Halaman utama Jelajahi Bantuan
Masuk
CityApper
/
django
cermin dari https://github.com/django/django
2
0
Fork 0
Berkas Masalah 0 Wiki
Pohon: c1b6f554e4
Ranting Tag
django
/
docs
/
releases
/
1.7.10.txt

1.7.10.txt 1.2 KB
Riwayat Mentahan

1234567891011121314151617181920212223242526 
  1. ===========================
    2. 

  2. Django 1.7.10 release notes
    3. 

  3. ===========================
    4. 

  4. 

  5. *August 18, 2015*
    6. 

  6. 

  7. Django 1.7.10 fixes a security issue in 1.7.9.
    8. 

  8. 

  9. Denial-of-service possibility in ``logout()`` view by filling session store
    10. 

  10. ===========================================================================
    11. 

  11. 

  12. Previously, a session could be created when anonymously accessing the
    13. 

  13. :func:`django.contrib.auth.views.logout` view (provided it wasn't decorated
    14. 

  14. with :func:`~django.contrib.auth.decorators.login_required` as done in the
    15. 

  15. admin). This could allow an attacker to easily create many new session records
    16. 

  16. by sending repeated requests, potentially filling up the session store or
    17. 

  17. causing other users' session records to be evicted.
    18. 

  18. 

  19. The :class:`~django.contrib.sessions.middleware.SessionMiddleware` has been
    20. 

  20. modified to no longer create empty session records, including when
    21. 

  21. :setting:`SESSION_SAVE_EVERY_REQUEST` is active.
    22. 

  22. 

  23. Additionally, the ``contrib.sessions.backends.base.SessionBase.flush()`` and
    24. 

  24. ``cache_db.SessionStore.flush()`` methods have been modified to avoid creating
    25. 

  25. a new empty session. Maintainers of third-party session backends should check
    26. 

  26. if the same vulnerability is present in their backend and correct it if so.
    27.