Update to Django >=2.0.8 (!878) · Merge requests · thalia / concrexit

Thom Wiggers requested to merge django-security-update into master Aug 01, 2018

New Django Security release.

CVE-2018-14574: Open redirect possibility in CommonMiddleware

If the django.middleware.common.CommonMiddleware and the APPEND_SLASH setting are both enabled, and if the project has a URL pattern that accepts any path ending in a slash (many content management systems have such a pattern), then a request to a maliciously crafted URL of that site could lead to a redirect to another site, enabling phishing and other attacks.

Thanks Andreas Hug for reporting this issue.

We're likely affected by this issue.

https://www.djangoproject.com/weblog/2018/aug/01/security-releases/

Update to Django >=2.0.8

Merge request reports