The Django team today released Django 1.3.4 and 1.4.2, two security releases that fix serious security vulnerabilities present in earlier versions. All Django users are advised to upgrade immediately.
1. Host header parsing vulnerability
Host header parsing in Django 1.3 and 1.4, specifically django.http.HttpRequest.get_host(), mishandled username/password information embedded in the header. A crafted Host header can therefore cause parts of Django, in particular the password-reset mechanism, to generate and display arbitrary URLs to users.
The new releases change the parsing in HttpRequest.get_host(): a Host header that contains potentially dangerous content (such as a username/password pair) now raises an exception instead of being returned as a string. Application code that calls get_host(), directly or through helpers that build absolute URLs from it, should expect that exception on such requests rather than silently using the value.
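As an added illustration (not Django's own code and not part of the original article), the following Python re-implements the host-selection step of a WSGI application in both the pre-fix and post-fix shapes and then builds the kind of absolute link a password-reset email carries. The sample request dictionaries, the domain names and the allow-pattern HOST_RE are assumptions constructed for the demo. The general point it shows: a parser that passes a user:password@ prefix through produces a link whose real destination is the attacker's host, while a parser that only accepts host[:port] refuses the request.

```python
import re
from urllib.parse import urlsplit


class SuspiciousHostHeader(Exception):
    """Raised when the Host header carries content we refuse to trust."""


# Assumed allow-pattern for this demo (not Django's own regex): a bracketed
# IPv6 literal or a DNS-style name / IPv4 address, then an optional ':port'.
# The ':' and '@' of a 'user:password@' prefix cannot match, so such a header
# is rejected instead of being passed through into generated URLs.
HOST_RE = re.compile(
    r"^(\[[0-9a-fA-F:.]+\]|[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)(:\d{1,5})?$"
)


def raw_host(environ):
    """Host selection before any validation: use the Host header if the
    client sent one, otherwise the server's own name plus a non-default port."""
    if "HTTP_HOST" in environ:
        return environ["HTTP_HOST"]
    host = environ["SERVER_NAME"]
    port = environ.get("SERVER_PORT", "80")
    default_port = "443" if environ.get("wsgi.url_scheme") == "https" else "80"
    if port != default_port:
        host = f"{host}:{port}"
    return host


def naive_get_host(environ):
    """Pre-fix shape: whatever the header says is used verbatim."""
    return raw_host(environ)


def safe_get_host(environ):
    """Post-fix shape: anything that is not plain host[:port] raises."""
    host = raw_host(environ)
    if not HOST_RE.match(host):
        raise SuspiciousHostHeader(f"refusing Host header {host!r}")
    return host


def rejects(environ):
    """True if the hardened parser refuses this request's Host header."""
    try:
        safe_get_host(environ)
    except SuspiciousHostHeader:
        return True
    return False


def password_reset_url(environ, token, get_host=safe_get_host):
    """The absolute link a password-reset email would carry."""
    scheme = environ.get("wsgi.url_scheme", "http")
    return f"{scheme}://{get_host(environ)}/reset/{token}/"


def link_target(url):
    """The host a browser or mail client would actually contact for a URL."""
    return urlsplit(url).hostname


# Constructed sample requests for the demo, not captured traffic.
BENIGN = {"HTTP_HOST": "validsite.com", "wsgi.url_scheme": "https"}
POISONED = {"HTTP_HOST": "validsite.com:random@evilsite.com",
            "wsgi.url_scheme": "https"}


if __name__ == "__main__":
    bad = password_reset_url(POISONED, "abc123", get_host=naive_get_host)
    print("naive parser emits", bad, "which points at", link_target(bad))
    try:
        password_reset_url(POISONED, "abc123")
    except SuspiciousHostHeader as exc:
        print("hardened parser:", exc)
    print("benign request:", password_reset_url(BENIGN, "abc123"))
```

The interesting line is link_target(): the URL the naive parser emits still begins with the legitimate site name, which is what a victim reading the email sees, yet the part after the @ is what the browser connects to.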
2. HttpOnly cookie documentation issue
In Django 1.4 the session cookie is sent with the HttpOnly flag, which denies client-side scripts access to the session cookie and so mitigates some XSS attacks.
Although this does not itself cause a security problem, it was reported that the Django 1.4 documentation described this incorrectly, claiming that all cookies set through HttpResponse.set_cookie() now default to HttpOnly. The documentation has been updated to state that this applies only to the session cookie; any other cookie set with set_cookie() carries the flag only if the application requests it explicitly.
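To make the distinction concrete, here is an added Python example (not Django's code and not from the original article) that builds Set-Cookie values the way the corrected documentation describes, with HttpOnly applied to the session cookie by default and to other cookies only on request, plus a small audit helper that lists which cookies in a set of response headers lack the flag. The cookie names and values, the SESSION_COOKIE_NAME and SESSION_COOKIE_HTTPONLY constants and the set_cookie() signature are assumptions for the demo.

```python
from http.cookies import SimpleCookie

# Assumed names/settings for the demo: the session cookie gets HttpOnly
# by default, every other cookie only when the caller asks for it.
SESSION_COOKIE_NAME = "sessionid"
SESSION_COOKIE_HTTPONLY = True


def set_cookie(name, value, path="/", secure=False, httponly=False):
    """Build one Set-Cookie header value. Illustrative re-implementation of
    a generic set_cookie(), not Django's HttpResponse.set_cookie():
    HttpOnly is emitted only when explicitly requested."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = path
    if secure:
        jar[name]["secure"] = True
    if httponly:
        jar[name]["httponly"] = True
    return jar[name].OutputString()


def set_session_cookie(value, **kwargs):
    """The session-cookie path: HttpOnly follows the session setting."""
    kwargs.setdefault("httponly", SESSION_COOKIE_HTTPONLY)
    return set_cookie(SESSION_COOKIE_NAME, value, **kwargs)


def cookie_attributes(set_cookie_value):
    """Split one Set-Cookie value into (cookie name, lower-cased attribute names)."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def cookies_without_httponly(set_cookie_values):
    """Audit helper: names of cookies in a response that lack HttpOnly, in
    the order the headers appear. Run it over the Set-Cookie headers of a
    real response to see which cookies client-side scripts can still read."""
    return [name for name, attrs in map(cookie_attributes, set_cookie_values)
            if "httponly" not in attrs]


if __name__ == "__main__":
    # Constructed response headers for the demo, not a captured response.
    response_headers = [
        set_session_cookie("c3f1a9e2"),
        set_cookie("lang", "en"),
        set_cookie("theme", "dark", httponly=True),
    ]
    for header in response_headers:
        print("Set-Cookie:", header)
    print("missing HttpOnly:", cookies_without_httponly(response_headers))
```

The audit helper is the practical takeaway: rather than reading the documentation to learn which cookies are protected, inspect the Set-Cookie headers your application actually emits.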
Affected versions
All releases on the Django 1.3 branch (Host header parsing vulnerability only)
All releases on the Django 1.4 branch
Django's main development branch
Details: https://www.djangoproject.com/weblog/2012/oct/17/security/
Downloads:
https://www.djangoproject.com/download/1.4.2/tarball/
https://www.djangoproject.com/download/1.3.4/tarball/
Source: OSChina (开源中国社区)

