Bugzilla – Bug 844312
VUL-0: CVE-2013-6044: python-django: xss in is_safe_url function
Last modified: 2013-11-28 12:49:47 UTC
The is_safe_url function in utils/http.py in Django 1.4.x before 1.4.6, 1.5.x
before 1.5.2, and 1.6 before beta 2 treats a URL's scheme as safe even if it is
not HTTP or HTTPS, which might introduce cross-site scripting (XSS) or other
vulnerabilities into Django applications that use this function, as demonstrated
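To make the scheme problem concrete, here is an added example that is not part of this bug report and not Django's own code: a pared-down Python 3 reimplementation modelled on the behaviour of is_safe_url before and after the fix, run over constructed sample values of a login view's next parameter. The function names, the redirect_target helper, the host example.com and the sample URLs are all assumptions made for illustration.

```python
from urllib.parse import urlparse

# Constructed sample values for a "next" parameter, as a login view might
# receive them. Not taken from the bug report; assumed for illustration.
SAMPLE_NEXT_VALUES = [
    "/accounts/profile/",                         # relative path, always fine
    "https://example.com/dashboard/",             # same host
    "https://evil.example.net/phish",             # different host
    "javascript:alert(document.cookie)",          # non-HTTP scheme, empty netloc
    "data:text/html,<script>alert(1)</script>",   # non-HTTP scheme, empty netloc
    "JavaScript:alert(1)",                        # urlparse lowercases the scheme
    "",                                           # empty, always rejected
]


def is_safe_url_before_fix(url, host=None):
    """Modelled on the behaviour before 1.4.6 / 1.5.2 (assumption, not the
    exact Django source): only the netloc is compared against the expected
    host. 'javascript:' and 'data:' URLs carry no netloc, so they pass."""
    if not url:
        return False
    netloc = urlparse(url).netloc
    return not netloc or netloc == host


def is_safe_url_fixed(url, host=None):
    """Modelled on the fix: the netloc check stays, and the scheme must be
    absent (a relative URL) or one of http / https."""
    if not url:
        return False
    info = urlparse(url)
    host_ok = not info.netloc or info.netloc == host
    scheme_ok = not info.scheme or info.scheme in ("http", "https")
    return host_ok and scheme_ok


def redirect_target(next_param, host, fallback="/"):
    """Hypothetical helper: use the user-supplied target only if it passes
    the fixed check, otherwise fall back to a known-safe path."""
    return next_param if is_safe_url_fixed(next_param, host) else fallback


def compare(values=SAMPLE_NEXT_VALUES, host="example.com"):
    """Return {url: (accepted_by_old_check, accepted_by_fixed_check)}."""
    return {u: (is_safe_url_before_fix(u, host), is_safe_url_fixed(u, host))
            for u in values}


if __name__ == "__main__":
    for url, (old, new) in compare().items():
        print(f"{url!r:48} old={old!s:5} fixed={new}")
```

The old check accepts both the javascript: and the data: value because neither has a netloc to disagree with the host; the fixed check rejects them on scheme alone. The harm only materialises where the application then embeds the "validated" value, for instance as an href in a "continue" link or a redirect target, which is why the description speaks of XSS "or other vulnerabilities". The scheme whitelist is the one point this CVE fixes; the example deliberately does nothing beyond it.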
bugbot adjusting priority
Sascha: here are the latest security issues we have.
AFAICT, we have 1.4.8 in the update channel, so we should be safe?
Yes. For Cloud-3 we submitted 1.5.4, which is ok too.