Django 1.9.11 release notes
Django 1.9.11 fixes two security issues in 1.9.10.
User with hardcoded password created when running tests on Oracle
When running tests against an Oracle database, Django creates a temporary database user. In older versions, if a password isn't manually specified in the TEST dictionary of the database settings, a hardcoded password is used. This could allow an attacker with network access to the database server to connect.
This user is usually dropped after the test suite completes, but not when using the manage.py test --keepdb option or if the user has an active session (such as an attacker's connection).
A randomly generated password is now used for each test run.
DNS rebinding vulnerability when DEBUG=True
Older versions of Django don't validate the Host header against settings.ALLOWED_HOSTS when settings.DEBUG=True. This makes them vulnerable to a DNS rebinding attack: an attacker-controlled name that resolves to the address of a development server (typically 127.0.0.1) can be used to send requests to that server from a victim's browser, and the server will answer them because the Host header is never checked.
The Host header is now validated regardless of DEBUG. For convenience, if ALLOWED_HOSTS is empty and DEBUG=True, the following variations of localhost are allowed: localhost, 127.0.0.1 and ::1. If your local settings file has your production ALLOWED_HOSTS value, you must now omit it to get those fallback values, because a non-empty ALLOWED_HOSTS disables the fallback and requests to localhost will then be rejected.
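The following is an added example, not Django's code and not part of the release note. It re-implements the Host-header decision the note describes in a stand-alone form so the before/after behaviour can be compared: the hostname regex and the pattern rules (exact match, "*", or a leading-dot suffix such as ".example.com" that also matches subdomains) mirror what Django's validate_host does, but everything here is written for this example. The hostname rebind.attacker.example and the settings values are constructed sample inputs.

```python
import re

# Fallback used when ALLOWED_HOSTS is empty and DEBUG=True (the three localhost variants
# named in the release note; IPv6 is written in bracketed Host-header form here).
LOCALHOST_FALLBACK = ["localhost", "127.0.0.1", "[::1]"]

# Accepts "host", "host:port", "[ipv6]" or "[ipv6]:port"; anything else is rejected outright.
HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])(:\d+)?$")


def split_domain_port(host_header):
    """Return (domain, port) for a Host header value, or ("", "") if it is malformed.
    The domain is lowercased and a trailing dot is stripped; bracketed IPv6 is kept intact."""
    m = HOST_RE.match(host_header.lower())
    if not m:
        return "", ""
    domain, port = m.group(1), (m.group(2) or "")[1:]
    if not domain.startswith("[") and domain.endswith("."):
        domain = domain[:-1]
    return domain, port


def matches_pattern(domain, pattern):
    """'*' matches everything; '.suffix' matches suffix and any subdomain; otherwise exact match."""
    if pattern == "*":
        return True
    pattern = pattern.lower()
    if pattern.startswith("."):
        return domain == pattern[1:] or domain.endswith(pattern)
    return domain == pattern


def host_is_allowed(host_header, allowed_hosts, debug, validate_in_debug=True):
    """Decide whether a request carrying this Host header may be served.

    validate_in_debug=False reproduces the pre-1.9.11 behaviour: with DEBUG=True the
    ALLOWED_HOSTS check is skipped entirely.
    validate_in_debug=True reproduces the fixed behaviour: the check always runs, and an
    empty ALLOWED_HOSTS under DEBUG=True falls back to the localhost variants only.
    """
    domain, _port = split_domain_port(host_header)
    if not domain:
        return False  # malformed Host header is rejected in both old and new behaviour
    if debug and not validate_in_debug:
        return True  # vulnerable: any Host is accepted under DEBUG=True
    if debug and not allowed_hosts:
        allowed_hosts = LOCALHOST_FALLBACK
    return any(matches_pattern(domain, p) for p in allowed_hosts)


def rebinding_demo():
    """Constructed scenario: rebind.attacker.example has been re-pointed at 127.0.0.1, so the
    victim's browser sends it as the Host header to a dev server with DEBUG=True and an
    empty ALLOWED_HOSTS. Returns (old_verdict, new_verdict, new_verdict_for_genuine_local)."""
    attacker = "rebind.attacker.example:8000"
    before = host_is_allowed(attacker, [], debug=True, validate_in_debug=False)
    after = host_is_allowed(attacker, [], debug=True, validate_in_debug=True)
    local = host_is_allowed("127.0.0.1:8000", [], debug=True, validate_in_debug=True)
    return before, after, local


if __name__ == "__main__":
    print("rebound name accepted before fix, after fix, genuine 127.0.0.1 after fix:",
          rebinding_demo())
    # The last sentence of the note: a production ALLOWED_HOSTS left in local settings
    # disables the localhost fallback, so a plain local request is now refused.
    print("localhost with production ALLOWED_HOSTS:",
          host_is_allowed("localhost:8000", [".example.com"], debug=True))
```

The check is purely a comparison of the presented Host header against the configured list; it does not stop DNS rebinding itself, it only makes the rebound name fail to match, which is why the fallback list must be exact hostnames rather than "*".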