Security release issued

Today the Django team is issuing a new release -- Django 1.2.2 -- to remedy a security issue reported to us. This issue was disclosed independently by two different parties, and all users of Django 1.2 are urged to upgrade immediately.

Description of issue

As of the 1.2 release, the core Django framework includes a system, enabled by default, for detecting and preventing cross-site request forgery (CSRF) attacks against Django-powered applications. Previous Django releases provided a different, optionally-enabled system for the same purpose.

The Django 1.2 CSRF protection system involves the generation of a random token, inserted as a hidden field in outgoing forms. The same value is also set in a cookie, and the cookie value and form value are compared on submission.

The provided template tag for inserting the CSRF token into forms -- {% csrf_token %} -- explicitly trusts the cookie value, and displays it as-is. Thus, an attacker who is able to tamper with the value of the CSRF cookie can cause arbitrary content to be inserted, unescaped, into the outgoing HTML of the form, enabling cross-site scripting (XSS) attacks.

This issue was first reported via a public ticket in Django's Trac instance; while being triaged it was then independently reported, with broader description, by Jeff Balogh of Mozilla.

Affected versions

Django development trunk

Django 1.2

Because the current CSRF-protection system is new as of Django 1.2, older releases are unaffected.

Resolution

Patches have been applied to Django trunk and to the 1.2 release branch to ensure the cookie value is never trusted and is always escaped. Future Django releases may migrate away from the use of a dedicated cookie to avoid the possibility of such issues.

Patches may be obtained directly from the appropriate changesets:

The following release has been issued:

Django 1.2.2 (download | checksums)

General notes regarding security

As always, we ask that potential security issues be reported via private email to security@djangoproject.com , and not via Django's Trac instance or the django-developers list.