ArchLinux: 201808-1: python-django: open redirect
Summary
If the django.middleware.common.CommonMiddleware and the APPEND_SLASH setting are both enabled, and if the project has a URL pattern that accepts any path ending in a slash (many content management systems have such a pattern), then a request to a maliciously crafted URL of that site could lead to a redirect to another site, enabling phishing and other attacks.
Resolution
Upgrade to 2.0.8-1.
# pacman -Syu "python-django>=2.0.8-1"
The problem has been fixed upstream in version 2.0.8.
References
https://www.djangoproject.com/weblog/2018/aug/01/security-releases/ https://github.com/django/django/commit/6fffc3c6d420e44f4029d5643f38d00a39b08525 https://security.archlinux.org/CVE-2018-14574
Workaround
Disable the APPEND_SLASH setting.