From ede59ef6f39ff8a6443c2b24df0208ef6ec41ee0 Mon Sep 17 00:00:00 2001 From: Romain Garrigues Date: Fri, 13 Jan 2017 14:17:54 +0000 Subject: Fixed #27518 -- Prevented possibie password reset token leak via HTTP Referer header. Thanks Florian Apolloner for contributing to this patch and Collin Anderson, Markus Holtermann, and Tim Graham for review. --- docs/releases/1.11.txt | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'docs') diff --git a/docs/releases/1.11.txt b/docs/releases/1.11.txt index 9bb9a2e903..c8f3e92f21 100644 --- a/docs/releases/1.11.txt +++ b/docs/releases/1.11.txt @@ -116,6 +116,14 @@ Minor features :class:`~django.contrib.auth.views.PasswordResetConfirmView` allows automatically logging in a user after a successful password reset. +* To avoid the possibility of leaking a password reset token via the HTTP + Referer header (for example, if the reset page includes a reference to CSS or + JavaScript hosted on another domain), the + :class:`~django.contrib.auth.views.PasswordResetConfirmView` (but not the + deprecated ``password_reset_confirm()`` function-based view) stores the token + in a session and redirects to itself to present the password change form to + the user without the token in the URL. + * :func:`~django.contrib.auth.update_session_auth_hash` now rotates the session key to allow a password change to invalidate stolen session cookies. -- cgit v1.3