summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorRomain Garrigues <romain.garrigues@makina-corpus.com>2017-01-13 14:17:54 +0000
committerTim Graham <timograham@gmail.com>2017-01-13 09:17:54 -0500
commitede59ef6f39ff8a6443c2b24df0208ef6ec41ee0 (patch)
treeee8c155dbc4520371e06fe3251e45e283fc5115d /docs
parent91023d79ec70df9289271e63a67675ee51e7dea8 (diff)
Fixed #27518 -- Prevented possibie password reset token leak via HTTP Referer header.
Thanks Florian Apolloner for contributing to this patch and Collin Anderson, Markus Holtermann, and Tim Graham for review.
Diffstat (limited to 'docs')
-rw-r--r--docs/releases/1.11.txt8
1 files changed, 8 insertions, 0 deletions
diff --git a/docs/releases/1.11.txt b/docs/releases/1.11.txt
index 9bb9a2e903..c8f3e92f21 100644
--- a/docs/releases/1.11.txt
+++ b/docs/releases/1.11.txt
@@ -116,6 +116,14 @@ Minor features
:class:`~django.contrib.auth.views.PasswordResetConfirmView` allows
automatically logging in a user after a successful password reset.
+* To avoid the possibility of leaking a password reset token via the HTTP
+ Referer header (for example, if the reset page includes a reference to CSS or
+ JavaScript hosted on another domain), the
+ :class:`~django.contrib.auth.views.PasswordResetConfirmView` (but not the
+ deprecated ``password_reset_confirm()`` function-based view) stores the token
+ in a session and redirects to itself to present the password change form to
+ the user without the token in the URL.
+
* :func:`~django.contrib.auth.update_session_auth_hash` now rotates the session
key to allow a password change to invalidate stolen session cookies.