Context Navigation

← Previous Change
Ticket Comment History
Next Change →

Changes between Initial Version and Version 1 of Ticket #21389, comment 3

Timestamp:: Nov 11, 2013, 6:16:40 AM (11 years ago)
Author:: Bouke Haarsma

Legend:

: Unmodified
: Added
: Removed
: Modified

Ticket #21389, comment 3

-              initial
+              v1
 > Due to limitations imposed by Web server software on the size of HTTP header fields, combined with reasonable limits on the number of requests which may be handled by a single server process over its lifetime, this vulnerability may be difficult to exploit. Additionally, it is only present when the "USE_I18N" setting in Django is "True" and the i18n middleware component is enabled*. Nonetheless, all users of affected versions of Django are encouraged to update.
+Comparing the set of locales defined in `globalsettings.LANGUAGES` and Pythons' `locale_alias`, there are more locales suffering from this issue:
+{{{
+(
+    ('fy-nl', 'Frisian'),
+    ('ia', 'Interlingua'),
+    ('kk', 'Kazakh'),
+    ('lb', 'Luxembourgish'),
+    ('mn', 'Mongolian'),
+    ('my', 'Burmese'),
+    ('ne', 'Nepali'),
+    ('os', 'Ossetic'),
+    ('sr-latn', 'Serbian Latin'),
+    ('sw', 'Swahili'),
+    ('udm', 'Udmurt'),
+    ('zh-hans', 'Simplified Chinese'),
+    ('zh-hant', 'Traditional Chinese'),
+)
+}}}
+HTTP Accept-Language follow the language tags defined by IANA and are defined as:
+{{{
+ langtag       = language
+                 ["-" script]
+                 ["-" region]
+                 *("-" variant)
+                 *("-" extension)
+                 ["-" privateuse]
+}}}
+According to IANA, there are 8068 languages, 162 scripts, 301 regions and 62 variants. Shipping an inclusive list of all possible language tags is probably overkill.
 So there should be some limitation on which languages can be provided by the user to prevent such an attack, while allowing all possible languages and sublanguages.