[Django] #20887: Document GzipMiddleware security issues


Django

Aug 9, 2013, 5:26:25 PM
to django-...@googlegroups.com
#20887: Document GzipMiddleware security issues
-------------------------------+--------------------
Reporter: EvilDMP | Owner: nobody
Type: Uncategorized | Status: new
Component: Documentation | Version: 1.5
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------
https://docs.djangoproject.com/en/dev/ref/middleware/#django.middleware.gzip.GZipMiddleware
doesn't provide any caveats.
https://docs.djangoproject.com/en/dev/topics/cache/#other-optimizations
seems to say that GZipMiddleware is a jolly good idea.

In light of https://code.djangoproject.com/ticket/20869 and
https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/, what
should the docs have to say about using it?

If there is a security issue presented by it right now, what should be
done about the existing 1.5 (or even earlier) documentation that mentions
it?

--
Ticket URL: <https://code.djangoproject.com/ticket/20887>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Aug 12, 2013, 8:55:27 AM
to django-...@googlegroups.com
#20887: Document GzipMiddleware security issues
-------------------------------+------------------------------------
Reporter: EvilDMP | Owner: nobody
Type: Bug | Status: new
Component: Documentation | Version: 1.5
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------
Changes (by timo):

* needs_better_patch: => 0
* needs_docs: => 0
* type: Uncategorized => Bug
* needs_tests: => 0
* stage: Unreviewed => Accepted


--
Ticket URL: <https://code.djangoproject.com/ticket/20887#comment:1>

Django

Sep 11, 2013, 7:46:55 AM
to django-...@googlegroups.com
#20887: Document GzipMiddleware security issues
-------------------------------+------------------------------------
Reporter: EvilDMP | Owner: timo
Type: Bug | Status: assigned
Component: Documentation | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------
Changes (by timo):

* owner: nobody => timo
* status: new => assigned
* version: 1.5 => master


--
Ticket URL: <https://code.djangoproject.com/ticket/20887#comment:2>

Django

Sep 11, 2013, 8:18:43 AM
to django-...@googlegroups.com
#20887: Document GzipMiddleware security issues
-------------------------------+------------------------------------
Reporter: EvilDMP | Owner: timo
Type: Bug | Status: closed
Component: Documentation | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------
Changes (by Tim Graham <timograham@…>):

* status: assigned => closed
* resolution: => fixed


Comment:

In [changeset:"da843e7dba4ae8ed2846475564bb6ded82960827"]:
{{{
#!CommitTicketReference repository=""
revision="da843e7dba4ae8ed2846475564bb6ded82960827"
Fixed #20887 -- Added a warning to GzipMiddleware in light of BREACH.

Thanks EvilDMP for the report and Russell Keith-Magee
for the draft text.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/20887#comment:3>

Django

Sep 11, 2013, 8:19:14 AM
to django-...@googlegroups.com
#20887: Document GzipMiddleware security issues
-------------------------------+------------------------------------
Reporter: EvilDMP | Owner: timo
Type: Bug | Status: closed
Component: Documentation | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------

Comment (by Tim Graham <timograham@…>):

In [changeset:"cca302cde6b524992d89add9b9f293d86ac8fba0"]:
{{{
#!CommitTicketReference repository=""
revision="cca302cde6b524992d89add9b9f293d86ac8fba0"
[1.4.x] Fixed #20887 -- Added a warning to GzipMiddleware in light of
BREACH.

Thanks EvilDMP for the report and Russell Keith-Magee
for the draft text.

Backport of da843e7dba from master
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/20887#comment:4>

Django

Sep 11, 2013, 8:19:15 AM
to django-...@googlegroups.com
#20887: Document GzipMiddleware security issues
-------------------------------+------------------------------------
Reporter: EvilDMP | Owner: timo
Type: Bug | Status: closed
Component: Documentation | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------

Comment (by Tim Graham <timograham@…>):

In [changeset:"b05639dcacdd8b2c1dd6db447ce7f20caefc5f54"]:
{{{
#!CommitTicketReference repository=""
revision="b05639dcacdd8b2c1dd6db447ce7f20caefc5f54"
[1.6.x] Fixed #20887 -- Added a warning to GzipMiddleware in light of
BREACH.

Thanks EvilDMP for the report and Russell Keith-Magee
for the draft text.

Backport of da843e7dba from master
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/20887#comment:5>

Django

Sep 11, 2013, 8:19:16 AM
to django-...@googlegroups.com
#20887: Document GzipMiddleware security issues
-------------------------------+------------------------------------
Reporter: EvilDMP | Owner: timo
Type: Bug | Status: closed
Component: Documentation | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------

Comment (by Tim Graham <timograham@…>):

In [changeset:"169594f5ae09782ab1909fc3a9939a23507b4901"]:
{{{
#!CommitTicketReference repository=""
revision="169594f5ae09782ab1909fc3a9939a23507b4901"
[1.5.x] Fixed #20887 -- Added a warning to GzipMiddleware in light of
BREACH.

Thanks EvilDMP for the report and Russell Keith-Magee
for the draft text.

Backport of da843e7dba from master
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/20887#comment:6>
