[1.8.x] Fixed CVE-2016-7401 -- Fixed CSRF protection bypass on a site with Google Analytics. This is a security fix. Backport of "refs #26158 -- rewrote http.parse_cookie() to better match browsers." 93a135d from master
Showing with 87 additions and 18 deletions.
|@@ -0,0 +1,18 @@|
|Django 1.8.15 release notes|
|*September 26, 2016*|
|Django 1.8.15 fixes a security issue in 1.8.14.|
|CSRF protection bypass on a site with Google Analytics|
|An interaction between Google Analytics and Django's cookie parsing could allow|
|an attacker to set arbitrary cookies leading to a bypass of CSRF protection.|
|The parser for ``request.COOKIES`` is simplified to better match the behavior|
|of browsers and to mitigate this attack. ``request.COOKIES`` may now contain|
|cookies that are invalid according to :rfc:`6265` but are possible to set via|
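Review bot: The behaviour change stated in the last three lines of this hunk ("``request.COOKIES`` may now contain cookies that are invalid according to :rfc:`6265`") is the part operators most need to act on, yet the note gives no concrete example of a Cookie header that is parsed differently after the fix; add one line showing such a header and the resulting ``request.COOKIES`` entry so that site owners can check whether their own middleware or analytics integration relied on the stricter parsing. It would also help to state explicitly that application code must not assume cookie names or values in ``request.COOKIES`` are RFC 6265 compliant, since the "simplified to better match the behavior of browsers" wording alone does not make that consequence obvious.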