Django 1.2 Cross-site Scripting Bug Quashed

by Developer.com Staff

All users of Django 1.2 are encouraged to upgrade to version 1.2.3 immediately. There's a serious security hole that can allow for cross-site scripting attacks.

All users of open source Python-based Web framework Django 1.2 are urged to upgrade to version 1.2.3 immediately.

Older versions of Django are unaffected.

A significant security bug was found and fixed in 1.2.2 involving cookies and cross-site scripting attacks. Here's how the announcement described it.

"As of the 1.2 release, the core Django framework includes a system, enabled by default, for detecting and preventing cross-site request forgery (CSRF) attacks against Django-powered applications. Previous Django releases provided a different, optionally-enabled system for the same purpose.

The Django 1.2 CSRF protection system involves the generation of a random token, inserted as a hidden field in outgoing forms. The same value is also set in a cookie, and the cookie value and form value are compared on submission.

The provided template tag for inserting the CSRF token into forms -- {% csrf_token %} -- explicitly trusts the cookie value, and displays it as-is. Thus, an attacker who is able to tamper with the value of the CSRF cookie can cause arbitrary content to be inserted, unescaped, into the outgoing HTML of the form, enabling cross-site scripting (XSS) attacks."

But before you upgrade to 1.2.2, the most current release is now 1.2.3, go with that one instead. The 1.2.2 security fix release broke some forms and the packaging manifest was incomplete. You can download it here.

This article was originally published on Monday Sep 13th 2010
Mobile Site | Full Site