This branch is 371 commits ahead, 10320 commits behind master.
Latest commit 575f59f by timgraham: [1.4.x] Fixed DoS possibility in contrib.auth.views.logout()
Refs #20936 -- When logging out/ending a session, don't create a new, empty session.

Previously, when logging out, the existing session was overwritten by a
new sessionid instead of deleting the session altogether.

This behavior added overhead by creating a new session record in
whichever backend was in use: db, cache, etc.

This extra session is unnecessary at the time since no session data is
meant to be preserved when explicitly logging out.

Backport of 393c0e2, 0885796, and 2dee853 from master

Thanks Florian Apolloner and Carl Meyer for review.

This is a security fix.
admin [1.4.x] Fixed #23754 -- Always allowed reference to the primary key i…
admindocs Pulled admindocs translations updates from Transifex. Refs #17822.
auth
comments [1.4.X] Fixed #18856 -- Ensured that redirects can't be poisoned by m…
contenttypes [1.4.x] Added ALLOWED_HOSTS setting for HTTP host header validation.
databrowse Added basic tests for databrowse. Refs #5968.
flatpages Pulled flatpages translations updates from Transifex. Refs #17822.
formtools Pulled formtools translations updates from Transifex. Refs #17822.
gis [1.4.x] Fixed #20036 -- Improved GEOS version string parsing
humanize Pulled humanize translations updates from Transifex. Refs #17822.
localflavor Pulled localflavor translations updates from Transifex. Refs #17822.
markup [1.4.X] Fixed #18104 -- Added missing parentheses around two-lines de…
messages Pulled messages translations updates from Transifex. Refs #17822.
redirects Pulled redirects translations updates from Transifex. Refs #17822.
sessions [1.4.x] Fixed DoS possibility in contrib.auth.views.logout()
sitemaps
sites [1.4.x] Added ALLOWED_HOSTS setting for HTTP host header validation.
staticfiles [1.4.X] Set the post process cache when finished instead of one by one.
syndication Converted some of the built-in views to use content_type instead of m…
webdesign Replaced old-style with new-style decorator syntax.
__init__.py Created django.contrib and moved comments into it