Fixed #20887 -- Added a warning to GzipMiddleware in light of BREACH.

Thanks EvilDMP for the report and Russell Keith-Magee
for the draft text.
commit da843e7dba4ae8ed2846475564bb6ded82960827 1 parent 5eca021
Tim Graham authored September 11, 2013
14  docs/ref/middleware.txt
@@ -79,6 +79,20 @@ GZip middleware
79 79
 
80 80
 .. class:: GZipMiddleware
81 81
 
  82
+.. warning::
  83
+
  84
+    Security researchers recently revealed that when compression techniques
  85
+    (including ``GZipMiddleware``) are used on a website, the site becomes
  86
+    exposed to a number of possible attacks. These approaches can be used to
  87
+    compromise, amongst other things, Django's CSRF protection. Before using
  88
+    ``GZipMiddleware`` on your site, you should consider very carefully whether
  89
+    you are subject to these attacks. If you're in *any* doubt about whether
  90
+    you're affected, you should avoid using ``GZipMiddleware``. For more
  91
+    details, see the `the BREACH paper (PDF)`_ and `breachattack.com`_.
  92
+
  93
+    .. _the BREACH paper (PDF): http://breachattack.com/resources/BREACH%20-%20SSL,%20gone%20in%2030%20seconds.pdf
  94
+    .. _breachattack.com: http://breachattack.com
  95
+
82 96
 Compresses content for browsers that understand GZip compression (all modern
83 97
 browsers).
84 98
 
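Review bot: the cross-reference on the "For more details, see the `the BREACH paper (PDF)`_" line carries a doubled article; the hyperlink label begins with "the", so the rendered sentence reads "see the the BREACH paper (PDF)". Either drop the leading "the" from the sentence or rename the target, e.g. `.. _BREACH paper (PDF):` and "see the `BREACH paper (PDF)`_". Two smaller points on the same admonition: "Security researchers recently revealed" will go stale quickly and never names the attack in the body text, so consider "The BREACH attack (disclosed in 2013) showed that ..." so a reader skimming the warning sees the name without following a link; and the statement that the attack "can be used to compromise ... Django's CSRF protection" is the concrete risk, so it is worth saying that the issue arises when compressed responses are served over TLS and contain a secret (such as the CSRF token) alongside attacker-influenced content, which is exactly the condition a site owner needs in order to judge "whether you are subject to these attacks".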
5  docs/topics/cache.txt
@@ -1173,7 +1173,10 @@ site's performance:
1173 1173
   and ``Last-Modified`` headers.
1174 1174
 
1175 1175
 * :class:`django.middleware.gzip.GZipMiddleware` compresses responses for all
1176  
-  modern browsers, saving bandwidth and transfer time.
  1176
+  modern browsers, saving bandwidth and transfer time. Be warned, however,
  1177
+  that compression techniques like ``GZipMiddleware`` are subject to attacks.
  1178
+  See the warning in :class:`~django.middleware.gzip.GZipMiddleware` for
  1179
+  details.
1177 1180
 
1178 1181
 Order of MIDDLEWARE_CLASSES
1179 1182
 ===========================
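Review bot: "are subject to attacks" in the added sentence is too vague to be actionable on its own; the middleware warning in the other file names BREACH and the CSRF impact, so this summary should at least name the attack so the reader knows what to search for if they skip the cross-reference, e.g. "are subject to attacks such as BREACH, which can expose secrets like the CSRF token." The `:class:` cross-reference with the `~` prefix is fine and matches the existing style in this file.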