summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorPreston Holmes <preston@ptone.com>2014-08-11 12:04:53 -0400
committerTim Graham <timograham@gmail.com>2014-08-20 11:43:43 -0400
commit0268b855f9eab3377f2821164ef3e66037789e09 (patch)
treebcf6f506f84753a686354786522af7ae12e6d54d /docs
parentdd0c3f4ee1a30c1a1e6055061c6ba6e58c6b54d1 (diff)
[1.6.x] Fixed #23066 -- Modified RemoteUserMiddleware to logout on REMOTE_USE change.
This is a security fix. Disclosure following shortly.
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/1.4.14.txt9
-rw-r--r--docs/releases/1.5.9.txt9
-rw-r--r--docs/releases/1.6.6.txt9
3 files changed, 27 insertions, 0 deletions
diff --git a/docs/releases/1.4.14.txt b/docs/releases/1.4.14.txt
index 6c140ee6dc..811c3f67ea 100644
--- a/docs/releases/1.4.14.txt
+++ b/docs/releases/1.4.14.txt
@@ -38,3 +38,12 @@ if a file with the uploaded name already exists.
underscore plus a random 7 character alphanumeric string (e.g. ``"_x3a1gho"``),
rather than iterating through an underscore followed by a number (e.g. ``"_1"``,
``"_2"``, etc.).
+
+``RemoteUserMiddleware`` session hijacking
+==========================================
+
+When using the :class:`~django.contrib.auth.middleware.RemoteUserMiddleware`
+and the ``RemoteUserBackend``, a change to the ``REMOTE_USER`` header between
+requests without an intervening logout could result in the prior user's session
+being co-opted by the subsequent user. The middleware now logs the user out on
+a failed login attempt.
diff --git a/docs/releases/1.5.9.txt b/docs/releases/1.5.9.txt
index 232cbb0767..5070f0eca1 100644
--- a/docs/releases/1.5.9.txt
+++ b/docs/releases/1.5.9.txt
@@ -38,3 +38,12 @@ if a file with the uploaded name already exists.
underscore plus a random 7 character alphanumeric string (e.g. ``"_x3a1gho"``),
rather than iterating through an underscore followed by a number (e.g. ``"_1"``,
``"_2"``, etc.).
+
+``RemoteUserMiddleware`` session hijacking
+==========================================
+
+When using the :class:`~django.contrib.auth.middleware.RemoteUserMiddleware`
+and the ``RemoteUserBackend``, a change to the ``REMOTE_USER`` header between
+requests without an intervening logout could result in the prior user's session
+being co-opted by the subsequent user. The middleware now logs the user out on
+a failed login attempt.
diff --git a/docs/releases/1.6.6.txt b/docs/releases/1.6.6.txt
index c2ebdb9efb..e52ea6b23f 100644
--- a/docs/releases/1.6.6.txt
+++ b/docs/releases/1.6.6.txt
@@ -39,6 +39,15 @@ underscore plus a random 7 character alphanumeric string (e.g. ``"_x3a1gho"``),
rather than iterating through an underscore followed by a number (e.g. ``"_1"``,
``"_2"``, etc.).
+``RemoteUserMiddleware`` session hijacking
+==========================================
+
+When using the :class:`~django.contrib.auth.middleware.RemoteUserMiddleware`
+and the ``RemoteUserBackend``, a change to the ``REMOTE_USER`` header between
+requests without an intervening logout could result in the prior user's session
+being co-opted by the subsequent user. The middleware now logs the user out on
+a failed login attempt.
+
Bugfixes
========