安全问题归档

Django的开发小组坚定地承诺，为报告和公开安全相关问题负责，这在Django的安全问题中列出。

作为承诺的一部分，我们保留了下面的问题的历史列表，这些问题已经被解决和公开。对于每个问题，下面的列表包含日期、简短的描述、CVE 标识符、受影响的版本列表、完整的页面链接以及相应补丁的连接。

有一些重要的附加说明：

• 列出的受影响版本只包含了在漏洞公开时期的Django稳定的安全支持发行版。这意味着，老的版本（安全支持已经过期），以及预发行版本（alpha/beta/RC）在漏洞公开的时期也可能会受影响，但是没有列出。
• Django项目偶尔会发布安全公告，指出潜在的安全问题，可能会由不合理的配置或其他Django本身以外的问题产生。这些公告中有一些收到了CVE；这种情况下，它们会在这里列出来，但是没有任何附加的补丁或者发行版，只有描述、公开信息和CVE。

Issues prior to Django’s security process

一些安全问题在Django具有规范化的安全处理流程之前被修复。对于这些问题，可能不会发布新的发行版，也不会分配CVE。

August 16, 2006 - CVE-2007-0404

CVE-2007-0404: 翻译框架中的文件名验证问题。Full description

Versions affected

• Django 0.90 (patch)
• Django 0.91 (patch)
• Django 0.95 (patch) (released January 21 2007)

January 21, 2007 - CVE-2007-0405

CVE-2007-0405: 已认证用户的可见“缓存”。Full description

Versions affected

• Django 0.95 (patch)

Issues under Django’s security process

所有其它的安全问题都已经在Django安全处理流程下的版本中解决。下面会列出来：

October 26, 2007 - CVE-2007-5712

CVE-2007-5712: 通过任意大尺寸Accept-Language协议头的拒绝服务攻击。Full description

Versions affected

• Django 0.91 (patch)
• Django 0.95 (patch)
• Django 0.96 (patch)

May 14, 2008 - CVE-2008-2302

CVE-2008-2302: 通过admin登录重定向的XSS。Full description

Versions affected

• Django 0.91 (patch)
• Django 0.95 (patch)
• Django 0.96 (patch)

September 2, 2008 - CVE-2008-3909

CVE-2008-3909: 通过在admin登录状态下保存POST数据的CSRF。Full description

Versions affected

• Django 0.91 (patch)
• Django 0.95 (patch)
• Django 0.96 (patch)

July 28, 2009 - CVE-2009-2659

CVE-2009-2659: 开发服务器的媒体处理器上的拒绝服务攻击。Full description

Versions affected

• Django 0.96 (patch)
• Django 1.0 (patch)

October 9, 2009 - CVE-2009-3965

CVE-2009-3965: 通过执行异常正则表达式的拒绝服务攻击。Full description

Versions affected

• Django 1.0 (patch)
• Django 1.1 (patch)

September 8, 2010 - CVE-2010-3082

CVE-2010-3082: 通过不安全cookie值的XSS。Full description

Versions affected

• Django 1.2 (patch)

December 22, 2010 - CVE-2010-4534

CVE-2010-4534: 管理界面上的信息泄露。Full description

Versions affected

• Django 1.1 (patch)
• Django 1.2 (patch)

December 22, 2010 - CVE-2010-4535

CVE-2010-4535: 密码重置机制上的拒绝服务攻击。Full description

Versions affected

• Django 1.1 (patch)
• Django 1.2 (patch)

February 8, 2011 - CVE-2011-0696

CVE-2011-0696: 通过伪造HTTP协议头的XSS。Full description

Versions affected

• Django 1.1 (patch)
• Django 1.2 (patch)

February 8, 2011 - CVE-2011-0697

CVE-2011-0697: 通过未检查的名称或者上传文件的XSS。Full description

Versions affected

• Django 1.1 (patch)
• Django 1.2 (patch)

February 8, 2011 - CVE-2011-0698

CVE-2011-0698: Windows上通过不正确的目录分隔符处理的目录遍历。Full description

Versions affected

• Django 1.1 (patch)
• Django 1.2 (patch)

September 9, 2011 - CVE-2011-4136

CVE-2011-4136:使用memory-cache-backed会话时的会话操纵。Full description

Versions affected

• Django 1.2 (patch)
• Django 1.3 (patch)

September 9, 2011 - CVE-2011-4137

CVE-2011-4137: 通过URLField.verify_exists的拒绝服务攻击。Full description

Versions affected

• Django 1.2 (patch)
• Django 1.3 (patch)

September 9, 2011 - CVE-2011-4138

CVE-2011-4138: 通过URLField.verify_exists的信息泄露/任何请求发布。Full description

Versions affected

• Django 1.2: (patch)
• Django 1.3: (patch)

September 9, 2011 - CVE-2011-4139

CVE-2011-4139: Host协议头缓存污染。 Full description

Versions affected

• Django 1.2 (patch)
• Django 1.3 (patch)

September 9, 2011 - CVE-2011-4140

CVE-2011-4140:通过Host协议头的潜在CSRF威胁。Full description

Versions affected

这个通知只是一个公告，没有任何补丁发布。

• Django 1.2
• Django 1.3

July 30, 2012 - CVE-2012-3442

CVE-2012-3442: 通过验证重定向模式失败的XSS。Full description

Versions affected

• Django 1.3: (patch)
• Django 1.4: (patch)

July 30, 2012 - CVE-2012-3443

CVE-2012-3443: 通过压缩的图像文件的拒绝服务u攻击。Full description

Versions affected

• Django 1.3: (patch)
• Django 1.4: (patch)

July 30, 2012 - CVE-2012-3444

CVE-2012-3444:通过大尺寸图像文件的拒绝服务攻击。Full description

Versions affected

• Django 1.3 (patch)
• Django 1.4 (patch)

October 17, 2012 - CVE-2012-4520

CVE-2012-4520: Host协议头污染。Full description

Versions affected

• Django 1.3 (patch)
• Django 1.4 (patch)

December 10, 2012 - No CVE 1

对Host协议头处理的额外加固。Full description

Versions affected

• Django 1.3 (patch)
• Django 1.4 (patch)

December 10, 2012 - No CVE 2

对重定向验证的额外加固。Full description

Versions affected

• Django 1.3: (patch)
• Django 1.4: (patch)

February 19, 2013 - No CVE

对Host协议头处理的额外加固。Full description

Versions affected

• Django 1.3 (patch)
• Django 1.4 (patch)

February 19, 2013 - CVE-2013-1664/1665

CVE-2013-1664 and CVE-2013-1665: 对Python XML库的基于实体的攻击。Full description

Versions affected

• Django 1.3 (patch)
• Django 1.4 (patch)

February 19, 2013 - CVE-2013-0305

CVE-2013-0305: 通过admin历史记录的信息泄露。Full description

Versions affected

• Django 1.3 (patch)
• Django 1.4 (patch)

February 19, 2013 - CVE-2013-0306

CVE-2013-0306: 通过表单集max_num 的拒绝服务攻击。Full description

Versions affected

• Django 1.3 (patch)
• Django 1.4 (patch)

August 13, 2013 - Awaiting CVE 1

(CVE not yet issued): 通过admin受信任的URLField值的XSS。Full description

Versions affected

• Django 1.5 (patch)

August 13, 2013 - Awaiting CVE 2

(CVE not yet issued):可能的XSS漏洞，通过未验证的URL重定向模式。Full description

Versions affected

• Django 1.4 (patch)
• Django 1.5 (patch)

September 10, 2013 - CVE-2013-4315

CVE-2013-4315 通过ssi模板标签的目录遍历。Full description

Versions affected

• Django 1.4 (patch)
• Django 1.5 (patch)

September 14, 2013 - CVE-2013-1443

CVE-2013-1443: 通过长密码的拒绝服务攻击。Full description

Versions affected

• Django 1.4 (patch and Python compatibility fix)
• Django 1.5 (patch)

April 21, 2014 - CVE-2014-0472

CVE-2014-0472: 使用reverse()的非预期代码执行。Full description

Versions affected

• Django 1.4 (patch)
• Django 1.5 (patch)
• Django 1.6 (patch)
• Django 1.7 (patch)

April 21, 2014 - CVE-2014-0473

CVE-2014-0473: 匿名页面的缓存可能会泄露CSRF标识。Full description

Versions affected

• Django 1.4 (patch)
• Django 1.5 (patch)
• Django 1.6 (patch)
• Django 1.7 (patch)

April 21, 2014 - CVE-2014-0474

CVE-2014-0474: MySQL类型转换产生非预期的查询结果。Full description

Versions affected

• Django 1.4 (patch)
• Django 1.5 (patch)
• Django 1.6 (patch)
• Django 1.7 (patch)

May 18, 2014 - CVE-2014-1418

CVE-2014-1418: 缓存可能允许存储和处理私人数据。Full description

Versions affected

• Django 1.4 (patch)
• Django 1.5 (patch)
• Django 1.6 (patch)
• Django 1.7 (patch)

May 18, 2014 - CVE-2014-3730

CVE-2014-3730: 来源于用户输入的错误格式URL的不正确验证。Full description

Versions affected

• Django 1.4 (patch)
• Django 1.5 (patch)
• Django 1.6 (patch)
• Django 1.7 (patch)

August 20, 2014 - CVE-2014-0480

CVE-2014-0480: reverse() 可能会生成指向其它域名的URL。Full description

Versions affected

• Django 1.4 (patch)
• Django 1.5 (patch)
• Django 1.6 (patch)
• Django 1.7 (patch)

August 20, 2014 - CVE-2014-0481

CVE-2014-0481: 文件上传的拒绝服务攻击。Full description

Versions affected

• Django 1.4 (patch)
• Django 1.5 (patch)
• Django 1.6 (patch)
• Django 1.7 (patch)

August 20, 2014 - CVE-2014-0482

CVE-2014-0482: RemoteUserMiddleware会话劫持。Full description

Versions affected

• Django 1.4 (patch)
• Django 1.5 (patch)
• Django 1.6 (patch)
• Django 1.7 (patch)

August 20, 2014 - CVE-2014-0483

CVE-2014-0483: admin中查询集操作产生的数据泄露。Full description

Versions affected

• Django 1.4 (patch)
• Django 1.5 (patch)
• Django 1.6 (patch)
• Django 1.7 (patch)

January 13, 2015 - CVE-2015-0219

CVE-2015-0219: 通过下划线或者破折号合并产生的WSGI协议头欺骗。Full description

Versions affected

• Django 1.4 (patch)
• Django 1.6 (patch)
• Django 1.7 (patch)

January 13, 2015 - CVE-2015-0220

CVE-2015-0220:  通过用户提供的重定向URL的可能的XSS攻击。Full description

Versions affected

• Django 1.4 (patch)
• Django 1.6 (patch)
• Django 1.7 (patch)

January 13, 2015 - CVE-2015-0221

CVE-2015-0221: django.views.static.serve()上的拒绝服务攻击。Full description

Versions affected

• Django 1.4 (patch)
• Django 1.6 (patch)
• Django 1.7 (patch)

January 13, 2015 - CVE-2015-0222

CVE-2015-0222: 使用ModelMultipleChoiceField的数据库拒绝服务攻击。Full description

Versions affected

• Django 1.6 (patch)
• Django 1.7 (patch)

译者：Django 文档协作翻译小组，原文：Disclosed security issues in Django。

本文以 CC BY-NC-SA 3.0 协议发布，转载请保留作者署名和文章出处。

Django 文档协作翻译小组人手紧缺，有兴趣的朋友可以加入我们，完全公益性质。交流群：467338606。