diff options
| author | Preston Holmes <preston@ptone.com> | 2014-08-11 12:04:53 -0400 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2014-08-20 11:43:43 -0400 |
| commit | 0268b855f9eab3377f2821164ef3e66037789e09 (patch) | |
| tree | bcf6f506f84753a686354786522af7ae12e6d54d /docs | |
| parent | dd0c3f4ee1a30c1a1e6055061c6ba6e58c6b54d1 (diff) | |
[1.6.x] Fixed #23066 -- Modified RemoteUserMiddleware to logout on REMOTE_USE change.
This is a security fix. Disclosure following shortly.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/1.4.14.txt | 9 | ||||
| -rw-r--r-- | docs/releases/1.5.9.txt | 9 | ||||
| -rw-r--r-- | docs/releases/1.6.6.txt | 9 |
3 files changed, 27 insertions, 0 deletions
diff --git a/docs/releases/1.4.14.txt b/docs/releases/1.4.14.txt index 6c140ee6dc..811c3f67ea 100644 --- a/docs/releases/1.4.14.txt +++ b/docs/releases/1.4.14.txt @@ -38,3 +38,12 @@ if a file with the uploaded name already exists. underscore plus a random 7 character alphanumeric string (e.g. ``"_x3a1gho"``), rather than iterating through an underscore followed by a number (e.g. ``"_1"``, ``"_2"``, etc.). + +``RemoteUserMiddleware`` session hijacking +========================================== + +When using the :class:`~django.contrib.auth.middleware.RemoteUserMiddleware` +and the ``RemoteUserBackend``, a change to the ``REMOTE_USER`` header between +requests without an intervening logout could result in the prior user's session +being co-opted by the subsequent user. The middleware now logs the user out on +a failed login attempt. diff --git a/docs/releases/1.5.9.txt b/docs/releases/1.5.9.txt index 232cbb0767..5070f0eca1 100644 --- a/docs/releases/1.5.9.txt +++ b/docs/releases/1.5.9.txt @@ -38,3 +38,12 @@ if a file with the uploaded name already exists. underscore plus a random 7 character alphanumeric string (e.g. ``"_x3a1gho"``), rather than iterating through an underscore followed by a number (e.g. ``"_1"``, ``"_2"``, etc.). + +``RemoteUserMiddleware`` session hijacking +========================================== + +When using the :class:`~django.contrib.auth.middleware.RemoteUserMiddleware` +and the ``RemoteUserBackend``, a change to the ``REMOTE_USER`` header between +requests without an intervening logout could result in the prior user's session +being co-opted by the subsequent user. The middleware now logs the user out on +a failed login attempt. diff --git a/docs/releases/1.6.6.txt b/docs/releases/1.6.6.txt index c2ebdb9efb..e52ea6b23f 100644 --- a/docs/releases/1.6.6.txt +++ b/docs/releases/1.6.6.txt @@ -39,6 +39,15 @@ underscore plus a random 7 character alphanumeric string (e.g. ``"_x3a1gho"``), rather than iterating through an underscore followed by a number (e.g. ``"_1"``, ``"_2"``, etc.). +``RemoteUserMiddleware`` session hijacking +========================================== + +When using the :class:`~django.contrib.auth.middleware.RemoteUserMiddleware` +and the ``RemoteUserBackend``, a change to the ``REMOTE_USER`` header between +requests without an intervening logout could result in the prior user's session +being co-opted by the subsequent user. The middleware now logs the user out on +a failed login attempt. + Bugfixes ======== |
