pkgsrc-Changes archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
CVS commit: pkgsrc/www/py-django
Module Name: pkgsrc
Committed By: adam
Date: Thu Sep 9 13:34:05 UTC 2010
Modified Files:
pkgsrc/www/py-django: Makefile PLIST distinfo
Log Message:
Changes 1.2.2:
As of the 1.2 release, the core Django framework includes a system, enabled by
default, for detecting and preventing cross-site request forgery (CSRF) attacks
against Django-powered applications. Previous Django releases provided
a different, optionally-enabled system for the same purpose.
The Django 1.2 CSRF protection system involves the generation of a random
token, inserted as a hidden field in outgoing forms. The same value is also
set in a cookie, and the cookie value and form value are compared on submission.
The provided template tag for inserting the CSRF token into forms --
{% csrf_token %} -- explicitly trusts the cookie value, and displays it as-is.
Thus, an attacker who is able to tamper with the value of the CSRF cookie can
cause arbitrary content to be inserted, unescaped, into the outgoing HTML of
the form, enabling cross-site scripting (XSS) attacks.
This issue was first reported via a public ticket in Django's Trac instance;
while being triaged it was then independently reported, with broader
description, by Jeff Balogh of Mozilla.
To generate a diff of this commit:
cvs rdiff -u -r1.25 -r1.26 pkgsrc/www/py-django/Makefile
cvs rdiff -u -r1.16 -r1.17 pkgsrc/www/py-django/PLIST
cvs rdiff -u -r1.13 -r1.14 pkgsrc/www/py-django/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Home |
Main Index |
Thread Index |
Old Index