diff options
| author | Aymeric Augustin <aymeric.augustin@m4x.org> | 2014-04-20 16:10:32 -0400 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2014-04-21 18:11:26 -0400 |
| commit | c083e3815aec23b99833da710eea574e6f2e8566 (patch) | |
| tree | 8f5b11d9618ba548ff633037ecca763094838d23 /django | |
| parent | 8b93b31487d6d3b0fcbbd0498991ea0db9088054 (diff) | |
Prevented leaking the CSRF token through caching.
This is a security fix. Disclosure will follow shortly.
Diffstat (limited to 'django')
| -rw-r--r-- | django/middleware/cache.py | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/django/middleware/cache.py b/django/middleware/cache.py index 2db82dd4b5..df33dfce33 100644 --- a/django/middleware/cache.py +++ b/django/middleware/cache.py @@ -45,7 +45,8 @@ More details about how the caching works: from django.conf import settings from django.core.cache import caches, DEFAULT_CACHE_ALIAS -from django.utils.cache import get_cache_key, learn_cache_key, patch_response_headers, get_max_age +from django.utils.cache import (get_cache_key, get_max_age, has_vary_header, + learn_cache_key, patch_response_headers) class UpdateCacheMiddleware(object): @@ -77,8 +78,15 @@ class UpdateCacheMiddleware(object): if not self._should_update_cache(request, response): # We don't need to update the cache, just return. return response + if response.streaming or response.status_code != 200: return response + + # Don't cache responses that set a user-specific (and maybe security + # sensitive) cookie in response to a cookie-less request. + if not request.COOKIES and response.cookies and has_vary_header(response, 'Cookie'): + return response + # Try to get the timeout from the "max-age" section of the "Cache- # Control" header before reverting to using the default cache_timeout # length. |
