2015-07-14 19:28:55 +08:00
|
|
|
===========================
|
|
|
|
|
Django 1.4.22 release notes
|
|
|
|
|
===========================
|
|
|
|
|
|
2015-08-08 06:26:40 +08:00
|
|
|
*August 18, 2015*
|
2015-07-14 19:28:55 +08:00
|
|
|
|
2015-08-08 06:26:40 +08:00
|
|
|
Django 1.4.22 fixes a security issue in 1.4.21.
|
|
|
|
|
|
|
|
|
|
It also fixes support with pip 7+ by disabling wheel support. Older versions
|
|
|
|
|
of 1.4 would silently build a broken wheel when installed with those versions
|
|
|
|
|
of pip.
|
2015-08-06 04:51:42 +08:00
|
|
|
|
|
|
|
|
Denial-of-service possibility in ``logout()`` view by filling session store
|
|
|
|
|
===========================================================================
|
|
|
|
|
|
|
|
|
|
Previously, a session could be created when anonymously accessing the
|
|
|
|
|
:func:`django.contrib.auth.views.logout` view (provided it wasn't decorated
|
|
|
|
|
with :func:`~django.contrib.auth.decorators.login_required` as done in the
|
|
|
|
|
admin). This could allow an attacker to easily create many new session records
|
|
|
|
|
by sending repeated requests, potentially filling up the session store or
|
|
|
|
|
causing other users' session records to be evicted.
|
|
|
|
|
|
|
|
|
|
The :class:`~django.contrib.sessions.middleware.SessionMiddleware` has been
|
2015-10-30 04:56:16 +08:00
|
|
|
modified to no longer create empty session records, including when
|
|
|
|
|
:setting:`SESSION_SAVE_EVERY_REQUEST` is active.
|
2015-08-06 04:51:42 +08:00
|
|
|
|
|
|
|
|
Additionally, the ``contrib.sessions.backends.base.SessionBase.flush()`` and
|
|
|
|
|
``cache_db.SessionStore.flush()`` methods have been modified to avoid creating
|
|
|
|
|
a new empty session. Maintainers of third-party session backends should check
|
|
|
|
|
if the same vulnerability is present in their backend and correct it if so.
|
