+67
-1
lines changedFilter options
@@ -36,7 +36,7 @@ def process_response(self, request, response):
36
36
else:
37
37
if accessed:
38
38
patch_vary_headers(response, ('Cookie',))
39
-
if modified or settings.SESSION_SAVE_EVERY_REQUEST:
39
+
if (modified or settings.SESSION_SAVE_EVERY_REQUEST) and not empty:
40
40
if request.session.get_expire_at_browser_close():
41
41
max_age = None
42
42
expires = None
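Review bot: The new guard `and not empty` is the whole security fix, yet it carries no comment saying why an empty session must never be persisted; add one above it, e.g. `# Never persist an empty session: an anonymous request (such as to logout()) must not create a backend record an attacker could mint at will.` The hunk shows only the `else:` branch of process_response — where `empty` is computed, and the branch that should delete an existing session cookie once the session has become empty, both lie outside it, so I can't confirm the cookie-present-but-now-empty case is handled; if it isn't, a stale session id would keep being sent to the client. process_response continues past the end of this hunk.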
@@ -9,3 +9,21 @@ Django 1.4.22 fixes a security issue in 1.4.21.
9
9
It also fixes support with pip 7+ by disabling wheel support. Older versions
10
10
of 1.4 would silently build a broken wheel when installed with those versions
11
11
of pip.
12
+
13
+
Denial-of-service possibility in ``logout()`` view by filling session store
14
+
===========================================================================
15
+
16
+
Previously, a session could be created when anonymously accessing the
17
+
:func:`django.contrib.auth.views.logout` view (provided it wasn't decorated
18
+
with :func:`~django.contrib.auth.decorators.login_required` as done in the
19
+
admin). This could allow an attacker to easily create many new session records
20
+
by sending repeated requests, potentially filling up the session store or
21
+
causing other users' session records to be evicted.
22
+
23
+
The :class:`~django.contrib.sessions.middleware.SessionMiddleware` has been
24
+
modified to no longer create empty session records.
25
+
26
+
Additionally, the ``contrib.sessions.backends.base.SessionBase.flush()`` and
27
+
``cache_db.SessionStore.flush()`` methods have been modified to avoid creating
28
+
a new empty session. Maintainers of third-party session backends should check
29
+
if the same vulnerability is present in their backend and correct it if so.
@@ -5,3 +5,21 @@ Django 1.7.10 release notes
5
5
*August 18, 2015*
6
6
7
7
Django 1.7.10 fixes a security issue in 1.7.9.
8
+
9
+
Denial-of-service possibility in ``logout()`` view by filling session store
10
+
===========================================================================
11
+
12
+
Previously, a session could be created when anonymously accessing the
13
+
:func:`django.contrib.auth.views.logout` view (provided it wasn't decorated
14
+
with :func:`~django.contrib.auth.decorators.login_required` as done in the
15
+
admin). This could allow an attacker to easily create many new session records
16
+
by sending repeated requests, potentially filling up the session store or
17
+
causing other users' session records to be evicted.
18
+
19
+
The :class:`~django.contrib.sessions.middleware.SessionMiddleware` has been
20
+
modified to no longer create empty session records.
21
+
22
+
Additionally, the ``contrib.sessions.backends.base.SessionBase.flush()`` and
23
+
``cache_db.SessionStore.flush()`` methods have been modified to avoid creating
24
+
a new empty session. Maintainers of third-party session backends should check
25
+
if the same vulnerability is present in their backend and correct it if so.
@@ -6,6 +6,19 @@ Django 1.8.4 release notes
6
6
7
7
Django 1.8.4 fixes a security issue and several bugs in 1.8.3.
8
8
9
+
Denial-of-service possibility in ``logout()`` view by filling session store
10
+
===========================================================================
11
+
12
+
Previously, a session could be created when anonymously accessing the
13
+
:func:`django.contrib.auth.views.logout` view (provided it wasn't decorated
14
+
with :func:`~django.contrib.auth.decorators.login_required` as done in the
15
+
admin). This could allow an attacker to easily create many new session records
16
+
by sending repeated requests, potentially filling up the session store or
17
+
causing other users' session records to be evicted.
18
+
19
+
The :class:`~django.contrib.sessions.middleware.SessionMiddleware` has been
20
+
modified to no longer create empty session records.
21
+
9
22
Bugfixes
10
23
========
11
24
@@ -660,6 +660,23 @@ def test_session_delete_on_end_with_custom_domain(self):
660
660
str(response.cookies[settings.SESSION_COOKIE_NAME])
661
661
)
662
662
663
+
def test_flush_empty_without_session_cookie_doesnt_set_cookie(self):
664
+
request = RequestFactory().get('/')
665
+
response = HttpResponse('Session test')
666
+
middleware = SessionMiddleware()
667
+
668
+
# Simulate a request that ends the session
669
+
middleware.process_request(request)
670
+
request.session.flush()
671
+
672
+
# Handle the response through the middleware
673
+
response = middleware.process_response(request, response)
674
+
675
+
# A cookie should not be set.
676
+
self.assertEqual(response.cookies, {})
677
+
# The session is accessed so "Vary: Cookie" should be set.
678
+
self.assertEqual(response['Vary'], 'Cookie')
679
+
663
680
664
681
# Don't need DB flushing for these tests, so can use unittest.TestCase as base class
665
682
class CookieSessionTests(SessionTestsMixin, unittest.TestCase):
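Review bot: The assertion `self.assertEqual(response.cookies, {})` only checks that no session cookie is emitted, while the vulnerability being fixed is about empty records reaching the session store; the test would still pass if the middleware skipped the cookie but the backend saved a row. Consider also asserting that nothing was persisted, e.g. `self.assertIsNone(request.session.session_key)`, after confirming that is the post-flush state for the backend under test. A second case that flushes a session whose request carried a session cookie, asserting the cookie is deleted, would pin the complementary branch unless one of the existing delete-on-end tests above already covers it.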