Description: Caches may be allowed to store and serve private data (CVE-2014-1418)
 In certain situations, Django may allow caches to store private data
 related to a particular session and then serve that data to requests
 with a different session, or no session at all. This can both lead to
 information disclosure, and can be a vector for cache poisoning.

 When using Django sessions, Django will set a Vary: Cookie header to
 ensure caches do not serve cached data to requests from other sessions.
 However, older versions of Internet Explorer (most likely only Internet
 Explorer 6, and Internet Explorer 7 if run on Windows XP or Windows
 Server 2003) are unable to handle the Vary header in combination with
 many content types. Therefore, Django would remove the header if the
 request was made by Internet Explorer.

 To remedy this, the special behavior for these older Internet
 Explorer versions has been removed, and the Vary header is no longer
 stripped from the response. In addition, modifications to the Cache-
 Control header for all Internet Explorer requests with a Content-
 Disposition header, have also been removed as they were found to have
 similar issues.
Origin: backport, https://github.com/django/django/commit/28e23306aa53bbbb8fb87db85f99d970b051026c
Author: Salvatore Bonaccorso <carnil@debian.org>
Last-Update: 2014-05-18

---
---
 django/core/handlers/base.py |    2 -
 django/http/utils.py         |   50 -------------------------------------------
 2 files changed, 52 deletions(-)

--- a/django/core/handlers/base.py
+++ b/django/core/handlers/base.py
@@ -10,8 +10,6 @@ class BaseHandler(object):
     response_fixes = [
         http.fix_location_header,
         http.conditional_content_removal,
-        http.fix_IE_for_attach,
-        http.fix_IE_for_vary,
     ]
 
     def __init__(self):
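Review bot: Dropping both entries from `response_fixes` is the whole behavioural change for the handler, so the hunk is only correct together with the deletion of `fix_IE_for_attach` and `fix_IE_for_vary` in `django/http/utils.py`; the diffstat (2 deletions here, 50 there) confirms both sides are present in this backport. Worth stating in the changelog that `response_fixes` is a public class attribute and that any downstream subclass or project still listing `http.fix_IE_for_vary` or `http.fix_IE_for_attach` in its own `response_fixes` will now fail with an `AttributeError` at import, since the functions no longer exist on the module.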
--- a/django/http/utils.py
+++ b/django/http/utils.py
@@ -32,53 +32,3 @@ def conditional_content_removal(request,
         response.content = ''
     return response
 
-def fix_IE_for_attach(request, response):
-    """
-    This function will prevent Django from serving a Content-Disposition header
-    while expecting the browser to cache it (only when the browser is IE). This
-    leads to IE not allowing the client to download.
-    """
-    if 'MSIE' not in request.META.get('HTTP_USER_AGENT', '').upper():
-        return response
-
-    offending_headers = ('no-cache', 'no-store')
-    if response.has_header('Content-Disposition'):
-        try:
-            del response['Pragma']
-        except KeyError:
-            pass
-        if response.has_header('Cache-Control'):
-            cache_control_values = [value.strip() for value in
-                    response['Cache-Control'].split(',')
-                    if value.strip().lower() not in offending_headers]
-
-            if not len(cache_control_values):
-                del response['Cache-Control']
-            else:
-                response['Cache-Control'] = ', '.join(cache_control_values)
-
-    return response
-
-def fix_IE_for_vary(request, response):
-    """
-    This function will fix the bug reported at
-    http://support.microsoft.com/kb/824847/en-us?spid=8722&sid=global
-    by clearing the Vary header whenever the mime-type is not safe
-    enough for Internet Explorer to handle.  Poor thing.
-    """
-    if 'MSIE' not in request.META.get('HTTP_USER_AGENT', '').upper():
-        return response
-
-    # These mime-types that are decreed "Vary-safe" for IE:
-    safe_mime_types = ('text/html', 'text/plain', 'text/sgml')
-
-    # The first part of the Content-Type field will be the MIME type,
-    # everything after ';', such as character-set, can be ignored.
-    if response['Content-Type'].split(';')[0] not in safe_mime_types:
-        try:
-            del response['Vary']
-        except KeyError:
-            pass
-
-    return response
-
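Review bot: Deleting both functions outright is the right fix rather than narrowing them, because each one weakens cache safety on the basis of a client-supplied value: the `'MSIE' in HTTP_USER_AGENT` substring check means any client can present itself as Internet Explorer, and the removed code then stripped `Vary` (for every Content-Type outside `text/html`, `text/plain`, `text/sgml`, with no regard to whether the response was session-dependent) or removed `Pragma` and the `no-cache`/`no-store` tokens from `Cache-Control` on any response carrying `Content-Disposition`. With `Vary: Cookie` gone, a shared cache keys the response without the session cookie, which is exactly the cross-session disclosure the description calls out. Two follow-ups for the changelog: `django.http.utils` no longer exports these two names, so callers importing them directly need the same note as the handler hunk, and administrators should expire any intermediary cache populated under the old behaviour, since the patch stops new stripping but does not invalidate entries already stored without a cookie-varied key.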
