Django 1.4.6 and 1.5.2 were released to correct the following security flaw:
A common pattern in Django applications is for a view to accept, via querystring parameter, a URL to redirect to upon successful completion of the view's processing. This pattern is used in code bundled with Django itself; for example, the login view in django.contrib.auth.views, which accepts such a parameter to determine where to send a user following successful login.
A utility function -- django.utils.http.is_safe_url() -- is provided and used to validate that this URL is on the current host (either via fully-qualified or relative URL), so as to avoid potentially dangerous redirects from maliciously-constructed querystrings.
The is_safe_url() function works as intended for HTTP and HTTPS URLs, but due to the manner in which it parses the URL, will permit redirects to other schemes, such as javascript:. While the Django project is unaware of any demonstrated ability to perform cross-site scripting attacks via this mechanism, the potential for such is sufficient to trigger a security response.
To remedy this issue, the is_safe_url() function has been modified to properly recognize and reject URLs which specify a scheme other than HTTP or HTTPS.
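The check the fix adds, as an added illustration (not Django's own code): a host-only validator of the kind the advisory describes beside a hardened one that also restricts the scheme to HTTP or HTTPS, with a small helper that falls back to a default path. Function names, the host value and the sample URLs are assumptions chosen for the example.

```python
from urllib.parse import urlparse

ALLOWED_SCHEMES = ("http", "https")


def is_safe_url_host_only(url, host=None):
    # Host-only validation, as the advisory describes the pre-fix behaviour:
    # a URL with no network location (e.g. "javascript:...") has an empty
    # netloc, so the host check passes and the URL is treated as local.
    if not url:
        return False
    netloc = urlparse(url).netloc
    return not netloc or netloc == host


def is_safe_url(url, host=None):
    # Hardened validation: the URL must be relative or on the current host,
    # AND its scheme must be absent or one of http/https.
    if not url:
        return False
    parts = urlparse(url)
    host_ok = not parts.netloc or parts.netloc == host
    scheme_ok = not parts.scheme or parts.scheme in ALLOWED_SCHEMES
    return host_ok and scheme_ok


def safe_redirect_target(url, host, default="/"):
    # What a login-style view should do with a user-supplied "next" value:
    # use it only if it validates, otherwise fall back to a known-safe path.
    return url if is_safe_url(url, host) else default


if __name__ == "__main__":
    # Constructed sample inputs for a request whose Host header is example.com.
    for candidate in ["/accounts/profile/", "https://example.com/x",
                      "https://evil.example/", "//evil.example/",
                      "javascript:alert(1)"]:
        print(f"{candidate!r:32} host-only={is_safe_url_host_only(candidate, 'example.com')!s:5} "
              f"hardened={is_safe_url(candidate, 'example.com')}")
```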
The upstream patches are here:
https://github.com/django/django/commit/1a274ccd6bc1afbdac80344c9b6e5810c1162b5f (1.5)
https://github.com/django/django/commit/ec67af0bd609c412b76eaa4cc89968a2a8e5ad6a (1.4)
External References:
https://www.djangoproject.com/weblog/2013/aug/13/security-releases-issued/