summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorPreston Holmes <preston@ptone.com>2014-07-27 21:54:29 -0700
committerTim Graham <timograham@gmail.com>2014-08-20 14:39:40 -0400
commit5307ce565fbedb9cc27cbe7c757b41a00438d37c (patch)
tree295d07a06ed1cefb7a695e764c96420e6aebda81 /docs
parent0d8d30b7ddfe83ab03120f4560c7aa153f4d0ed1 (diff)
Fixed #23066 -- Modified RemoteUserMiddleware to logout on REMOTE_USER change.
This is a security fix. Disclosure following shortly.
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/1.4.14.txt9
-rw-r--r--docs/releases/1.5.9.txt9
-rw-r--r--docs/releases/1.6.6.txt9
3 files changed, 27 insertions, 0 deletions
diff --git a/docs/releases/1.4.14.txt b/docs/releases/1.4.14.txt
index 6c140ee6dc..811c3f67ea 100644
--- a/docs/releases/1.4.14.txt
+++ b/docs/releases/1.4.14.txt
@@ -38,3 +38,12 @@ if a file with the uploaded name already exists.
underscore plus a random 7 character alphanumeric string (e.g. ``"_x3a1gho"``),
rather than iterating through an underscore followed by a number (e.g. ``"_1"``,
``"_2"``, etc.).
+
+``RemoteUserMiddleware`` session hijacking
+==========================================
+
+When using the :class:`~django.contrib.auth.middleware.RemoteUserMiddleware`
+and the ``RemoteUserBackend``, a change to the ``REMOTE_USER`` header between
+requests without an intervening logout could result in the prior user's session
+being co-opted by the subsequent user. The middleware now logs the user out on
+a failed login attempt.
diff --git a/docs/releases/1.5.9.txt b/docs/releases/1.5.9.txt
index 232cbb0767..5070f0eca1 100644
--- a/docs/releases/1.5.9.txt
+++ b/docs/releases/1.5.9.txt
@@ -38,3 +38,12 @@ if a file with the uploaded name already exists.
underscore plus a random 7 character alphanumeric string (e.g. ``"_x3a1gho"``),
rather than iterating through an underscore followed by a number (e.g. ``"_1"``,
``"_2"``, etc.).
+
+``RemoteUserMiddleware`` session hijacking
+==========================================
+
+When using the :class:`~django.contrib.auth.middleware.RemoteUserMiddleware`
+and the ``RemoteUserBackend``, a change to the ``REMOTE_USER`` header between
+requests without an intervening logout could result in the prior user's session
+being co-opted by the subsequent user. The middleware now logs the user out on
+a failed login attempt.
diff --git a/docs/releases/1.6.6.txt b/docs/releases/1.6.6.txt
index c2ebdb9efb..e52ea6b23f 100644
--- a/docs/releases/1.6.6.txt
+++ b/docs/releases/1.6.6.txt
@@ -39,6 +39,15 @@ underscore plus a random 7 character alphanumeric string (e.g. ``"_x3a1gho"``),
rather than iterating through an underscore followed by a number (e.g. ``"_1"``,
``"_2"``, etc.).
+``RemoteUserMiddleware`` session hijacking
+==========================================
+
+When using the :class:`~django.contrib.auth.middleware.RemoteUserMiddleware`
+and the ``RemoteUserBackend``, a change to the ``REMOTE_USER`` header between
+requests without an intervening logout could result in the prior user's session
+being co-opted by the subsequent user. The middleware now logs the user out on
+a failed login attempt.
+
Bugfixes
========