<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang=""> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Django 1.7.10 release notes — Django 1.8.19 documentation</title> <link rel="stylesheet" href="../_static/default.css" type="text/css" /> <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../', VERSION: '1.8.19', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', HAS_SOURCE: true }; </script> <script type="text/javascript" src="../_static/jquery.js"></script> <script type="text/javascript" src="../_static/underscore.js"></script> <script type="text/javascript" src="../_static/doctools.js"></script> <link rel="index" title="Index" href="../genindex.html" /> <link rel="search" title="Search" href="../search.html" /> <link rel="top" title="Django 1.8.19 documentation" href="../contents.html" /> <link rel="up" title="Release notes" href="index.html" /> <link rel="next" title="Django 1.7.9 release notes" href="1.7.9.html" /> <link rel="prev" title="Django 1.7.11 release notes" href="1.7.11.html" /> <script type="text/javascript" src="../templatebuiltins.js"></script> <script type="text/javascript"> (function($) { if (!django_template_builtins) { // templatebuiltins.js missing, do nothing. return; } $(document).ready(function() { // Hyperlink Django template tags and filters var base = "../ref/templates/builtins.html"; if (base == "#") { // Special case for builtins.html itself base = ""; } // Tags are keywords, class '.k' $("div.highlight\\-html\\+django span.k").each(function(i, elem) { var tagname = $(elem).text(); if ($.inArray(tagname, django_template_builtins.ttags) != -1) { var fragment = tagname.replace(/_/, '-'); $(elem).html("<a href='" + base + "#" + fragment + "'>" + tagname + "</a>"); } }); // Filters are functions, class '.nf' $("div.highlight\\-html\\+django span.nf").each(function(i, elem) { var filtername = $(elem).text(); if ($.inArray(filtername, django_template_builtins.tfilters) != -1) { var fragment = filtername.replace(/_/, '-'); $(elem).html("<a href='" + base + "#" + fragment + "'>" + filtername + "</a>"); } }); }); })(jQuery); </script> </head> <body role="document"> <div class="document"> <div id="custom-doc" class="yui-t6"> <div id="hd"> <h1><a href="../index.html">Django 1.8.19 documentation</a></h1> <div id="global-nav"> <a title="Home page" href="../index.html">Home</a> | <a title="Table of contents" href="../contents.html">Table of contents</a> | <a title="Global index" href="../genindex.html">Index</a> | <a title="Module index" href="../py-modindex.html">Modules</a> </div> <div class="nav"> « <a href="1.7.11.html" title="Django 1.7.11 release notes">previous</a> | <a href="index.html" title="Release notes" accesskey="U">up</a> | <a href="1.7.9.html" title="Django 1.7.9 release notes">next</a> »</div> </div> <div id="bd"> <div id="yui-main"> <div class="yui-b"> <div class="yui-g" id="releases-1.7.10"> <div class="section" id="s-django-1-7-10-release-notes"> <span id="django-1-7-10-release-notes"></span><h1>Django 1.7.10 release notes<a class="headerlink" href="#django-1-7-10-release-notes" title="Permalink to this headline">¶</a></h1> <p><em>August 18, 2015</em></p> <p>Django 1.7.10 fixes a security issue in 1.7.9.</p> <div class="section" id="s-denial-of-service-possibility-in-logout-view-by-filling-session-store"> <span id="denial-of-service-possibility-in-logout-view-by-filling-session-store"></span><h2>Denial-of-service possibility in <code class="docutils literal"><span class="pre">logout()</span></code> view by filling session store<a class="headerlink" href="#denial-of-service-possibility-in-logout-view-by-filling-session-store" title="Permalink to this headline">¶</a></h2> <p>Previously, a session could be created when anonymously accessing the <a class="reference internal" href="../topics/auth/default.html#django.contrib.auth.views.logout" title="django.contrib.auth.views.logout"><code class="xref py py-func docutils literal"><span class="pre">django.contrib.auth.views.logout()</span></code></a> view (provided it wasn’t decorated with <a class="reference internal" href="../topics/auth/default.html#django.contrib.auth.decorators.login_required" title="django.contrib.auth.decorators.login_required"><code class="xref py py-func docutils literal"><span class="pre">login_required()</span></code></a> as done in the admin). This could allow an attacker to easily create many new session records by sending repeated requests, potentially filling up the session store or causing other users’ session records to be evicted.</p> <p>The <a class="reference internal" href="../ref/middleware.html#django.contrib.sessions.middleware.SessionMiddleware" title="django.contrib.sessions.middleware.SessionMiddleware"><code class="xref py py-class docutils literal"><span class="pre">SessionMiddleware</span></code></a> has been modified to no longer create empty session records, including when <a class="reference internal" href="../ref/settings.html#std:setting-SESSION_SAVE_EVERY_REQUEST"><code class="xref std std-setting docutils literal"><span class="pre">SESSION_SAVE_EVERY_REQUEST</span></code></a> is active.</p> <p>Additionally, the <code class="docutils literal"><span class="pre">contrib.sessions.backends.base.SessionBase.flush()</span></code> and <code class="docutils literal"><span class="pre">cache_db.SessionStore.flush()</span></code> methods have been modified to avoid creating a new empty session. Maintainers of third-party session backends should check if the same vulnerability is present in their backend and correct it if so.</p> </div> </div> </div> </div> </div> <div class="yui-b" id="sidebar"> <div class="sphinxsidebar" role="navigation" aria-label="main navigation"> <div class="sphinxsidebarwrapper"> <h3><a href="../contents.html">Table Of Contents</a></h3> <ul> <li><a class="reference internal" href="#">Django 1.7.10 release notes</a><ul> <li><a class="reference internal" href="#denial-of-service-possibility-in-logout-view-by-filling-session-store">Denial-of-service possibility in <code class="docutils literal"><span class="pre">logout()</span></code> view by filling session store</a></li> </ul> </li> </ul> <h3>Browse</h3> <ul> <li>Prev: <a href="1.7.11.html">Django 1.7.11 release notes</a></li> <li>Next: <a href="1.7.9.html">Django 1.7.9 release notes</a></li> </ul> <h3>You are here:</h3> <ul> <li> <a href="../index.html">Django 1.8.19 documentation</a> <ul><li><a href="index.html">Release notes</a> <ul><li>Django 1.7.10 release notes</li></ul> </li></ul> </li> </ul> <div role="note" aria-label="source link"> <h3>This Page</h3> <ul class="this-page-menu"> <li><a href="../_sources/releases/1.7.10.txt" rel="nofollow">Show Source</a></li> </ul> </div> <div id="searchbox" style="display: none" role="search"> <h3>Quick search</h3> <form class="search" action="../search.html" method="get"> <div><input type="text" name="q" /></div> <div><input type="submit" value="Go" /></div> <input type="hidden" name="check_keywords" value="yes" /> <input type="hidden" name="area" value="default" /> </form> </div> <script type="text/javascript">$('#searchbox').show(0);</script> </div> </div> <h3>Last update:</h3> <p class="topless">Feb 12, 2019</p> </div> </div> <div id="ft"> <div class="nav"> « <a href="1.7.11.html" title="Django 1.7.11 release notes">previous</a> | <a href="index.html" title="Release notes" accesskey="U">up</a> | <a href="1.7.9.html" title="Django 1.7.9 release notes">next</a> »</div> </div> </div> <div class="clearer"></div> </div> </body> </html>