Django 的开发团队致力于负责任地报告和披露与安全相关的问题,正如 Django 的安全政策 所概述的那样。
作为该承诺的一部分,我们保留了以下已修复和披露的历史问题清单。对于每个问题,下面的列表包括日期、简要描述、CVE 标识符 (如果适用)、受影响版本的列表、到完整披露的链接以及到适当补丁的链接。
一些重要的注意事项适用于这些信息:
所有的安全问题都已经在 Django 的安全进程的版本下处理。这些版本列举如下。
Potential bypass of validation when uploading multiple files using one form field. Full description
Potential denial-of-service vulnerability in file uploads. Full description
Potential denial-of-service via Accept-Language
headers. Full description
Potential denial-of-service vulnerability in internationalized URLs. Full description
Potential reflected file download vulnerability in FileResponse. Full description
Potential SQL injection via Trunc(kind)
and Extract(lookup_name)
arguments. Full description
Potential SQL injection in QuerySet.annotate()
, aggregate()
, and
extra()
. Full description
Potential SQL injection via QuerySet.explain(**options)
on PostgreSQL.
Full description
Possible XSS via {% debug %}
template tag. Full description
Denial-of-service possibility in file uploads. Full description
Potential directory-traversal via Storage.save()
. Full description
Potential information disclosure in dictsort
template filter. Full
description
Denial-of-service possibility in UserAttributeSimilarityValidator
. Full
description
Potential bypass of an upstream access control based on URL paths. Full description
潜在的 SQL 注入,通过未检验的 QuerySet.order_by()
输入。完整描述
可能通过 admindocs
进行目录遍历。完整描述
由于验证器接受 IPv4 地址中的前导零,因此可能出现不确定的 SSRF、RFI 和 LFI 攻击。完整描述
Header injection possibility since URLValidator
accepted newlines in input
on Python 3.9.5+. Full description
通过上传的文件进行潜在的目录遍历。完整描述
通过上传的文件进行潜在的目录遍历。完整描述
通过 django.utils.http.limited_parse_qsl()
进行的网络缓存中毒。完整描述。
通过 archive.extract()
进行潜在的目录遍历。完整说明
在 Python 3.7+ 上,文件系统缓存的中间层目录的权限升级。完整说明
在 Python 3.7+ 上,中间层目录的权限不正确。完整说明
可能通过管理 ForeignKeyRawIdWidget
进行 XSS。完整说明
通过畸形的 memcached 密钥可能造成数据泄露。完整说明
针对 Oracle 数据库, 通过 GIS 函数和聚合函数中的 tolerance
参数带来的潜在 SQL 注入。完整说明
通过 StringAgg(delimiter)
带来的潜在 SQL 注入。 完整说明
通过密码重置表单带来的潜在账户劫持。完整说明
在 Django 管理中的特权提升。完整说明
在 django.utils.encoding.uri_to_iri()
函数中潜在的内存耗尽。 完整说明
针对 JSONField
/HStoreField
在键和索引查询时带来的潜在 SQL 注入。 完整说明
存在于 strip_tags()
函数的拒绝服务攻击。完整说明
存在于 django.utils.text.Truncator
的拒绝服务攻击。完整说明
通过 HTTPS 连接反向代理的 HTTP 检测不正确。。完整说明
由 AdminURLFieldWidget
生成的 “Current URL” 连接引起的跨站脚本漏洞。完整说明
django.utils.numberformat.format()
中内存耗尽。完整说明
默认 404 页面存在内容欺骗的可能。完整说明
在 CommonMiddleware
中开放重定向的可能性。完整说明
truncatechars_html
和 truncatewords_html
模板过滤器中存在拒绝服务的可能性。完整说明
urlize
和 urlizetrunc
模板过滤器中存在拒绝服务的可能性。完整说明
AuthenticationForm
中的信息泄露。完整说明
在技术 500 调试页面的回溯部分可能存在 XSS。完整说明
django.views.static.service()
中的开放重定向漏洞。完整说明
通过用户提供的数字重定向 URL 打开重定向和可能的 XSS 攻击。完整说明
当 DEBUG=Tr
时,DNS 重绑定漏洞。完整说明
在 Oracle 上运行测试时创建的带有硬编码密码的用户。完整说明
在有 Google Analytics 的网站上绕过 CSRF 保护。完整说明
通过用户提供的包含基本认证的重定向 URL 进行恶意重定向和可能的 XSS 攻击。完整说明
拥有 “变更” 而非 “添加” 权限的用户可以用 “保存为 True” 为 ModelAdmin
创建对象。完整说明
Settings leak possibility in date
template filter. Full description
Denial-of-service possibility in logout()
view by filling session store.
Full description
Denial-of-service possibility in URL validation. Full description
Header injection possibility since validators accept newlines in input. Full description
Denial-of-service possibility by filling session store. Full description
Fixed session flushing in the cached_db backend. Full description
Mitigated possible XSS attack via user-supplied redirect URLs. Full description
Denial-of-service possibility with strip_tags()
. Full description
XSS attack via properties in ModelAdmin.readonly_fields
. Full description
Database denial-of-service with ModelMultipleChoiceField
. Full description
Denial-of-service attack against django.views.static.serve()
. Full
description
Mitigated possible XSS attack via user-supplied redirect URLs. Full description
WSGI header spoofing via underscore/dash conflation. Full description
Data leakage via querystring manipulation in admin. Full description
RemoteUserMiddleware
session hijacking. Full description
File upload denial of service. Full description
reverse()
can generate URLs pointing to other hosts. Full description
Malformed URLs from user input incorrectly validated. Full description
Caches may be allowed to store and serve private data. Full description
MySQL typecasting causes unexpected query results. Full description
Caching of anonymous pages could reveal CSRF token. Full description
Unexpected code execution using reverse()
. Full description
Denial-of-service via large passwords. Full description
Directory-traversal via ssi
template tag. Full description
Possible XSS via unvalidated URL redirect schemes. Full description
XSS via admin trusting URLField
values. Full description
Denial-of-service via formset max_num
bypass. Full description
Information leakage via admin history log. Full description
Entity-based attacks against Python XML libraries. Full description
Additional hardening of Host
header handling. Full description
Additional hardening of redirect validation. Full description
Additional hardening of Host
header handling. Full description
Host
header poisoning. Full description
Denial-of-service via large image files. Full description
Denial-of-service via compressed image files. Full description
XSS via failure to validate redirect scheme. Full description
Potential CSRF via Host
header. Full description
Host
header cache poisoning. Full description
Information leakage/arbitrary request issuance via URLField.verify_exists
.
Full description
Denial-of-service via URLField.verify_exists
. Full description
Session manipulation when using memory-cache-backed session. Full description
Directory-traversal on Windows via incorrect path-separator handling. Full description
XSS via unsanitized names of uploaded files. Full description
CSRF via forged HTTP headers. Full description
Denial-of-service in password-reset mechanism. Full description
界面管理中的信息泄漏`完整描述<https://www.djangoproject.com/weblog/2010/dec/22/security/>`__
XSS通过信任不安全的cookie值。完整描述<https://www.djangoproject.com/weblog/2010/sep/08/security-release/>`__
在管理员登录时通过保存 POST 数据进行 CSRF。完整说明
通过管理员登录重定向进行 XSS。完整说明
5月 31, 2023