diff options
| author | Preston Holmes <preston@ptone.com> | 2014-08-11 12:04:53 -0400 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2014-08-11 12:15:06 -0400 |
| commit | c9e3b9949cd55f090591fbdc4a114fcb8368b6d9 (patch) | |
| tree | 149096c96d521b893fb48d02de6324acfb621869 /docs | |
| parent | 30042d475bf084c6723c6217a21598d9247a9c41 (diff) | |
[1.4.x] Fixed #23066 -- Modified RemoteUserMiddleware to logout on REMOTE_USE change.
This is a security fix. Disclosure following shortly.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/1.4.14.txt | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/docs/releases/1.4.14.txt b/docs/releases/1.4.14.txt index 6c140ee6dc..811c3f67ea 100644 --- a/docs/releases/1.4.14.txt +++ b/docs/releases/1.4.14.txt @@ -38,3 +38,12 @@ if a file with the uploaded name already exists. underscore plus a random 7 character alphanumeric string (e.g. ``"_x3a1gho"``), rather than iterating through an underscore followed by a number (e.g. ``"_1"``, ``"_2"``, etc.). + +``RemoteUserMiddleware`` session hijacking +========================================== + +When using the :class:`~django.contrib.auth.middleware.RemoteUserMiddleware` +and the ``RemoteUserBackend``, a change to the ``REMOTE_USER`` header between +requests without an intervening logout could result in the prior user's session +being co-opted by the subsequent user. The middleware now logs the user out on +a failed login attempt. |
