===========================
Django 1.7.10 release notes
===========================

*August 18, 2015*

Django 1.7.10 fixes a security issue in 1.7.9.

Denial-of-service possibility in ``logout()`` view by filling session store
===========================================================================

Previously, a session could be created when anonymously accessing the
``django.contrib.auth.views.logout()`` view (provided it wasn't decorated
with :func:`~django.contrib.auth.decorators.login_required` as done in the
admin). This could allow an attacker to easily create many new session records
by sending repeated requests, potentially filling up the session store or
causing other users' session records to be evicted.

The :class:`~django.contrib.sessions.middleware.SessionMiddleware` has been
modified to no longer create empty session records, including when
:setting:`SESSION_SAVE_EVERY_REQUEST` is active.

Additionally, the ``contrib.sessions.backends.base.SessionBase.flush()`` and
``cache_db.SessionStore.flush()`` methods have been modified to avoid creating
a new empty session. Maintainers of third-party session backends should check
if the same vulnerability is present in their backend and correct it if so.
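The three paragraphs above describe one mechanism: an anonymous request reaches
``logout()``, ``flush()`` allocates a fresh empty session, and the middleware
persists it, so a bounded store fills with junk records and evicts real users.
The following simulation is an added example written for this page; it is not
Django's code. ``BoundedSessionStore``, ``Session``, ``process_response`` and
``simulate`` are constructed stand-ins that follow the behaviour the notes
describe (``flush_vulnerable`` models the old ``flush()``, ``flush_fixed`` the
1.7.10 one, and the ``fixed`` flag in ``process_response`` models the
middleware's new "never save an empty session" rule). The eviction policy,
capacity and victim data are invented for illustration. The same harness is
the check a third-party backend maintainer wants: run anonymous requests that
call ``flush()`` through the middleware and assert the record count does not grow.

```python
"""Toy model of the logout()/session-store DoS and its fix (added example,
not Django's own code). A bounded in-memory store stands in for a
cache-backed session backend that evicts the oldest record when full."""
from collections import OrderedDict
import secrets


class BoundedSessionStore:
    """Constructed stand-in for a cache-backed session store: a fixed number
    of slots, evicting the oldest record when a new key arrives and it is full."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.records = OrderedDict()
        self.evicted = []

    def save(self, key, data):
        if key not in self.records and len(self.records) >= self.capacity:
            old_key, _ = self.records.popitem(last=False)  # evict oldest
            self.evicted.append(old_key)
        self.records[key] = dict(data)

    def delete(self, key):
        self.records.pop(key, None)

    def exists(self, key):
        return key in self.records


class Session:
    """Minimal session object; the two flush variants model the pre- and
    post-1.7.10 behaviour as the release notes describe it."""

    def __init__(self, store, session_key=None):
        self.store = store
        self.session_key = session_key if store.exists(session_key) else None
        self.data = dict(store.records.get(self.session_key, {}))
        self.modified = False

    def __setitem__(self, key, value):
        self.data[key] = value
        self.modified = True

    def is_empty(self):
        return self.session_key is None and not self.data

    def save(self):
        if self.session_key is None:
            self.session_key = secrets.token_hex(16)
        self.store.save(self.session_key, self.data)
        self.modified = False

    def flush_vulnerable(self):
        # Old behaviour: clear, delete, then immediately create a fresh empty
        # record, so every anonymous logout() writes one record to the store.
        self.data.clear()
        self.store.delete(self.session_key)
        self.session_key = None
        self.save()

    def flush_fixed(self):
        # Fixed behaviour: clear and delete but allocate nothing; the
        # middleware then skips the save because the session is empty.
        self.data.clear()
        self.store.delete(self.session_key)
        self.session_key = None
        self.modified = True


def process_response(session, save_every_request, fixed):
    """Save decision of a SessionMiddleware-like component. Returns the key
    that would be set as the session cookie, or None if nothing is saved."""
    if not (session.modified or save_every_request):
        return None
    if fixed and session.is_empty():
        return None  # the 1.7.10 rule: never persist an empty, keyless session
    session.save()
    return session.session_key


def simulate(n_requests, capacity, fixed, save_every_request=False, call_logout=True):
    """Send n anonymous requests (no session cookie) at a store that already
    holds one logged-in victim's session; report the damage."""
    store = BoundedSessionStore(capacity)
    victim_key = "victim-session-key"            # constructed sample record
    store.save(victim_key, {"_auth_user_id": 42})
    for _ in range(n_requests):
        session = Session(store)                 # anonymous: no cookie, no key
        if call_logout:                          # what logout() does to it
            session.flush_fixed() if fixed else session.flush_vulnerable()
        process_response(session, save_every_request, fixed)
    return {"records": len(store.records),
            "victim_evicted": not store.exists(victim_key)}


def anonymous_request_with_data(fixed):
    """Regression check: a request that really stores data must still get a
    session under the fixed rule, otherwise the fix broke anonymous carts."""
    store = BoundedSessionStore(10)
    session = Session(store)
    session["cart"] = ["sku-1"]
    key = process_response(session, save_every_request=False, fixed=fixed)
    return key is not None and store.exists(key)


if __name__ == "__main__":
    for fixed in (False, True):
        label = "fixed" if fixed else "vulnerable"
        print(label, "logout():", simulate(50, 10, fixed))
        print(label, "SESSION_SAVE_EVERY_REQUEST plain GET:",
              simulate(50, 10, fixed, save_every_request=True, call_logout=False))
```

With a capacity of 10 and 50 anonymous requests, the vulnerable variant fills
all 10 slots and evicts the logged-in victim, both via ``logout()`` and via a
plain GET when ``SESSION_SAVE_EVERY_REQUEST`` is on; the fixed variant leaves
the store at one record in both cases while still saving a session that
actually carries data.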