0
0
mirror of https://github.com/django/django.git synced 2024-11-30 07:06:18 +01:00
django/docs/releases/1.4.22.txt
Tim Graham 8cc41ce7a7 Fixed DoS possiblity in contrib.auth.views.logout()
Thanks Florian Apolloner and Carl Meyer for review.

This is a security fix.
2015-08-18 08:03:43 -04:00

30 lines
1.3 KiB
Plaintext

===========================
Django 1.4.22 release notes
===========================
*August 18, 2015*
Django 1.4.22 fixes a security issue in 1.4.21.
It also fixes support with pip 7+ by disabling wheel support. Older versions
of 1.4 would silently build a broken wheel when installed with those versions
of pip.
Denial-of-service possibility in ``logout()`` view by filling session store
===========================================================================
Previously, a session could be created when anonymously accessing the
:func:`django.contrib.auth.views.logout` view (provided it wasn't decorated
with :func:`~django.contrib.auth.decorators.login_required` as done in the
admin). This could allow an attacker to easily create many new session records
by sending repeated requests, potentially filling up the session store or
causing other users' session records to be evicted.
The :class:`~django.contrib.sessions.middleware.SessionMiddleware` has been
modified to no longer create empty session records.
Additionally, the ``contrib.sessions.backends.base.SessionBase.flush()`` and
``cache_db.SessionStore.flush()`` methods have been modified to avoid creating
a new empty session. Maintainers of third-party session backends should check
if the same vulnerability is present in their backend and correct it if so.