August 13, 2013
Django 1.4.6 fixes one security issue present in previous Django releases in the 1.4 series, as well as one other bug.
This is the sixth bugfix/security release in the Django 1.4 series.
Django relies on user input in some cases (e.g.
i18n) to redirect the user to an "on success" URL.
The security checks for these redirects (namely
django.utils.http.is_safe_url()) didn't check if the scheme is
and as such allowed
is_safe_url() to provide safe redirect targets and put such a
URL into a link, they could suffer from a XSS attack. This bug doesn't affect
Django currently, since we only put this URL into the
override_settings()decorator. If you hit an
AttributeError: 'Settings' object has no attribute '_original_allowed_hosts'exception, it's probably fixed (#20636).