diff options
| author | Romain Garrigues <romain.garrigues@makina-corpus.com> | 2017-01-13 14:17:54 +0000 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2017-01-13 09:17:54 -0500 |
| commit | ede59ef6f39ff8a6443c2b24df0208ef6ec41ee0 (patch) | |
| tree | ee8c155dbc4520371e06fe3251e45e283fc5115d /docs | |
| parent | 91023d79ec70df9289271e63a67675ee51e7dea8 (diff) | |
Fixed #27518 -- Prevented possibie password reset token leak via HTTP Referer header.
Thanks Florian Apolloner for contributing to this patch and
Collin Anderson, Markus Holtermann, and Tim Graham for review.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/releases/1.11.txt | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/docs/releases/1.11.txt b/docs/releases/1.11.txt index 9bb9a2e903..c8f3e92f21 100644 --- a/docs/releases/1.11.txt +++ b/docs/releases/1.11.txt @@ -116,6 +116,14 @@ Minor features :class:`~django.contrib.auth.views.PasswordResetConfirmView` allows automatically logging in a user after a successful password reset. +* To avoid the possibility of leaking a password reset token via the HTTP + Referer header (for example, if the reset page includes a reference to CSS or + JavaScript hosted on another domain), the + :class:`~django.contrib.auth.views.PasswordResetConfirmView` (but not the + deprecated ``password_reset_confirm()`` function-based view) stores the token + in a session and redirects to itself to present the password change form to + the user without the token in the URL. + * :func:`~django.contrib.auth.update_session_auth_hash` now rotates the session key to allow a password change to invalidate stolen session cookies. |
