mirror of
https://github.com/django/django.git
synced 2024-11-18 15:34:16 +00:00
4f313e284e
Per deprecation timeline.
31 lines
1.4 KiB
Plaintext
31 lines
1.4 KiB
Plaintext
===========================
|
|
Django 1.4.22 release notes
|
|
===========================
|
|
|
|
*August 18, 2015*
|
|
|
|
Django 1.4.22 fixes a security issue in 1.4.21.
|
|
|
|
It also fixes support with pip 7+ by disabling wheel support. Older versions
|
|
of 1.4 would silently build a broken wheel when installed with those versions
|
|
of pip.
|
|
|
|
Denial-of-service possibility in ``logout()`` view by filling session store
|
|
===========================================================================
|
|
|
|
Previously, a session could be created when anonymously accessing the
|
|
``django.contrib.auth.views.logout()`` view (provided it wasn't decorated
|
|
with :func:`~django.contrib.auth.decorators.login_required` as done in the
|
|
admin). This could allow an attacker to easily create many new session records
|
|
by sending repeated requests, potentially filling up the session store or
|
|
causing other users' session records to be evicted.
|
|
|
|
The :class:`~django.contrib.sessions.middleware.SessionMiddleware` has been
|
|
modified to no longer create empty session records, including when
|
|
:setting:`SESSION_SAVE_EVERY_REQUEST` is active.
|
|
|
|
Additionally, the ``contrib.sessions.backends.base.SessionBase.flush()`` and
|
|
``cache_db.SessionStore.flush()`` methods have been modified to avoid creating
|
|
a new empty session. Maintainers of third-party session backends should check
|
|
if the same vulnerability is present in their backend and correct it if so.
|