.
You can apply the patch manually or read the diff to better understand the essence of the vulnerability.
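To make the essence concrete, here is an added illustration (not Django's own code, and not the actual patch): a double-submit CSRF check as described above, the hidden-field rendering that trusts the cookie value, and the same rendering with HTML escaping applied. The field name, helper names and the tampered cookie value are constructed for the example.

```python
# Added illustration modeled on the description above; not Django's own code.
import html
import secrets

FIELD_NAME = "csrfmiddlewaretoken"  # assumed field name for this example


def new_token():
    """Random token: stored in the CSRF cookie and echoed in the hidden form field."""
    return secrets.token_hex(16)


def render_csrf_field_vulnerable(cookie_token):
    """Pre-1.2.2 behaviour: the cookie value is inlined into the HTML unescaped."""
    return f'<input type="hidden" name="{FIELD_NAME}" value="{cookie_token}" />'


def render_csrf_field_fixed(cookie_token):
    """Post-fix behaviour: the cookie value is escaped before it reaches the page."""
    safe = html.escape(cookie_token, quote=True)
    return f'<input type="hidden" name="{FIELD_NAME}" value="{safe}" />'


def csrf_check(cookie_token, form_token):
    """Double-submit comparison of cookie and hidden field (constant-time)."""
    if not cookie_token or not form_token:
        return False
    return secrets.compare_digest(cookie_token, form_token)


# Constructed attacker-controlled cookie value that carries markup.
TAMPERED = 'x"><b>injected</b>'


def demo():
    """Show that only the escaped rendering keeps markup out of the page,
    while the token comparison itself behaves the same in both versions."""
    good = new_token()
    return {
        "vuln_contains_tag": "<b>" in render_csrf_field_vulnerable(TAMPERED),
        "fixed_contains_tag": "<b>" in render_csrf_field_fixed(TAMPERED),
        "match": csrf_check(good, good),
        "mismatch": csrf_check(good, new_token()),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the token comparison is not what was broken; the defect was purely in how the cookie value was written back into the template output.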
See also
- Security release issued - the original release text (this post is in fact a very free translation of it)
- Cross Site Request Forgery (CSRF)
- Cross Site Scripting (XSS)
PS: it is strange that for almost a day the news received little attention, although some reacted promptly.