July 8, 2015
Django 1.4.21 fixes several security issues in 1.4.20.
In previous versions of Django, the session backends created a new empty record
in the session storage anytime
request.session was accessed and there was a
session key provided in the request cookies that didn’t already have a session
record. This could allow an attacker to easily create many new session records
simply by sending repeated requests with unknown session keys, potentially
filling up the session store or causing other users’ session records to be
The built-in session backends now create a session record only if the session is actually modified; empty session records are not created. Thus this potential DoS is now only possible if the site chooses to expose a session-modifying view to anonymous users.
As each built-in session backend was fixed separately (rather than a fix in the core sessions framework), maintainers of third-party session backends should check whether the same vulnerability is present in their backend and correct it if so.
Some of Django’s built-in validators
EmailValidator, most seriously) didn’t
prohibit newline characters (due to the usage of
$ instead of
\Z in the
regular expressions). If you use values with newlines in HTTP response or email
headers, you can suffer from header injection attacks. Django itself isn’t
HttpResponse and the mail sending
django.core.mail prohibit newlines in HTTP and SMTP
headers, respectively. While the validators have been fixed in Django, if
you’re creating HTTP responses or email messages in other ways, it’s a good
idea to ensure that those methods prohibit newlines as well. You might also
want to validate that any existing data in your application doesn’t contain
URLValidator and their usage in the
corresponding form fields
URLField are also affected.
The undocumented, internally unused
validate_integer() function is now
stricter as it validates using a regular expression instead of simply casting
the value using
int() and checking if an exception was raised.