
Django security releases issued: 3.0.1, 2.2.9, and 1.11.27 - KyeRussell
https://www.djangoproject.com/weblog/2019/dec/18/security-releases/
======
samwillis
This is the same as the unicode email collision that was found in GitHub the
other day:

[https://news.ycombinator.com/item?id=21809390](https://news.ycombinator.com/item?id=21809390)

[https://eng.getwisdom.io/hacking-github-with-unicode-dotless...](https://eng.getwisdom.io/hacking-github-with-unicode-dotless-i/)

It makes you wonder how widespread this vulnerability could be with two
independent implementations found so far. I’m guessing this was found when
someone audited the Django email comparison code after reading about the
GitHub one.

Everyone who maintains a password reset form should be auditing for the same
issue ASAP.
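
As an added illustration of the audit recommended above (example code written for this thread, not code from the Django project or from the commenter): a minimal emulation of a password-reset lookup showing the vulnerable pattern (reset link sent to the address the requester typed) beside the corrected pattern modelled on the Django 3.0.1 fix (NFKC-normalize-and-casefold comparison in Python, link sent only to the stored address). The user table and the database collation emulation are constructed assumptions.

```python
import unicodedata

# Constructed sample user table: stored (canonical) email -> account name.
USERS = {
    "mike@example.com": "mike",
    "kim@example.com": "kim",
}


def db_iexact(submitted):
    """Emulate a permissive case-insensitive database lookup (iexact).

    Assumption: the collation treats two strings as equal when either their
    upper-cased or their lower-cased forms agree. That is how U+0131 (dotless i)
    and U+212A (Kelvin sign) collide with ASCII 'i' and 'k' respectively.
    """
    return [
        stored for stored in USERS
        if stored.upper() == submitted.upper() or stored.lower() == submitted.lower()
    ]


def reset_recipients_vulnerable(submitted):
    """Pre-fix pattern: the reset link goes to the address the requester typed."""
    return [submitted for _ in db_iexact(submitted)]


def unicode_ci_compare(s1, s2):
    """Comparison modelled on the post-fix check: NFKC-normalize, then casefold."""
    def fold(s):
        return unicodedata.normalize("NFKC", s).casefold()
    return fold(s1) == fold(s2)


def reset_recipients_fixed(submitted):
    """Post-fix pattern: re-check the database candidates in Python and send only
    to the stored address, so even a surviving collision reaches the real owner."""
    return [
        stored for stored in db_iexact(submitted)
        if unicode_ci_compare(stored, submitted)
    ]


if __name__ == "__main__":
    for probe in ["Mike@Example.com", "m\u0131ke@example.com", "\u212aim@example.com"]:
        print(repr(probe), reset_recipients_vulnerable(probe), reset_recipients_fixed(probe))
```

The dotless-i probe is matched by the emulated database but rejected by the Python re-check, so no mail is sent; the Kelvin-sign probe survives both checks, but the link now goes to the stored address rather than the submitted one.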

~~~
KyeRussell
Yep, and goes to show that the intricacies of character encoding need to be
more well-understood by developers, instead of the incredibly small subset of
Unicode Wizards leading the way and everyone else (me included) barely keeping
up.

Naturally, the top-rated comment in the thread you linked makes a much better
point than I ever could!

------
KyeRussell
django-allauth also affected: [https://github.com/pennersr/django-allauth/issues/2413](https://github.com/pennersr/django-allauth/issues/2413)

