From 169594f5ae09782ab1909fc3a9939a23507b4901 Mon Sep 17 00:00:00 2001 From: Tim Graham Date: Wed, 11 Sep 2013 08:17:15 -0400 Subject: [PATCH] [1.5.x] Fixed #20887 -- Added a warning to GzipMiddleware in light of BREACH. Thanks EvilDMP for the report and Russell Keith-Magee for the draft text. Backport of da843e7dba from master --- docs/ref/middleware.txt | 14 ++++++++++++++ docs/topics/cache.txt | 5 ++++- 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/docs/ref/middleware.txt b/docs/ref/middleware.txt index 92b69a2fa8..92b496537f 100644 --- a/docs/ref/middleware.txt +++ b/docs/ref/middleware.txt @@ -90,6 +90,20 @@ GZip middleware .. class:: GZipMiddleware +.. warning:: + + Security researchers recently revealed that when compression techniques + (including ``GZipMiddleware``) are used on a website, the site becomes + exposed to a number of possible attacks. These approaches can be used to + compromise, amongst other things, Django's CSRF protection. Before using + ``GZipMiddleware`` on your site, you should consider very carefully whether + you are subject to these attacks. If you're in *any* doubt about whether + you're affected, you should avoid using ``GZipMiddleware``. For more + details, see the `the BREACH paper (PDF)`_ and `breachattack.com`_. + + .. _the BREACH paper (PDF): http://breachattack.com/resources/BREACH%20-%20SSL,%20gone%20in%2030%20seconds.pdf + .. _breachattack.com: http://breachattack.com + Compresses content for browsers that understand GZip compression (all modern browsers). diff --git a/docs/topics/cache.txt b/docs/topics/cache.txt index 2ec57ca6eb..1ef6dfe8ee 100644 --- a/docs/topics/cache.txt +++ b/docs/topics/cache.txt 
@@ -1147,7 +1147,10 @@ site's performance: and ``Last-Modified`` headers. * :class:`django.middleware.gzip.GZipMiddleware` compresses responses for all - modern browsers, saving bandwidth and transfer time. + modern browsers, saving bandwidth and transfer time. Be warned, however, + that compression techniques like ``GZipMiddleware`` are subject to attacks. + See the warning in :class:`~django.middleware.gzip.GZipMiddleware` for + details. Order of MIDDLEWARE_CLASSES ===========================
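Review bot: In the first hunk (docs/ref/middleware.txt) the sentence "For more details, see the `the BREACH paper (PDF)`_ and `breachattack.com`_." has a doubled article: the link target is named "the BREACH paper (PDF)", so the rendered text reads "see the the BREACH paper (PDF)". Either drop the leading "the" ("see `the BREACH paper (PDF)`_ and `breachattack.com`_.") or rename the target to "BREACH paper (PDF)" and update the ".. _the BREACH paper (PDF):" line to match. Two smaller points on the same warning: "Security researchers recently revealed" dates the text to the commit (September 2013) and will read oddly in docs that are kept for years, so prefer wording that does not depend on when it is read; and the warning tells readers to "consider very carefully whether you are subject to these attacks" without saying what makes a site subject to them, so a reader cannot act on it without reading the linked paper. One sentence naming the precondition the paper describes (a secret such as the CSRF token appearing in the same compressed response as data the attacker can influence) would let people make the decision the warning asks of them.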
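Review bot: In the second hunk (docs/topics/cache.txt) "compression techniques like ``GZipMiddleware`` are subject to attacks" is too vague to be useful on its own, and it is the only mention of the issue in this document. Since the cross-reference to the GZipMiddleware warning is the real content, name the attack here as well ("are subject to the BREACH attack; see the warning in ... for details") so that someone searching the docs for BREACH finds this page too, and so the sentence says something concrete even if they do not follow the link. The mixed reference styles on the two lines (":class:`django.middleware.gzip.GZipMiddleware`" in the existing bullet, ":class:`~django.middleware.gzip.GZipMiddleware`" in the added sentence) are fine: the tilde form gives the short name on the repeat mention, which is the usual convention in these docs.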