summaryrefslogtreecommitdiff
path: root/docs/releases/1.8.15.txt
diff options
context:
space:
mode:
Diffstat (limited to 'docs/releases/1.8.15.txt')
-rw-r--r--docs/releases/1.8.15.txt18
1 files changed, 18 insertions, 0 deletions
diff --git a/docs/releases/1.8.15.txt b/docs/releases/1.8.15.txt
new file mode 100644
index 0000000000..e977cffbab
--- /dev/null
+++ b/docs/releases/1.8.15.txt
@@ -0,0 +1,18 @@
+===========================
+Django 1.8.15 release notes
+===========================
+
+*September 26, 2016*
+
+Django 1.8.15 fixes a security issue in 1.8.14.
+
+CSRF protection bypass on a site with Google Analytics
+======================================================
+
+An interaction between Google Analytics and Django's cookie parsing could allow
+an attacker to set arbitrary cookies leading to a bypass of CSRF protection.
+
+The parser for ``request.COOKIES`` is simplified to better match the behavior
+of browsers and to mitigate this attack. ``request.COOKIES`` may now contain
+cookies that are invalid according to :rfc:`6265` but are possible to set via
+``document.cookie``.
generated by cgit v1.3 (git 2.53.0) at 2026-05-01 20:57:41 +0000