summaryrefslogtreecommitdiff
path: root/docs/releases
diff options
context:
space:
mode:
authorShai Berger <shai@platonix.com>2015-11-07 18:35:45 +0200
committerShai Berger <shai@platonix.com>2016-05-19 05:02:19 +0300
commit5112e65ef2df1dbb95ff83026b6a962fb2688661 (patch)
tree4a657b0b1ac93e8b269890374caccdf495b45160 /docs/releases
parent6d9c5d46e644a8ef93b0227fc710e09394a03992 (diff)
Fixed #20869 -- made CSRF tokens change every request by salt-encrypting them
Note that the cookie is not changed every request, just the token retrieved by the `get_token()` method (used also by the `{% csrf_token %}` tag). While at it, made token validation strict: Where, before, any length was accepted and non-ASCII chars were ignored, we now treat anything other than `[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for backwards-compatibility, are accepted and replaced by 64-char ones). Thanks Trac user patrys for reporting, github user adambrenecki for initial patch, Tim Graham for help, and Curtis Maloney, Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne for reviews.
Diffstat (limited to 'docs/releases')
-rw-r--r--docs/releases/1.10.txt12
1 files changed, 12 insertions, 0 deletions
diff --git a/docs/releases/1.10.txt b/docs/releases/1.10.txt
index 14b23def72..405d7d5715 100644
--- a/docs/releases/1.10.txt
+++ b/docs/releases/1.10.txt
@@ -256,6 +256,12 @@ CSRF
accepts an optional ``template_name`` parameter, defaulting to
``'403_csrf.html'``, to control the template used to render the page.
+* To protect against `BREACH`_ attacks, the CSRF protection mechanism now
+ changes the form token value on every request (while keeping an invariant
+ secret which can be used to validate the different tokens).
+
+.. _BREACH: http://breachattack.com/
+
Database backends
~~~~~~~~~~~~~~~~~
@@ -795,6 +801,12 @@ Miscellaneous
* ``utils.version.get_version()`` returns :pep:`440` compliant release
candidate versions (e.g. '1.10rc1' instead of '1.10c1').
+* CSRF token values are now required to be strings of 64 alphanumerics; values
+ of 32 alphanumerics, as set by older versions of Django by default, are
+ automatically replaced by strings of 64 characters. Other values are
+ considered invalid. This should only affect developers or users who replace
+ these tokens.
+
* The ``LOGOUT_URL`` setting is removed as Django hasn't made use of it
since pre-1.0. If you use it in your project, you can add it to your
project's settings. The default value was ``'/accounts/logout/'``.