Django has a 0-day security vulnerability. It’s time to upgrade:
Security updates released
Today the Django project is issuing a set of releases to remedy a security issue. This issue was disclosed publicly by a third party on a high-traffic mailing list, and attempts have been made to exploit it against live Django installations; as such, we are bypassing our normal policy for security disclosure and immediately issuing patches and updated releases.
Description of vulnerability
Django’s forms library included field types which perform regular-expression-based validation of email addresses and URLs. Certain addresses/URLs could trigger a pathological performance case in this regular expression, resulting in the server process/thread becoming unresponsive, and consuming excessive CPU over an extended period of time. If deliberately triggered, this could result in an effective denial-of-service attack.
Any Django application making use of EmailField or URLField in the following versions is vulnerable:
- Django development trunk
- Django 1.1
- Django 1.0
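The class of bug in the announcement is catastrophic regex backtracking, and the two standard defences are to cap input length before any pattern runs and to avoid nested quantifiers in the pattern itself. The validator below is an added example written for this post, not Django's code and not its patch; the patterns, limits and function names are my own choices.

```python
import re
import time

# Hardened email check (constructed example, not Django's EmailField).
#   1. A hard length cap is enforced before any regex runs, so the cost of a
#      rejected input is bounded by a constant rather than by its length.
#   2. No pattern contains a quantifier nested inside another quantifier:
#      each label is matched by a single linear run, so a failed match
#      cannot backtrack exponentially.
MAX_EMAIL_LEN = 254   # practical mailbox limit from RFC 5321

LOCAL_RE = re.compile(r"^[A-Z0-9!#$%&'*+/=?^_`{|}~.-]+$", re.IGNORECASE)
LABEL_RE = re.compile(r"^[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?$", re.IGNORECASE)
TLD_RE = re.compile(r"^[A-Z]{2,6}$", re.IGNORECASE)


def is_valid_email(value):
    """Return True for a syntactically plausible address, else False.
    Every step is linear in len(value) and only runs after the length cap."""
    if not isinstance(value, str) or len(value) > MAX_EMAIL_LEN:
        return False
    local, sep, domain = value.rpartition("@")
    if not sep or not local or not domain:
        return False
    if not LOCAL_RE.match(local):
        return False
    if local.startswith(".") or local.endswith(".") or ".." in local:
        return False
    labels = domain.split(".")
    if len(labels) < 2 or not TLD_RE.match(labels[-1]):
        return False
    return all(LABEL_RE.match(label) for label in labels[:-1])


def validate_timed(value):
    """Return (result, elapsed_seconds). Useful as a regression check that a
    validator stays fast on long, deliberately non-matching input."""
    start = time.perf_counter()
    result = is_valid_email(value)
    return result, time.perf_counter() - start
```

This is a syntax check only; it does not replace a form field, and a stricter policy (for example rejecting quoted local parts) belongs in the caller.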
Django 1.0 Template Development, published by Packt, is a book that focuses on the templates portions of Django. Django is a popular Python web framework. Django models are easy to build but I always found the templates rather hard to understand.
Chapters 1, 2 and 3 give an overview of how Django views work together. If you’re a developer, you shouldn’t skip them. I found myself understanding the Django MVC architecture better. (I come from a CakePHP background.) The author (Scott Newman) also did a good job introducing custom filters in Chapter 7. It’s something I hadn’t explored until I read the book. There is also a chapter dedicated to pagination, also a must read.
The book is 272 pages, not too long. If you’re looking to improve your understanding of templates, this could be a good companion. I should also stress that the book is well organized. You can skip through the chapters and go straight to what you need without missing much.
A company, Vyper Logix Corp, has released Django 2.0 without the blessings of the Django Software Foundation. According to James Bennett, the software is built on the Django 0.96.2 codebase which includes a critical bug.
Who would have thought open-source projects could be ripped off that blatantly. Django is a registered trademark of the Django Software Foundation, so perhaps a warning could be issued. There’s really no point wasting time and resources pursuing this incident.
The man behind Django 2.0 is Ray Horn, whose public LinkedIn profile can be viewed here. He owns a patent, a Python blog where he blogs as “Guido Python” and wrote some dubious Python software. (Guido van Rossum, by the way, is Python’s Benevolent Dictator For Life.)
In the LinkedIn profile, he claims to be:
- Supporting around over 2 million lines of Python code.
It appears this is not the first time he has done something like this. He has been criticized for taking BlogCFC, rebranding it and releasing it for profit.
I am unsure if he did anything wrong here. He probably didn’t, as the license might have allowed him to alter the software for commercial purposes so long as it is attributed back to the author. (I am not an expert in software licenses.) But what he did here violates common-sense software ethics because there were no significant changes from the open-source version. It just got me thinking about how to stop such activities. At the end of the day, it’s up to buyers to decide if they are willing to trust the Ray Horn brand or not.
The Django Book is now going into its second edition. It’s in the writing process and not much has been written yet.
The Django Book is one of the more interesting initiatives where the public can contribute comments on the contents of the book before it is published. It’s a great way to discover errata and fix sections which are ambiguous. Books are usually written by experts, and there are times they don’t see the difficulty the same way the readers do. Ultimately, The Django Book is aimed at beginners.
As of now, 3 chapters are written.
- @skeevs Django is cool!
Oh, something to play with for next week. It’s moving closer to 1.0 already. 1.0 should be out in September. (Source: DjangoProject)