/docs/releases/1.1.4.txt

https://code.google.com/p/mango-py/ · Plain Text · 68 lines · 51 code · 17 blank · 0 comment · 0 complexity · 09926718e21de2c5765cd837031f82e4 MD5 · raw file 

    

  1. ==========================
    2. 

  2. Django 1.1.4 release notes
    3. 

  3. ==========================
    4. 

  4. 

  5. Welcome to Django 1.1.4!
    6. 

  6. 

  7. This is the fourth "bugfix" release in the Django 1.1 series,
    8. 

  8. improving the stability and performance of the Django 1.1 codebase.
    9. 

  9. 

  10. With one exception, Django 1.1.4 maintains backwards compatibility
    11. 

  11. with Django 1.1.3. It also contains a number of fixes and other
    12. 

  12. improvements. Django 1.1.4 is a recommended upgrade for any
    13. 

  13. development or deployment currently using or targeting Django 1.1.
    14. 

  14. 

  15. For full details on the new features, backwards incompatibilities, and
    16. 

  16. deprecated features in the 1.1 branch, see the :doc:`/releases/1.1`.
    17. 

  17. 

  18. Backwards incompatible changes
    19. 

  19. ==============================
    20. 

  20. 

  21. CSRF exception for AJAX requests
    22. 

  22. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    23. 

  23. 

  24. Django includes a CSRF-protection mechanism, which makes use of a
    25. 

  25. token inserted into outgoing forms. Middleware then checks for the
    26. 

  26. token's presence on form submission, and validates it.
    27. 

    28. 

  28. Prior to Django 1.2.5, our CSRF protection made an exception for AJAX
    29. 

  29. requests, on the following basis:
    30. 

  30. 

  31.     * Many AJAX toolkits add an X-Requested-With header when using
    32. 

  32.       XMLHttpRequest.
    33. 

  33. 

  34.     * Browsers have strict same-origin policies regarding
    35. 

  35.       XMLHttpRequest.
    36. 

  36. 

  37.     * In the context of a browser, the only way that a custom header
    38. 

  38.       of this nature can be added is with XMLHttpRequest.
    39. 

  39. 

  40. Therefore, for ease of use, we did not apply CSRF checks to requests
    41. 

  41. that appeared to be AJAX on the basis of the X-Requested-With header.
    42. 

  42. The Ruby on Rails web framework had a similar exemption.
    43. 

  43. 

  44. Recently, engineers at Google made members of the Ruby on Rails
    45. 

  45. development team aware of a combination of browser plugins and
    46. 

  46. redirects which can allow an attacker to provide custom HTTP headers
    47. 

  47. on a request to any website. This can allow a forged request to appear
    48. 

  48. to be an AJAX request, thereby defeating CSRF protection which trusts
    49. 

  49. the same-origin nature of AJAX requests.
    50. 

  50. 

  51. Michael Koziarski of the Rails team brought this to our attention, and
    52. 

  52. we were able to produce a proof-of-concept demonstrating the same
    53. 

  53. vulnerability in Django's CSRF handling.
    54. 

    55. 

  55. To remedy this, Django will now apply full CSRF validation to all
    56. 

  56. requests, regardless of apparent AJAX origin. This is technically
    57. 

  57. backwards-incompatible, but the security risks have been judged to
    58. 

  58. outweigh the compatibility concerns in this case.
    59. 

  59. 

  60. Additionally, Django will now accept the CSRF token in the custom HTTP
    61. 

  61. header X-CSRFTOKEN, as well as in the form submission itself, for ease
    62. 

  62. of use with popular JavaScript toolkits which allow insertion of
    63. 

  63. custom headers into all AJAX requests.
    64. 

  64. 

  65. Please see the :ref:`CSRF docs for example jQuery code <csrf-ajax>`
    66. 

  66. that demonstrates this technique, ensuring that you are looking at the
    67. 

  67. documentation for your version of Django, as the exact code necessary
    68. 

  68. is different for some older versions of Django.
    69.