April 4, 2017
Django 1.9.13 fixes two security issues and a bug in 1.9.12. This is the final release of the 1.9.x series.
Django relies on user input in some cases (e.g.
django.contrib.auth.views.login() and i18n)
to redirect the user to an “on success” URL. The security check for these
django.utils.http.is_safe_url()) considered some numeric
http:999999999) “safe” when they shouldn’t be.
Also, if a developer relies on
is_safe_url() to provide safe redirect
targets and puts such a URL into a link, they could suffer from an XSS attack.
A maliciously crafted URL to a Django site using the
serve() view could redirect to any other domain. The
view no longer does any redirects as they don’t provide any known, useful
Note, however, that this view has always carried a warning that it is not hardened for production use and should be used only as a development aid.
Fixed a regression in the
timeuntil filters that caused
incorrect results for dates in a leap year (#27637).