The Django project reports the following issue:

"""
Django relies on user input in some cases (e.g. ``django.contrib.auth.views.login()`` and i18n) to redirect the user to an "on success" URL. The security checks for these redirects (namely ``django.utils.http.is_safe_url()``) didn't strip leading whitespace on the tested URL and as such considered URLs like ``\njavascript:...`` safe. If a developer relied on ``is_safe_url()`` to provide safe redirect targets and put such a URL into a link, they could suffer from an XSS attack.

This bug doesn't affect Django currently, since we only put this URL into the ``Location`` response header and browsers seem to ignore JavaScript there.
"""

This issue is resolved in the upstream versions 1.7.3, 1.6.10, and 1.4.18. Note that Django 1.5 is no longer receiving security updates.

Acknowledgements:

Red Hat would like to thank the upstream Django project for reporting this issue.
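The root cause described above is a parser differential: the URL parser behind the old check does not recognise a scheme when the string starts with whitespace, while a browser strips that whitespace (and removes embedded tabs and newlines) before reading the scheme. The following is an added illustration, not Django's own code and not the attached patches: it uses a minimal, hypothetical scheme/netloc splitter (``split_url``) that mirrors the lenient parsing the old check relied on, a ``browser_scheme`` helper that models the browser-side normalisation, and two hypothetical checks, ``is_safe_url_old`` (no stripping, the behaviour described in the report) and ``is_safe_url_fixed`` (strips surrounding whitespace as the upstream fix does and additionally rejects embedded control characters).

```python
"""Constructed demonstration of the is_safe_url() leading-whitespace bug.

None of this is Django code; split_url() is a deliberately small parser
used only to show why "\njavascript:..." looked scheme-less to the check
but not to the browser.
"""
import string

SCHEME_CHARS = string.ascii_letters + string.digits + "+-."
SAFE_SCHEMES = ("http", "https")
# C0 controls and space: the characters a WHATWG-style parser strips from
# the ends of a URL before parsing it.
C0_AND_SPACE = "".join(map(chr, range(0x21)))


def split_url(url):
    """Return (scheme, netloc) the lenient way: a scheme is only recognised
    when every character before the first ':' is a valid scheme character.
    A leading newline therefore hides the scheme completely."""
    scheme, rest = "", url
    i = url.find(":")
    if i > 0 and all(c in SCHEME_CHARS for c in url[:i]):
        scheme, rest = url[:i].lower(), url[i + 1:]
    netloc = ""
    if rest.startswith("//"):
        netloc = rest[2:].split("/", 1)[0]
    return scheme, netloc


def browser_scheme(url):
    """Model the scheme a browser sees: surrounding C0/space characters are
    stripped and embedded tab/newline characters are removed first."""
    url = url.strip(C0_AND_SPACE)
    for ch in "\t\n\r":
        url = url.replace(ch, "")
    return split_url(url)[0]


def is_safe_url_old(url, host=None):
    """Vulnerable variant (hypothetical): the URL is parsed as given, so a
    whitespace-prefixed javascript: URL has no scheme and passes."""
    if not url:
        return False
    scheme, netloc = split_url(url)
    return (not netloc or netloc == host) and (not scheme or scheme in SAFE_SCHEMES)


def is_safe_url_fixed(url, host=None):
    """Hardened variant (hypothetical): normalise before deciding.
    Surrounding whitespace is stripped (the upstream fix) and any remaining
    C0 control character makes the URL unsafe outright, since a browser
    would silently drop tabs/newlines and change the parse."""
    if url is None:
        return False
    url = url.strip()
    if not url or any(ord(c) < 0x20 for c in url):
        return False
    scheme, netloc = split_url(url)
    return (not netloc or netloc == host) and (not scheme or scheme in SAFE_SCHEMES)


def differential(url):
    """Convenience view of the mismatch: (scheme the old check saw, scheme
    the browser sees, old verdict, fixed verdict)."""
    return (split_url(url)[0], browser_scheme(url),
            is_safe_url_old(url), is_safe_url_fixed(url))


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real request.
    for sample in ("\njavascript:alert(1)", "java\tscript:alert(1)",
                   "/accounts/profile/", "https://evil.example/next"):
        print(repr(sample), differential(sample))
```

The interesting rows are the first two: the old check reports no scheme and returns True, the browser model reports ``javascript``, and the hardened check returns False. The same whitespace that defeats the old check is harmless in a ``Location`` header, which is why the report says Django's own redirect views were not affected; the risk is in templates that write the "validated" value into an ``href``.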
Created attachment 977186: is_safe_url-1.4.x.patch
Created attachment 977187: is_safe_url-1.6.x.patch
Created attachment 977188: is_safe_url-1.7.x.patch
Created attachment 977189: is_safe_url-master.patch
Created python-django tracking bugs for this issue: Affects: fedora-all [bug 1181943] Affects: epel-7 [bug 1181945]
Created python-django14 tracking bugs for this issue: Affects: fedora-20 [bug 1181944]
Created Django14 tracking bugs for this issue: Affects: epel-6 [bug 1181954]
External References: https://www.djangoproject.com/weblog/2015/jan/13/security/
python-django-1.6.10-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
python-django14-1.4.18-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
python-django-1.6.10-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
All related BZs have been closed already.