-
-
Notifications
You must be signed in to change notification settings - Fork 793
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Bumped version and release notes for 3.0.3 release. (#1599)
- Loading branch information
1 parent
5b5b2d0
commit 11e94a9
Showing
4 changed files
with
68 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,4 +1,4 @@ | ||
__version__ = "3.0.2" | ||
__version__ = "3.0.3" | ||
|
||
try: | ||
import django | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,54 @@ | ||
3.0.3 Release Notes | ||
=================== | ||
|
||
Channels 3.0.3 fixes a security issue in Channels 3.0.2 | ||
|
||
CVE-2020-35681: Potential leakage of session identifiers using legacy ``AsgiHandler`` | ||
------------------------------------------------------------------------------------- | ||
|
||
The legacy ``channels.http.AsgiHandler`` class, used for handling HTTP type | ||
requests in an ASGI environment prior to Django 3.0, did not correctly separate | ||
request scopes in Channels 3.0. In many cases this would result in a crash but, | ||
with correct timing responses could be sent to the wrong client, resulting in | ||
potential leakage of session identifiers and other sensitive data. | ||
|
||
This issue affects Channels 3.0.x before 3.0.3, and is resolved in Channels | ||
3.0.3. | ||
|
||
Users of ``ProtocolTypeRouter`` not explicitly specifying the handler for the | ||
``'http'`` key, or those explicitly using ``channels.http.AsgiHandler``, likely | ||
to support Django v2.2, are affected and should update immediately. | ||
|
||
Note that both an unspecified handler for the ``'http'`` key and using | ||
``channels.http.AsgiHandler`` are deprecated, and will raise a warning, from | ||
Channels v3.0.0 | ||
|
||
This issue affects only the legacy channels provided class, and not Django's | ||
similar ``ASGIHandler``, available from Django 3.0. It is recommended to update | ||
to Django 3.0+ and use the Django provided ``ASGIHandler``. | ||
|
||
A simplified ``asgi.py`` script will look like this: | ||
|
||
.. code-block:: python | ||
import os | ||
from django.conf.urls import url | ||
from django.core.asgi import get_asgi_application | ||
# Fetch Django ASGI application early to ensure AppRegistry is populated | ||
# before importing consumers and AuthMiddlewareStack that may import ORM | ||
# models. | ||
os.environ.setdefault("DJANGO_SETTINGS_MODULE", "mysite.settings") | ||
django_asgi_app = get_asgi_application() | ||
# Import other Channels classes and consumers here. | ||
from channels.routing import ProtocolTypeRouter, URLRouter | ||
application = ProtocolTypeRouter({ | ||
# Explicitly set 'http' key using Django's ASGI application. | ||
"http": django_asgi_app, | ||
), | ||
}) | ||
Please see :doc:`/deploying` for a more complete example. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -32,3 +32,4 @@ Release Notes | |
3.0.0 | ||
3.0.1 | ||
3.0.2 | ||
3.0.3 |