mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-31 09:41:08 +00:00
Code Issues 32 Releases Wiki Activity

[1.6.x] Fixed #23066 -- Modified RemoteUserMiddleware to logout on REMOTE_USE change.

Browse Source 
This is a security fix. Disclosure following shortly.
This commit is contained in:
Preston Holmes
2014-08-11 12:04:53 -04:00
committed by Tim Graham
parent dd0c3f4ee1
commit 0268b855f9
5 changed files with 65 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
docs/releases/1.4.14.txt
View File

@@ -38,3 +38,12 @@ if a file with the uploaded name already exists.
underscore plus a random 7 character alphanumeric string (e.g. ``"_x3a1gho"``),
rather than iterating through an underscore followed by a number (e.g. ``"_1"``,
``"_2"``, etc.).
``RemoteUserMiddleware`` session hijacking
==========================================
When using the :class:`~django.contrib.auth.middleware.RemoteUserMiddleware`
and the ``RemoteUserBackend``, a change to the ``REMOTE_USER`` header between
requests without an intervening logout could result in the prior user's session
being co-opted by the subsequent user. The middleware now logs the user out on
a failed login attempt.

9
docs/releases/1.5.9.txt
View File

@@ -38,3 +38,12 @@ if a file with the uploaded name already exists.
underscore plus a random 7 character alphanumeric string (e.g. ``"_x3a1gho"``),
rather than iterating through an underscore followed by a number (e.g. ``"_1"``,
``"_2"``, etc.).
``RemoteUserMiddleware`` session hijacking
==========================================
When using the :class:`~django.contrib.auth.middleware.RemoteUserMiddleware`
and the ``RemoteUserBackend``, a change to the ``REMOTE_USER`` header between
requests without an intervening logout could result in the prior user's session
being co-opted by the subsequent user. The middleware now logs the user out on
a failed login attempt.

9
docs/releases/1.6.6.txt
View File

@@ -39,6 +39,15 @@ underscore plus a random 7 character alphanumeric string (e.g. ``"_x3a1gho"``),
rather than iterating through an underscore followed by a number (e.g. ``"_1"``,
``"_2"``, etc.).
``RemoteUserMiddleware`` session hijacking
==========================================
When using the :class:`~django.contrib.auth.middleware.RemoteUserMiddleware`
and the ``RemoteUserBackend``, a change to the ``REMOTE_USER`` header between
requests without an intervening logout could result in the prior user's session
being co-opted by the subsequent user. The middleware now logs the user out on
a failed login attempt.
Bugfixes
========