pkgsrc-Changes archive


CVS commit: pkgsrc/www/py-django



Module Name:    pkgsrc
Committed By:   adam
Date:           Thu Sep  9 13:34:05 UTC 2010

Modified Files:
        pkgsrc/www/py-django: Makefile PLIST distinfo

Log Message:
Changes 1.2.2:
As of the 1.2 release, the core Django framework includes a system, enabled by
default, for detecting and preventing cross-site request forgery (CSRF) attacks
against Django-powered applications. Previous Django releases provided
a different, optionally-enabled system for the same purpose.

The Django 1.2 CSRF protection system involves the generation of a random
token, inserted as a hidden field in outgoing forms. The same value is also
set in a cookie, and the cookie value and form value are compared on submission.

The provided template tag for inserting the CSRF token into forms --
{% csrf_token %} -- explicitly trusts the cookie value, and displays it as-is.
Thus, an attacker who is able to tamper with the value of the CSRF cookie can
cause arbitrary content to be inserted, unescaped, into the outgoing HTML of
the form, enabling cross-site scripting (XSS) attacks.

This issue was first reported via a public ticket in Django's Trac instance;
while being triaged it was then independently reported, with broader
description, by Jeff Balogh of Mozilla.
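As an added illustration (not part of this commit or of Django's own code), the rendering and submission-check logic described above in plain Python: one renderer that trusts the cookie value as-is, beside one that only accepts tokens in an assumed 32-character alphanumeric format, regenerates otherwise, and HTML-escapes what it emits. The token format, `sanitize_token` and the constructed cookie values are assumptions for this example.

```python
import hmac
import html
import re
import secrets

# Assumed token shape for this example: 32 alphanumeric characters.
TOKEN_RE = re.compile(r"^[A-Za-z0-9]{32}$")
FIELD = "<input type='hidden' name='csrfmiddlewaretoken' value='%s' />"


def render_csrf_field_unsafe(cookie_value):
    # Mirrors the behaviour described in the log: the cookie value is
    # trusted and interpolated into the form without escaping.
    return FIELD % cookie_value


def sanitize_token(cookie_value):
    # Keep a cookie value only if it looks like a real token; otherwise
    # issue a fresh one so tampered content never reaches the template.
    if cookie_value is not None and TOKEN_RE.match(cookie_value):
        return cookie_value
    return secrets.token_hex(16)  # 32 hex chars, satisfies TOKEN_RE


def render_csrf_field_safe(cookie_value):
    # Validate first, then escape as defence in depth.
    token = sanitize_token(cookie_value)
    return FIELD % html.escape(token, quote=True)


def submission_is_valid(cookie_value, form_value):
    # The check performed on POST: both values must be well-formed tokens
    # and equal; compare in constant time.
    if not (cookie_value and form_value):
        return False
    if not (TOKEN_RE.match(cookie_value) and TOKEN_RE.match(form_value)):
        return False
    return hmac.compare_digest(cookie_value, form_value)


# Constructed sample cookie values: one genuine token, one tampered value
# carrying markup that breaks out of the value attribute.
GOOD_TOKEN = "a" * 32
TAMPERED = "x'><b>injected</b><input value='"
```

With `TAMPERED`, the unsafe renderer emits the `<b>` markup verbatim, while the safe renderer discards the value and emits a fresh, escaped token; a submission whose cookie and form values are both tampered is rejected even though they match.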


To generate a diff of this commit:
cvs rdiff -u -r1.25 -r1.26 pkgsrc/www/py-django/Makefile
cvs rdiff -u -r1.16 -r1.17 pkgsrc/www/py-django/PLIST
cvs rdiff -u -r1.13 -r1.14 pkgsrc/www/py-django/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



Home | Main Index | Thread Index | Old Index