mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-01-06 08:25:50 +00:00
Code Issues 30 Releases Wiki Activity
66d12d1aba
django/docs/releases/1.4.21.txt
Carl Meyer 66d12d1aba [1.8.x] Fixed #19324 -- Avoided creating a session record when loading the session. 
The session record is now only created if/when the session is modified. This
prevents a potential DoS via creation of many empty session records.

This is a security fix; disclosure to follow shortly.
2015-07-08 15:23:18 -04:00

29 lines
1.2 KiB
Plaintext
Raw Blame History

===========================
Django 1.4.21 release notes
===========================
*July 8, 2015*
Django 1.4.21 fixes several security issues in 1.4.20.
Denial-of-service possibility by filling session store
======================================================
In previous versions of Django, the session backends created a new empty record
in the session storage anytime ``request.session`` was accessed and there was a
session key provided in the request cookies that didn't already have a session
record. This could allow an attacker to easily create many new session records
simply by sending repeated requests with unknown session keys, potentially
filling up the session store or causing other users' session records to be
evicted.
The built-in session backends now create a session record only if the session
is actually modified; empty session records are not created. Thus this
potential DoS is now only possible if the site chooses to expose a
session-modifying view to anonymous users.
As each built-in session backend was fixed separately (rather than a fix in the
core sessions framework), maintainers of third-party session backends should
check whether the same vulnerability is present in their backend and correct
it if so.
Reference in New Issue View Git Blame Copy Permalink