Mirror of https://github.com/django/django.git, synced 2025-10-24 22:26:08 +00:00
	Fixed #20887 -- Added a warning to GzipMiddleware in light of BREACH.
Thanks EvilDMP for the report and Russell Keith-Magee for the draft text.
		| @@ -79,6 +79,20 @@ GZip middleware | |||||||
|  |  | ||||||
| .. class:: GZipMiddleware | .. class:: GZipMiddleware | ||||||
|  |  | ||||||
|  | .. warning:: | ||||||
|  |  | ||||||
|  |     Security researchers recently revealed that when compression techniques | ||||||
|  |     (including ``GZipMiddleware``) are used on a website, the site becomes | ||||||
|  |     exposed to a number of possible attacks. These approaches can be used to | ||||||
|  |     compromise, amongst other things, Django's CSRF protection. Before using | ||||||
|  |     ``GZipMiddleware`` on your site, you should consider very carefully whether | ||||||
|  |     you are subject to these attacks. If you're in *any* doubt about whether | ||||||
|  |     you're affected, you should avoid using ``GZipMiddleware``. For more | ||||||
|  |     details, see the `the BREACH paper (PDF)`_ and `breachattack.com`_. | ||||||
|  |  | ||||||
|  |     .. _the BREACH paper (PDF): http://breachattack.com/resources/BREACH%20-%20SSL,%20gone%20in%2030%20seconds.pdf | ||||||
|  |     .. _breachattack.com: http://breachattack.com | ||||||
|  |  | ||||||
| Compresses content for browsers that understand GZip compression (all modern | Compresses content for browsers that understand GZip compression (all modern | ||||||
| browsers). | browsers). | ||||||
|  |  | ||||||
|   | |||||||
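Review bot: the last sentence of the new warning reads ``see the `the BREACH paper (PDF)`_``, which renders as "see the the BREACH paper (PDF)"; drop the leading "the" or rename the hyperlink target. Two wording points on the same paragraph: "Security researchers recently revealed" will read as stale within a year, so name the attack in the sentence itself (for example "The BREACH attack showed that ...") rather than only in the link names, and "a number of possible attacks" gives a reader nothing to assess their exposure against. Since the paragraph asks people to decide "whether you are subject to these attacks", it should state the condition: the attack applies when a secret such as the CSRF token appears in an HTTPS response body that also reflects attacker-controlled input, so that both are compressed together. Without that, "avoid using ``GZipMiddleware`` if in any doubt" is the only actionable guidance, and it will be read as if removing the middleware were sufficient.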
| @@ -1173,7 +1173,10 @@ site's performance: | |||||||
|   and ``Last-Modified`` headers. |   and ``Last-Modified`` headers. | ||||||
|  |  | ||||||
| * :class:`django.middleware.gzip.GZipMiddleware` compresses responses for all | * :class:`django.middleware.gzip.GZipMiddleware` compresses responses for all | ||||||
|   modern browsers, saving bandwidth and transfer time. |   modern browsers, saving bandwidth and transfer time. Be warned, however, | ||||||
|  |   that compression techniques like ``GZipMiddleware`` are subject to attacks. | ||||||
|  |   See the warning in :class:`~django.middleware.gzip.GZipMiddleware` for | ||||||
|  |   details. | ||||||
|  |  | ||||||
| Order of MIDDLEWARE_CLASSES | Order of MIDDLEWARE_CLASSES | ||||||
| =========================== | =========================== | ||||||
|   | |||||||
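Review bot: "are subject to attacks" in the added sentence is too vague for a list a reader scans while tuning performance; say what is at risk, for instance "can be used to recover secrets such as the CSRF token from compressed HTTPS responses (the BREACH attack)", and keep the cross-reference to the class warning for details. One more clause is worth adding here: the exposure comes from compressing the response, not from this middleware in particular, so a deployment that drops ``GZipMiddleware`` but leaves gzip enabled on the web server or CDN in front of Django is in the same position; as written, the text can be read as implying otherwise.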