The Django administration application, as a convenience for users whose sessions expire, will attempt to preserve HTTP POST data from an incoming submission while re-authenticating the user, and will -- on successful authentication -- allow the submission to continue without requiring data to be re-entered. Django developer Simon Willison has presented the Django development team with a proof-of-concept cross-site request forgery (CSRF) which exploits this behavior to perform unrequested deletion/modification of data. This exploit has been tested and verified by the Django team, and succeeds regardless of whether Django's bundled CSRF-protection module is active.

Affected versions

* Django development trunk
* Django 0.96
* Django 0.95
* Django 0.91
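To make the advisory's mechanism concrete, the following is an added, self-contained model of the login-on-session-expiry flow; it is illustration code written for this page, not Django's admin or middleware. The class and field names (AdminApp, Request, the "saved_" hidden-field prefix, the "/delete/<id>/" action) are invented for the example. The model assumes a session-bound CSRF token, so a request arriving with an expired session has no token to be checked against and the login form the site renders carries a valid one. Running simulate() with preserve_post=True reproduces the replay of the stashed POST after a successful login; with preserve_post=False (the fixed behaviour) the user is sent to the page with a plain GET and nothing is deleted.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    method: str
    path: str
    post: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)


class AdminApp:
    """Toy admin with one destructive action: POST /delete/<id>/ with confirm=yes."""

    def __init__(self, objects, preserve_post):
        self.objects = set(objects)          # stand-in for database rows
        self.preserve_post = preserve_post   # True models the pre-0.96.3 behaviour
        self.users = {"alice": "s3cret"}     # constructed credentials

    def csrf_ok(self, request):
        # Token is bound to the session. An expired/anonymous session has no
        # token to compare against, so only requests that already carry one are
        # checked (modelling assumption for this example).
        expected = request.session.get("csrf_token")
        if request.method != "POST" or expected is None:
            return True
        return request.post.get("csrfmiddlewaretoken") == expected

    def handle(self, request):
        if not self.csrf_ok(request):
            return {"status": 403}
        if "user" not in request.session:
            return self.render_login(request)
        return self.dispatch(request)

    def render_login(self, request):
        """Render the login form; optionally stash the incoming POST in hidden fields."""
        token = secrets.token_hex(8)
        request.session["csrf_token"] = token
        hidden = {"next": request.path}
        if self.preserve_post and request.method == "POST":
            # Vulnerable convenience: carry the original submission through the login.
            hidden.update({"saved_" + k: v for k, v in request.post.items()
                           if k != "csrfmiddlewaretoken"})
        return {"status": 200, "login_form": True, "hidden": hidden, "csrf_token": token}

    def login(self, request):
        """Handle the submitted login form (a POST carrying the form's own token)."""
        if not self.csrf_ok(request):
            return {"status": 403}
        if self.users.get(request.post.get("username")) != request.post.get("password"):
            return {"status": 401}
        request.session["user"] = request.post["username"]
        saved = {k[len("saved_"):]: v for k, v in request.post.items() if k.startswith("saved_")}
        if self.preserve_post and saved:
            # Vulnerable path: the stashed submission is replayed server-side as if
            # the user had just made it; the token check already passed on the login POST.
            replay = Request("POST", request.post["next"], post=saved, session=request.session)
            return self.dispatch(replay)
        # Fixed path: send the user on with a GET; a destructive action must be resubmitted deliberately.
        return {"status": 302, "location": request.post["next"]}

    def dispatch(self, request):
        parts = request.path.split("/")
        if (request.method == "POST" and parts[1] == "delete"
                and request.post.get("confirm") == "yes"):
            obj = int(parts[2])
            self.objects.discard(obj)
            return {"status": 200, "deleted": obj}
        return {"status": 200}


def simulate(preserve_post):
    """Run the flow once; return (final response, remaining object ids)."""
    app = AdminApp(objects={7, 8}, preserve_post=preserve_post)
    session = {}  # victim's session has expired: no user, no token
    # 1. A POST the victim did not intend (e.g. auto-submitted by another site) reaches the admin.
    incoming = Request("POST", "/delete/7/", post={"confirm": "yes"}, session=session)
    page = app.handle(incoming)
    assert page.get("login_form")
    # 2. The victim logs in through the form the site rendered; the browser sends the
    #    form's own valid token plus whatever hidden fields the form contained.
    login_post = {"username": "alice", "password": "s3cret",
                  "csrfmiddlewaretoken": page["csrf_token"], **page["hidden"]}
    result = app.login(Request("POST", "/login/", post=login_post, session=session))
    return result, sorted(app.objects)


if __name__ == "__main__":
    print("preserve_post=True :", simulate(True))
    print("preserve_post=False:", simulate(False))
```

The point for a reviewer is that the token check is not where the defect lives: the login form is rendered by the real site, so its token is valid, and the damage is done by the application replaying data it chose to keep across an authentication boundary. Discarding the stashed POST and continuing with a GET, as the 0.96.3 update does, removes the convenience but closes the hole.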
The update to 0.96 removes some (limited to expiration of sessions) functionality, but retains overall backwards compatibility. New tarball is here: http://www.djangoproject.com/download/0.96.3/tarball/ Bump of existing ebuild works.
Python herd, please bump as necessary.
Hello, dev-python/django-0.96.2 and 1.0 already in tree. Thanks Matt! Best regards,
Thanks (fixing whiteboard).