September 26, 2016
Django 1.8.15 fixes a security issue in 1.8.14.
An interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies leading to a bypass of CSRF protection.
The parser for request.COOKIES
is simplified to better match the behavior
of browsers and to mitigate this attack. request.COOKIES
may now contain
cookies that are invalid according to RFC 6265 but are possible to set via
document.cookie
.
5月 12, 2023