mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-31 01:25:32 +00:00
Code Issues 32 Releases Wiki Activity
Files
4c5215ab036aa8fda9cd0148fd034f4d8f7d69d1
django/docs/releases/1.7.10.txt
Tim Graham 4f313e284e Refs #17209 -- Removed login/logout and password reset/change function-based views. 
Per deprecation timeline.
2017-09-22 12:51:17 -04:00

27 lines
1.2 KiB
Plaintext
Raw Blame History

===========================
Django 1.7.10 release notes
===========================
*August 18, 2015*
Django 1.7.10 fixes a security issue in 1.7.9.
Denial-of-service possibility in ``logout()`` view by filling session store
===========================================================================
Previously, a session could be created when anonymously accessing the
``django.contrib.auth.views.logout()`` view (provided it wasn't decorated
with :func:`~django.contrib.auth.decorators.login_required` as done in the
admin). This could allow an attacker to easily create many new session records
by sending repeated requests, potentially filling up the session store or
causing other users' session records to be evicted.
The :class:`~django.contrib.sessions.middleware.SessionMiddleware` has been
modified to no longer create empty session records, including when
:setting:`SESSION_SAVE_EVERY_REQUEST` is active.
Additionally, the ``contrib.sessions.backends.base.SessionBase.flush()`` and
``cache_db.SessionStore.flush()`` methods have been modified to avoid creating
a new empty session. Maintainers of third-party session backends should check
if the same vulnerability is present in their backend and correct it if so.
Reference in New Issue View Git Blame Copy Permalink