===========================
Django 1.7.10 release notes
===========================

*August 18, 2015*

Django 1.7.10 fixes a security issue in 1.7.9.

Denial-of-service possibility in ``logout()`` view by filling session store
===========================================================================

Previously, a session could be created when anonymously accessing the
:func:`django.contrib.auth.views.logout` view (provided it wasn't decorated
with :func:`~django.contrib.auth.decorators.login_required` as done in the
admin). This could allow an attacker to easily create many new session records
by sending repeated requests, potentially filling up the session store or
causing other users' session records to be evicted.

The :class:`~django.contrib.sessions.middleware.SessionMiddleware` has been
modified to no longer create empty session records.

Additionally, the ``contrib.sessions.backends.base.SessionBase.flush()`` and
``cache_db.SessionStore.flush()`` methods have been modified to avoid creating
a new empty session. Maintainers of third-party session backends should check
if the same vulnerability is present in their backend and correct it if so.
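
For maintainers checking a third-party backend, the following is an added example (not Django's code) that models a ``flush()`` which persists a fresh empty session next to one that writes nothing, using constructed in-memory stores. ``ToyStore``, ``EagerFlushStore``, ``LazyFlushStore`` and both helper functions are hypothetical names, and the eager variant is an assumed shape of the old behaviour; the check relies only on ``session_key``, ``save()``, ``exists()`` and ``flush()``.

```python
import secrets

class ToyStore:
    """Constructed in-memory backend exposing the few methods the check uses."""
    records = {}  # stands in for the session table or cache

    def __init__(self):
        self.session_key, self._data = None, {}

    def __setitem__(self, key, value):
        self._data[key] = value

    def exists(self, session_key):
        return session_key in self.records

    def save(self):
        if self.session_key is None:
            self.session_key = secrets.token_hex(16)
        self.records[self.session_key] = dict(self._data)

    def delete(self):
        self.records.pop(self.session_key, None)

class EagerFlushStore(ToyStore):
    records = {}
    def flush(self):  # pattern to look for: wipe, then persist a fresh empty session
        self._data = {}
        self.delete()
        self.session_key = None
        self.save()

class LazyFlushStore(ToyStore):
    records = {}
    def flush(self):  # corrected pattern: wipe and forget the key, write nothing
        self._data = {}
        self.delete()
        self.session_key = None

def flush_creates_empty_record(store):
    """True if flush() on a populated session leaves a new stored record behind."""
    store["probe"] = 1
    store.save()
    store.flush()
    return store.session_key is not None and store.exists(store.session_key)

def records_after_flushes(store_cls, n):
    """Records left after n fresh sessions are flushed, as repeated anonymous
    requests to a view that flushes the session would do."""
    store_cls.records.clear()
    for _ in range(n):
        store_cls().flush()
    return len(store_cls.records)
```

A backend for which ``flush_creates_empty_record()`` returns ``True`` grows by one record per flushed anonymous session, which is the store-filling condition described above.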