diff options
| author | Shai Berger <shai@platonix.com> | 2015-11-07 18:35:45 +0200 |
|---|---|---|
| committer | Shai Berger <shai@platonix.com> | 2016-05-19 05:02:19 +0300 |
| commit | 5112e65ef2df1dbb95ff83026b6a962fb2688661 (patch) | |
| tree | 4a657b0b1ac93e8b269890374caccdf495b45160 /docs/releases | |
| parent | 6d9c5d46e644a8ef93b0227fc710e09394a03992 (diff) | |
Fixed #20869 -- made CSRF tokens change every request by salt-encrypting them
Note that the cookie is not changed every request, just the token retrieved
by the `get_token()` method (used also by the `{% csrf_token %}` tag).
While at it, made token validation strict: Where, before, any length was
accepted and non-ASCII chars were ignored, we now treat anything other than
`[A-Za-z0-9]{64}` as invalid (except for 32-char tokens, which, for
backwards-compatibility, are accepted and replaced by 64-char ones).
Thanks Trac user patrys for reporting, github user adambrenecki
for initial patch, Tim Graham for help, and Curtis Maloney,
Collin Anderson, Florian Apolloner, Markus Holtermann & Jon Dufresne
for reviews.
Diffstat (limited to 'docs/releases')
| -rw-r--r-- | docs/releases/1.10.txt | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/docs/releases/1.10.txt b/docs/releases/1.10.txt index 14b23def72..405d7d5715 100644 --- a/docs/releases/1.10.txt +++ b/docs/releases/1.10.txt @@ -256,6 +256,12 @@ CSRF accepts an optional ``template_name`` parameter, defaulting to ``'403_csrf.html'``, to control the template used to render the page. +* To protect against `BREACH`_ attacks, the CSRF protection mechanism now + changes the form token value on every request (while keeping an invariant + secret which can be used to validate the different tokens). + +.. _BREACH: http://breachattack.com/ + Database backends ~~~~~~~~~~~~~~~~~ @@ -795,6 +801,12 @@ Miscellaneous * ``utils.version.get_version()`` returns :pep:`440` compliant release candidate versions (e.g. '1.10rc1' instead of '1.10c1'). +* CSRF token values are now required to be strings of 64 alphanumerics; values + of 32 alphanumerics, as set by older versions of Django by default, are + automatically replaced by strings of 64 characters. Other values are + considered invalid. This should only affect developers or users who replace + these tokens. + * The ``LOGOUT_URL`` setting is removed as Django hasn't made use of it since pre-1.0. If you use it in your project, you can add it to your project's settings. The default value was ``'/accounts/logout/'``. |
