[1.6.x] Fixed #20887 -- Added a warning to GzipMiddleware in light of BREACH.
Thanks EvilDMP for the report and Russell Keith-Magee
for the draft text.
Backport of da843e7dba
from master
This commit is contained in:
parent
4f0ea1aca4
commit
b05639dcac
|
@ -79,6 +79,20 @@ GZip middleware
|
|||
|
||||
.. class:: GZipMiddleware
|
||||
|
||||
.. warning::
|
||||
|
||||
Security researchers recently revealed that when compression techniques
|
||||
(including ``GZipMiddleware``) are used on a website, the site becomes
|
||||
exposed to a number of possible attacks. These approaches can be used to
|
||||
compromise, amongst other things, Django's CSRF protection. Before using
|
||||
``GZipMiddleware`` on your site, you should consider very carefully whether
|
||||
you are subject to these attacks. If you're in *any* doubt about whether
|
||||
you're affected, you should avoid using ``GZipMiddleware``. For more
|
||||
details, see the `the BREACH paper (PDF)`_ and `breachattack.com`_.
|
||||
|
||||
.. _the BREACH paper (PDF): http://breachattack.com/resources/BREACH%20-%20SSL,%20gone%20in%2030%20seconds.pdf
|
||||
.. _breachattack.com: http://breachattack.com
|
||||
|
||||
Compresses content for browsers that understand GZip compression (all modern
|
||||
browsers).
|
||||
|
||||
|
|
|
@ -1173,7 +1173,10 @@ site's performance:
|
|||
and ``Last-Modified`` headers.
|
||||
|
||||
* :class:`django.middleware.gzip.GZipMiddleware` compresses responses for all
|
||||
modern browsers, saving bandwidth and transfer time.
|
||||
modern browsers, saving bandwidth and transfer time. Be warned, however,
|
||||
that compression techniques like ``GZipMiddleware`` are subject to attacks.
|
||||
See the warning in :class:`~django.middleware.gzip.GZipMiddleware` for
|
||||
details.
|
||||
|
||||
Order of MIDDLEWARE_CLASSES
|
||||
===========================
|
||||
|
|
Loading…
Reference in New Issue