Weblog

October archive

Security fix released

October 26, 2007

Today we're releasing a fix for a security vulnerability discovered in Django's internationalization framework. The complete details are below, but the executive summary is that you should updated to a fixed version of Django immediately.

We are releasing point-releases of all affected Django versions. You can download them at http://www.djangoproject.com/download/. Those tracking trunk development should "svn update" as soon as possible.

Please direct any questions about this release to django-users (http://groups.google.com/group/django-users).

Description of vulnerability

A per-process cache used by Django's internationalization ("i18n") system to store the results of translation lookups for particular values of the HTTP Accept-Language header used the full value of that header as a key. An attacker could take advantage of this by sending repeated requests with extremely large strings in the Accept-Language header, potentially causing a denial of service by filling available memory.

Due to limitations imposed by Web server software on the size of HTTP header fields, combined with reasonable limits on the number of requests which may be handled by a single server process over its lifetime, this vulnerability may be difficult to exploit. Additionally, it is only present when the "USE_I18N" setting in Django is "True" and the i18n middleware component is enabled*. Nonetheless, all users of affected versions of Django are encouraged to update.

Affected versions

  • Django trunk prior to revision [6608].
  • Django 0.96
  • Django 0.95 (including 0.95.1)
  • Django 0.91

Resolution

New versions of Django containing this fix have been released today which alter this caching mechanism to store shortened, normalized values and to reject improperly formatted headers.

These versions are called:

  • Django 0.96.1 (replaces Django 0.96)
  • Django 0.95.2 (replaces Django 0.95.1)
  • Django 0.91.1 (replaces Django 0.91.1)

Anyone using a stable Django release should upgrade to one of these point releases immediately. These fixed versions have already been provided to maintainers of Django packages for various OS distributions and should be released shortly.

Anyone tracking Django's trunk development should use Subversion to update to at least revision [6608].

Additionally, these fixes have been committed to the various "bugfixes" branches:

* This post originally failed to mention that the i18n middleware component must be enabled to trigger the bug.

Django roundup: October 7

October 7, 2007

After a short hiatus, the Django Roundups are back! Lets not waste any time and dive in:

  • Django news:
    • The Django Sprint that took place last month looks as if it went off without a hitch. Adrian Holovaty documented on the Google Code Blog the tremendous level of activity that took place over the course of a single weekend: “The sprint was intensely productive, with more than 400 tickets closed in the Django issue-tracking system, 300 new patches/ticket attachments and more than 200 commits to the Django code base. All told, there were more than 2,440 changes, including wiki changes, ticket changes, patch uploads and code check-ins.
    • Simon Willison has published another set of slides in his Advanced Django series. This version is nearly identical to the previous with a new section on newforms.
    • Siddhi Govindaraj has created a second Django tutorial in screencast format. Siddhi’s second video expands on the wiki application from his first video by adding wikkiwords and search capabilities.
  • Projects of note:
    • Django Gigs has launched and serves as a single place to find work as a Django developer, and for employers to find highly-qualified programmers who are proficient with Django.
    • James Bennett has updated his excellent django-registration application to version 0.3. This update adds a more customizable email subject line, configurable form classes, configurable templates, a maintenance script to clean out expired user accounts, expanded documentation, unicode updates, and locale support.
    • Django on Jython work has continued over the past month or so with additional strides made toward total compatibility. Leonardo Soto Muñoz provides a roundup of advancements as of September 13, 2007. Frank Wierzbicki, lead developer of Jython, is also maintaining a document of the current gaps between Django and Jython.
    • What The Form is an extension for Django’s newforms that allows a developer to design how the form will be displayed to the user. Meta attributes like fieldsets and columns can be defined by the developer within their models and can be nested as much as necessary.
    • Björn Kempén has launched a Django-powered BitTorrent tracker he calls Geektorrent.
  • Code snippets and tutorials:
  • New user groups and other miscellaneous news:

If you have any tips, project announcements, or generally interesting Django news, email me at clintecker+djangotips@gmail.com.