[ANNOUNCE] Security releases (Django 1.3.5, Django 1.4.3, Django 1.5 beta 2)


James Bennett

Dec 10, 2012, 5:38:50 PM
to django-...@googlegroups.com, django...@googlegroups.com, django-d...@googlegroups.com
Django 1.3.5, Django 1.4.3 and Django 1.5 beta 2 have just been issued
in response to security issues.

Details are available here:

https://www.djangoproject.com/weblog/2012/dec/10/security/

Yo-Yo Ma

Dec 11, 2012, 12:09:45 AM
to django-d...@googlegroups.com
There aren't yet Git tags for the releases.

Jacob Kaplan-Moss

Dec 11, 2012, 12:30:35 AM
to django-developers
Yeah, we know -- we usually wait a bit (24 hours, give or take) before we tag them. Thanks for the spot.

Jacob


On Mon, Dec 10, 2012 at 11:09 PM, Yo-Yo Ma <baxters...@gmail.com> wrote:
> There aren't yet Git tags for the releases.


Tom Evans

Dec 11, 2012, 5:31:17 AM
to django-d...@googlegroups.com
Is the second part of the fix in any way optional? For instance, one
of my sites is a SAML/SSO identity provider - people log into it in
order to be granted access to other sites in the federation, and it is
routine for the "next" parameter during authentication to refer to any
site in the federation, not just the local domain.

Cheers

Tom

Florian Apolloner

Dec 11, 2012, 6:25:10 AM
to django-d...@googlegroups.com, teva...@googlemail.com
Hi,


On Tuesday, December 11, 2012 11:31:17 AM UTC+1, Tom Evans wrote:
> Is the second part of the fix in any way optional?

Nope, there is no way to disable that behavior currently.

Cheers,
Florian

Yo-Yo Ma

Dec 12, 2012, 12:22:54 AM
to django-d...@googlegroups.com
Tom,

Create a view that accepts a "uri" argument and returns a 302 to the provided URI. Then, update your redirect_to callable to urlencode the URI and send them to /your/redirect/view/?uri=[encoded URI] and problem solved.
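
Added example, not part of the thread and not Django's own code: a target check for the federation case Tom describes, so that a redirect view of the kind suggested above honours only local paths and HTTPS URLs on an allowlist of federation hosts instead of any supplied URI. The helper name `resolve_redirect`, the hostnames and the HTTPS-on-443 rule are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: placeholder hostnames, not taken from the thread.
FEDERATION_HOSTS = frozenset({"idp.example.org", "wiki.example.org"})


def resolve_redirect(uri, allowed_hosts=FEDERATION_HOSTS, fallback="/"):
    """Return uri if it is a local path or an HTTPS URL on an allowlisted
    host; otherwise return fallback. (Hypothetical helper name.)"""
    if not uri or uri != uri.strip():
        return fallback
    # Backslashes and control characters are normalised differently by
    # browsers and URL parsers, so refuse them outright.
    if "\\" in uri or any(ord(c) < 0x20 or ord(c) == 0x7F for c in uri):
        return fallback
    try:
        parts = urlsplit(uri)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return fallback
    if not parts.scheme and not parts.netloc:
        # Local target: a rooted path, but not "//host" or "///host",
        # which browsers resolve as another origin.
        if uri.startswith("/") and not uri.startswith("//"):
            return uri
        return fallback
    # Assumption: every federation site is served over HTTPS on port 443.
    if parts.scheme != "https" or port not in (None, 443):
        return fallback
    # "https://idp.example.org@other.example/" names other.example as host.
    if "@" in parts.netloc:
        return fallback
    if (parts.hostname or "").lower() not in allowed_hosts:
        return fallback
    return uri


if __name__ == "__main__":
    for candidate in (  # constructed sample inputs
        "/accounts/profile/",
        "https://wiki.example.org/start?page=1",
        "https://wiki.example.org.attacker.example/",
        "//attacker.example/login",
    ):
        print(candidate, "->", resolve_redirect(candidate))
```

In a Django view the returned value would be what is passed to `HttpResponseRedirect`.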
