The Django administration application, as a convenience for users whose sessions expire, will attempt to preserve HTTP POST data from an incoming submission while re-authenticating the user, and will -- on successful authentication -- allow the submission to continue without requiring data to be re-entered.
Django developer Simon Willison has presented the Django development team with a proof-of-concept cross-site request forgery (CSRF) which exploits this behavior to perform unrequested deletion/modification of data. This exploit has been tested and verified by the Django team, and succeeds regardless of whether Django's bundled CSRF-protection module is active.
Affected versions:
* Django development trunk
* Django 0.96
* Django 0.95
* Django 0.91
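The behaviour described in the advisory, as an added example that is not code from Django or from the advisory: a toy model of the admin's preserve-and-replay login flow beside the hardened variant that discards the preserved POST data and makes the user resubmit. All names here are hypothetical.

```python
# Added example, not Django's own code: models the admin's "keep POST data
# across re-login" behaviour so the CSRF path and the mitigation (discard
# the preserved data, require a fresh submission) can be compared.
from dataclasses import dataclass, field

@dataclass
class Request:
    post: dict = field(default_factory=dict)
    session_valid: bool = False

def delete_view(request, objects):
    """The protected admin action: removes the listed objects."""
    for pk in request.post.get("delete", []):
        objects.discard(pk)
    return "deleted"

def admin_entry(request, objects, preserve_post):
    """Admin entry point. With a live session the action runs; with an
    expired session a login form is returned. The vulnerable variant
    embeds the incoming POST fields in that form as hidden inputs."""
    if request.session_valid:
        return delete_view(request, objects), {}
    hidden = dict(request.post) if preserve_post else {}
    return "login_form", hidden

def admin_login(credentials_ok, hidden, objects, preserve_post):
    """Handles the login form POST. Vulnerable variant: on success, replay
    the preserved submission as if the user had just made it. Hardened
    variant: log the user in and require them to resubmit on their own."""
    if not credentials_ok:
        return "login_failed"
    if preserve_post and hidden:
        replayed = Request(post=hidden, session_valid=True)
        return delete_view(replayed, objects)
    return "logged_in_resubmit_required"

def forged_post_takes_effect(preserve_post):
    """Constructed scenario: a cross-site form posts a deletion while the
    victim's admin session is expired, then the victim logs in on the
    form they are shown. Returns True if the object ended up deleted."""
    objects = {"article-1", "article-2"}
    forged = Request(post={"delete": ["article-1"]}, session_valid=False)
    page, hidden = admin_entry(forged, objects, preserve_post)
    assert page == "login_form"  # expired session: login form shown
    admin_login(True, hidden, objects, preserve_post)
    return "article-1" not in objects

if __name__ == "__main__":
    print("vulnerable:", forged_post_takes_effect(True))   # True
    print("hardened:", forged_post_takes_effect(False))    # False
```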
The update to 0.96 removes some (limited to expiration of sessions) functionality, but retains overall backwards compatibility.
New tarball is here: http://www.djangoproject.com/download/0.96.3/tarball/
Bump of existing ebuild works.
Python herd, please bump as necessary.
dev-python/django-0.96.2 and 1.0 already in tree. Thanks Matt!
Thanks (fixing whiteboard).