summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorTim Graham <timograham@gmail.com>2015-08-05 16:51:42 -0400
committerTim Graham <timograham@gmail.com>2015-08-18 08:15:15 -0400
commit2eb86b01d7b59be06076f6179a454d0fd0afaff6 (patch)
tree66211d34d5a0ee5e3e9db148539dbc2395e32176 /docs
parent048bccb1bea6e13113f6d5fee7b311604ff2ea1f (diff)
[1.8.x] Fixed DoS possiblity in contrib.auth.views.logout()
Thanks Florian Apolloner and Carl Meyer for review. This is a security fix.
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/1.4.22.txt18
-rw-r--r--docs/releases/1.7.10.txt18
-rw-r--r--docs/releases/1.8.4.txt13
3 files changed, 49 insertions, 0 deletions
diff --git a/docs/releases/1.4.22.txt b/docs/releases/1.4.22.txt
index d8ce24bc68..9f8177440f 100644
--- a/docs/releases/1.4.22.txt
+++ b/docs/releases/1.4.22.txt
@@ -9,3 +9,21 @@ Django 1.4.22 fixes a security issue in 1.4.21.
It also fixes support with pip 7+ by disabling wheel support. Older versions
of 1.4 would silently build a broken wheel when installed with those versions
of pip.
+
+Denial-of-service possibility in ``logout()`` view by filling session store
+===========================================================================
+
+Previously, a session could be created when anonymously accessing the
+:func:`django.contrib.auth.views.logout` view (provided it wasn't decorated
+with :func:`~django.contrib.auth.decorators.login_required` as done in the
+admin). This could allow an attacker to easily create many new session records
+by sending repeated requests, potentially filling up the session store or
+causing other users' session records to be evicted.
+
+The :class:`~django.contrib.sessions.middleware.SessionMiddleware` has been
+modified to no longer create empty session records.
+
+Additionally, the ``contrib.sessions.backends.base.SessionBase.flush()`` and
+``cache_db.SessionStore.flush()`` methods have been modified to avoid creating
+a new empty session. Maintainers of third-party session backends should check
+if the same vulnerability is present in their backend and correct it if so.
diff --git a/docs/releases/1.7.10.txt b/docs/releases/1.7.10.txt
index 76457bccbd..38af4a42ce 100644
--- a/docs/releases/1.7.10.txt
+++ b/docs/releases/1.7.10.txt
@@ -5,3 +5,21 @@ Django 1.7.10 release notes
*August 18, 2015*
Django 1.7.10 fixes a security issue in 1.7.9.
+
+Denial-of-service possibility in ``logout()`` view by filling session store
+===========================================================================
+
+Previously, a session could be created when anonymously accessing the
+:func:`django.contrib.auth.views.logout` view (provided it wasn't decorated
+with :func:`~django.contrib.auth.decorators.login_required` as done in the
+admin). This could allow an attacker to easily create many new session records
+by sending repeated requests, potentially filling up the session store or
+causing other users' session records to be evicted.
+
+The :class:`~django.contrib.sessions.middleware.SessionMiddleware` has been
+modified to no longer create empty session records.
+
+Additionally, the ``contrib.sessions.backends.base.SessionBase.flush()`` and
+``cache_db.SessionStore.flush()`` methods have been modified to avoid creating
+a new empty session. Maintainers of third-party session backends should check
+if the same vulnerability is present in their backend and correct it if so.
diff --git a/docs/releases/1.8.4.txt b/docs/releases/1.8.4.txt
index 7b566441e4..e894936bcc 100644
--- a/docs/releases/1.8.4.txt
+++ b/docs/releases/1.8.4.txt
@@ -6,6 +6,19 @@ Django 1.8.4 release notes
Django 1.8.4 fixes a security issue and several bugs in 1.8.3.
+Denial-of-service possibility in ``logout()`` view by filling session store
+===========================================================================
+
+Previously, a session could be created when anonymously accessing the
+:func:`django.contrib.auth.views.logout` view (provided it wasn't decorated
+with :func:`~django.contrib.auth.decorators.login_required` as done in the
+admin). This could allow an attacker to easily create many new session records
+by sending repeated requests, potentially filling up the session store or
+causing other users' session records to be evicted.
+
+The :class:`~django.contrib.sessions.middleware.SessionMiddleware` has been
+modified to no longer create empty session records.
+
Bugfixes
========