| field | value | date |
|---|---|---|
| author | Tim Graham <timograham@gmail.com> | 2015-08-05 17:44:48 -0400 |
| committer | Tim Graham <timograham@gmail.com> | 2015-08-18 08:24:51 -0400 |
| commit | 2f5485346ee6f84b4e52068c04e043092daf55f7 (patch) | |
| tree | e1ec11a78988899a5abd812beb0014e4fde67d21 /docs/releases/1.7.10.txt | |
| parent | 95af89466893fee083b04b86b77c0226d031e128 (diff) | |
[1.7.x] Fixed DoS possibility in contrib.auth.views.logout()
Refs #20936 -- When logging out/ending a session, don't create a new, empty session.
Previously, when logging out, the existing session was overwritten by a
new sessionid instead of deleting the session altogether.
This behavior added overhead by creating a new session record in
whichever backend was in use: db, cache, etc.
This extra session is unnecessary at the time since no session data is
meant to be preserved when explicitly logging out.
Backport of 393c0e24223c701edeb8ce7dc9d0f852f0c081ad,
088579638b160f3716dc81d194be70c72743593f, and
2dee853ed4def42b7ef1b3b472b395055543cc00 from master
Thanks Florian Apolloner and Carl Meyer for review.
This is a security fix.
Diffstat (limited to 'docs/releases/1.7.10.txt')
| -rw-r--r-- | docs/releases/1.7.10.txt | 18 |
1 files changed, 18 insertions, 0 deletions
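To make the behaviour described in the commit message concrete, here is an added toy model; it is not Django's code and does not import Django. `SessionStore`, `Session`, `finish_response`, `anonymous_logout_records` and `logged_in_logout_leaves_no_record` are names constructed for this illustration, and the `create_on_flush` / `skip_empty` switches are my approximation of the old behaviour (flush creates a replacement session, the middleware saves whenever the session was modified) against the fixed behaviour (flush deletes without creating, and an empty session is never persisted). The two check functions act as regression tests a backend maintainer could adapt: anonymous requests to a logout view must leave no records behind, and a real logout must delete the user's record without writing a replacement.

```python
"""Toy model of session flush() and middleware save behaviour (constructed example, not Django's code)."""
import secrets


class SessionStore:
    """In-memory stand-in for a session backend (db, cache, ...). Constructed for this example."""

    def __init__(self):
        self.records = {}

    def save(self, key, data):
        self.records[key] = dict(data)

    def delete(self, key):
        self.records.pop(key, None)

    def __len__(self):
        return len(self.records)


class Session:
    """Toy session object; create_on_flush switches between the old and the fixed flush()."""

    def __init__(self, store, key=None):
        self.store = store
        self.key = key if key in store.records else None   # unknown cookie -> fresh, keyless session
        self.data = dict(store.records.get(self.key, {}))
        self.modified = False

    def __setitem__(self, name, value):
        self.data[name] = value
        self.modified = True

    def is_empty(self):
        return self.key is None and not self.data

    def create(self):
        """Allocate a fresh key and persist an (empty) record, as the old flush() path did."""
        self.key = secrets.token_hex(16)
        self.store.save(self.key, self.data)
        self.modified = True

    def flush(self, create_on_flush):
        """Old behaviour (True): delete, then immediately create a new empty session.
        Fixed behaviour (False): delete and leave the session keyless; nothing is written."""
        self.data = {}
        self.store.delete(self.key)
        self.key = None
        if create_on_flush:
            self.create()


def finish_response(session, cookie_present, skip_empty):
    """Toy of the middleware's response step; returns the action taken.
    skip_empty=False mirrors the old middleware (save whenever modified);
    skip_empty=True mirrors the fix (never persist an empty session; clear a stale cookie instead)."""
    if skip_empty and session.is_empty():
        return "delete_cookie" if cookie_present else "noop"
    if session.modified:
        if session.key is None:
            session.key = secrets.token_hex(16)
        session.store.save(session.key, session.data)
        return "saved"
    return "noop"


def anonymous_logout_records(requests, fixed):
    """Regression check: records left in the store after `requests` anonymous
    (cookie-less) visits to a logout view whose only session action is flush()."""
    store = SessionStore()
    for _ in range(requests):
        session = Session(store)
        session.flush(create_on_flush=not fixed)
        finish_response(session, cookie_present=False, skip_empty=fixed)
    return len(store)


def logged_in_logout_leaves_no_record(fixed):
    """A real logout: returns (old record deleted?, records remaining, middleware action).
    Both versions delete the user's record; only the fixed one leaves no replacement behind."""
    store = SessionStore()
    login = Session(store)
    login["user_id"] = 42                                   # constructed sample data
    finish_response(login, cookie_present=False, skip_empty=fixed)
    key = login.key
    logout = Session(store, key)                            # same user comes back with the cookie
    logout.flush(create_on_flush=not fixed)
    action = finish_response(logout, cookie_present=True, skip_empty=fixed)
    return key not in store.records, len(store), action


if __name__ == "__main__":
    print("old flush:", anonymous_logout_records(50, fixed=False), "records after 50 anonymous logouts")
    print("fixed flush:", anonymous_logout_records(50, fixed=True), "records after 50 anonymous logouts")
    print("real logout, fixed:", logged_in_logout_leaves_no_record(fixed=True))
```

The useful property to assert in a backend's own test suite is the second one: after a logout the old key is gone and the store size has not grown, which is exactly what the release note asks third-party maintainers to verify.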
diff --git a/docs/releases/1.7.10.txt b/docs/releases/1.7.10.txt index 76457bccbd..38af4a42ce 100644 --- a/docs/releases/1.7.10.txt +++ b/docs/releases/1.7.10.txt @@ -5,3 +5,21 @@ Django 1.7.10 release notes *August 18, 2015* Django 1.7.10 fixes a security issue in 1.7.9. + +Denial-of-service possibility in ``logout()`` view by filling session store +=========================================================================== + +Previously, a session could be created when anonymously accessing the +:func:`django.contrib.auth.views.logout` view (provided it wasn't decorated +with :func:`~django.contrib.auth.decorators.login_required` as done in the +admin). This could allow an attacker to easily create many new session records +by sending repeated requests, potentially filling up the session store or +causing other users' session records to be evicted. + +The :class:`~django.contrib.sessions.middleware.SessionMiddleware` has been +modified to no longer create empty session records. + +Additionally, the ``contrib.sessions.backends.base.SessionBase.flush()`` and +``cache_db.SessionStore.flush()`` methods have been modified to avoid creating +a new empty session. Maintainers of third-party session backends should check +if the same vulnerability is present in their backend and correct it if so. |
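Review bot: the last paragraph of the new section references the two flush() methods as plain literals (``contrib.sessions.backends.base.SessionBase.flush()`` and ``cache_db.SessionStore.flush()``) while the rest of the section uses Sphinx roles (:func:, :class:); for consistency and so readers get a link, use :meth: with full dotted paths, e.g. :meth:`~django.contrib.sessions.backends.base.SessionBase.flush` and :meth:`~django.contrib.sessions.backends.cache_db.SessionStore.flush`. The closing advice to third-party backend maintainers would also be more actionable if it stated the concrete check the paragraph already implies: that their flush() must delete the record without creating a replacement session.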
