Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11]) by www.NetBSD.org (Postfix) with ESMTP id 1A18763BC7C for ; Thu, 9 Sep 2010 13:34:07 +0000 (UTC)
Received: by mail.netbsd.org (Postfix, from userid 0) id B8D6463B102; Thu, 9 Sep 2010 13:34:06 +0000 (UTC)
Received: from cvs.netbsd.org (cvs.NetBSD.org [IPv6:2001:4f8:3:7:2e0:81ff:fe30:95bd]) by mail.netbsd.org (Postfix) with ESMTP id 5E11963B100 for ; Thu, 9 Sep 2010 13:34:05 +0000 (UTC)
Received: by cvs.netbsd.org (Postfix, from userid 500) id 47E58175DD; Thu, 9 Sep 2010 13:34:05 +0000 (UTC)
MIME-Version: 1.0
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
Date: Thu, 9 Sep 2010 13:34:05 +0000
From: Adam Ciarcinski
Subject: CVS commit: pkgsrc/www/py-django
To: pkgsrc-changes@NetBSD.org
Reply-To: adam@netbsd.org
X-Mailer: log_accum
Message-Id: <20100909133405.47E58175DD@cvs.netbsd.org>
Sender: pkgsrc-changes-owner@NetBSD.org
List-Id: pkgsrc-changes.NetBSD.org
Precedence: list

Module Name:	pkgsrc
Committed By:	adam
Date:		Thu Sep 9 13:34:05 UTC 2010

Modified Files:
	pkgsrc/www/py-django: Makefile PLIST distinfo

Log Message:
Changes 1.2.2:
As of the 1.2 release, the core Django framework includes a system, enabled by default, for detecting and preventing cross-site request forgery (CSRF) attacks against Django-powered applications. Previous Django releases provided a different, optionally-enabled system for the same purpose.

The Django 1.2 CSRF protection system involves the generation of a random token, inserted as a hidden field in outgoing forms. The same value is also set in a cookie, and the cookie value and form value are compared on submission. The provided template tag for inserting the CSRF token into forms -- {% csrf_token %} -- explicitly trusts the cookie value, and displays it as-is.
Thus, an attacker who is able to tamper with the value of the CSRF cookie can cause arbitrary content to be inserted, unescaped, into the outgoing HTML of the form, enabling cross-site scripting (XSS) attacks.

This issue was first reported via a public ticket in Django's Trac instance; while being triaged it was then independently reported, with broader description, by Jeff Balogh of Mozilla.


To generate a diff of this commit:
cvs rdiff -u -r1.25 -r1.26 pkgsrc/www/py-django/Makefile
cvs rdiff -u -r1.16 -r1.17 pkgsrc/www/py-django/PLIST
cvs rdiff -u -r1.13 -r1.14 pkgsrc/www/py-django/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
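The defect the log message describes, as an added illustration that is not code from Django, the pkgsrc package or this commit: a minimal model of the hidden-field rendering, once trusting the cookie value as-is and once validating it against the expected token shape before escaping it. The 32-alphanumeric-character token rule, the `sanitize_token` helper and the constructed cookie value are assumptions of the example, not Django's own implementation.

```python
import html
import re
import secrets

# Assumed validation rule for this illustration: a well-formed CSRF token
# is exactly 32 alphanumeric characters. Anything else is not a token.
TOKEN_RE = re.compile(r"^[A-Za-z0-9]{32}$")

# Constructed sample: a cookie value that is not a well-formed token and
# carries markup instead.
TAMPERED_COOKIE = "x'><script>alert(1)</script>"

FIELD = "<input type='hidden' name='csrfmiddlewaretoken' value='%s' />"


def render_csrf_field_trusting(cookie_value):
    """Models the behaviour described above: the cookie value is trusted
    and emitted verbatim into the form markup, so any markup it carries
    lands in the page unescaped."""
    return FIELD % cookie_value


def sanitize_token(cookie_value):
    """Accept the cookie value only if it is a well-formed token; otherwise
    issue a fresh one so a tampered cookie never reaches the template."""
    if isinstance(cookie_value, str) and TOKEN_RE.match(cookie_value):
        return cookie_value
    return secrets.token_hex(16)  # 32 hex characters, satisfies TOKEN_RE


def render_csrf_field_hardened(cookie_value):
    """Validate first, then HTML-escape the value as defence in depth, so
    the output attribute can only ever contain a token."""
    token = sanitize_token(cookie_value)
    return FIELD % html.escape(token, quote=True)


if __name__ == "__main__":
    print("trusting:", render_csrf_field_trusting(TAMPERED_COOKIE))
    print("hardened:", render_csrf_field_hardened(TAMPERED_COOKIE))
```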