Cross-posting this <https://groups.google.com/forum/#!topic/django-rest-framework/gwAHf3MjyPs> for the benefit of any Django REST framework users who aren't on the REST framework mailing list...
The 2.3.14 version of REST framework has just been released to PyPI. Most importantly this includes a serious security fix related to the browsable API, and all users are advised to upgrade as soon as possible.

When generating the login and logout links on the browsable API the request path is included as part of the URL, allowing the application to redirect back to the original URL after performing the login/logout. The request path here was not being escaped, allowing an attacker to create a link that when clicked by the user would run JavaScript in the context of the browsable API.

This exploit appears to work against the latest version of Firefox, but not against the latest versions of Chrome, Safari and Internet Explorer.

In summary:

* Users of the current version of Firefox, and of some older versions of other browsers, may be vulnerable.
* The attack requires the user to follow a link that has been generated by the attacker.
* The vulnerability requires the browsable API to be enabled, and the user to be authenticated in the browser.

Many thanks to the reporter of the issue, Dan Peled (BugSec/CyberSpear).

As always, if you believe you have found a security issue with REST framework, please raise the issue on the private security mailing list: rest-framework-secur...@googlegroups.com
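An added, stand-alone illustration of the bug class described above and of the fix (this is not REST framework's own code; the login path `/api-auth/login/`, the function names and the sample request path are assumed): the request path is a value that lands in two contexts at once, a URL query string and an HTML attribute, so it needs URL-encoding and then HTML-escaping, and the encoded path still round-trips to the same redirect target.

```python
# Added example, not from the post or from REST framework. Shows a login link
# built from the request path without escaping, the hardened form, and two
# defender-side checks (attribute stays intact; redirect target survives).
from html import escape, unescape
from urllib.parse import parse_qs, urlencode, urlparse

LOGIN_URL = "/api-auth/login/"  # assumed path, chosen for the example


def login_link_unsafe(request_path: str) -> str:
    """Mirrors the mistake in the advisory: the raw request path is spliced
    into the href with no URL-encoding and no HTML-escaping."""
    return '<a href="%s?next=%s">Log in</a>' % (LOGIN_URL, request_path)


def login_link_safe(request_path: str) -> str:
    """Hardened form: encode the path as a query-string value first, then
    escape the resulting URL for the attribute context it is placed in."""
    href = "%s?%s" % (LOGIN_URL, urlencode({"next": request_path}))
    return '<a href="%s">Log in</a>' % escape(href, quote=True)


def _href_value(html_fragment: str) -> str:
    # Value of the href attribute as a browser would delimit it: up to the
    # first unescaped double quote after href=".
    return html_fragment.split('href="', 1)[1].split('"', 1)[0]


def attribute_intact(html_fragment: str) -> bool:
    """True when the path could not have terminated the attribute early:
    only the two delimiting quotes exist and no raw '<' is in the value."""
    return html_fragment.count('"') == 2 and "<" not in _href_value(html_fragment)


def redirect_target(html_fragment: str) -> str:
    """What the login view reads back from ?next= after the browser decodes
    the attribute and the query string: the original path, unchanged."""
    href = unescape(_href_value(html_fragment))
    return parse_qs(urlparse(href).query)["next"][0]


if __name__ == "__main__":
    # Constructed request path containing attribute and tag delimiters.
    path = '/api/"><i>x</i>'
    print(login_link_unsafe(path), attribute_intact(login_link_unsafe(path)))
    print(login_link_safe(path), attribute_intact(login_link_safe(path)))
    print(redirect_target(login_link_safe(path)) == path)
```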