Django 1.7.10 release notes¶
August 18, 2015
Django 1.7.10 fixes a security issue in 1.7.9.
Denial-of-service possibility in
logout() view by filling session store¶
Previously, a session could be created when anonymously accessing the
django.contrib.auth.views.logout() view (provided it wasn’t decorated
login_required() as done in the
admin). This could allow an attacker to easily create many new session records
by sending repeated requests, potentially filling up the session store or
causing other users’ session records to be evicted.
SessionMiddleware has been
modified to no longer create empty session records, including when
SESSION_SAVE_EVERY_REQUEST is active.
cache_db.SessionStore.flush() methods have been modified to avoid creating
a new empty session. Maintainers of third-party session backends should check
if the same vulnerability is present in their backend and correct it if so.