Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#20887 closed Bug (fixed)

Document GzipMiddleware security issues

Reported by: Daniele Procida
Owned by: Tim Graham
Component: Documentation
Version: master
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

https://docs.djangoproject.com/en/dev/ref/middleware/#django.middleware.gzip.GZipMiddleware doesn't provide any caveats. https://docs.djangoproject.com/en/dev/topics/cache/#other-optimizations seems to say that GZipMiddleware is a jolly good idea.

In light of https://code.djangoproject.com/ticket/20869 and https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/, what should the docs have to say about using it?

If there is a security issue presented by it right now, what should be done about the existing 1.5 (or even earlier) documentation that mentions it?

Change History (6)

comment:1 Changed 3 years ago by Tim Graham

Triage Stage: Unreviewed → Accepted
Type: Uncategorized → Bug

comment:2 Changed 3 years ago by Tim Graham

Owner: changed from nobody to Tim Graham
Status: new → assigned
Version: 1.5 → master

comment:3 Changed 3 years ago by Tim Graham <timograham@…>

Resolution: fixed
Status: assigned → closed

In da843e7dba4ae8ed2846475564bb6ded82960827:

Fixed #20887 -- Added a warning to GzipMiddleware in light of BREACH.

Thanks EvilDMP for the report and Russell Keith-Magee
for the draft text.

comment:4 Changed 3 years ago by Tim Graham <timograham@…>

In cca302cde6b524992d89add9b9f293d86ac8fba0:

[1.4.x] Fixed #20887 -- Added a warning to GzipMiddleware in light of BREACH.

Thanks EvilDMP for the report and Russell Keith-Magee
for the draft text.

Backport of da843e7dba from master

comment:5 Changed 3 years ago by Tim Graham <timograham@…>

In b05639dcacdd8b2c1dd6db447ce7f20caefc5f54:

[1.6.x] Fixed #20887 -- Added a warning to GzipMiddleware in light of BREACH.

Thanks EvilDMP for the report and Russell Keith-Magee
for the draft text.

Backport of da843e7dba from master

comment:6 Changed 3 years ago by Tim Graham <timograham@…>

In 169594f5ae09782ab1909fc3a9939a23507b4901:

[1.5.x] Fixed #20887 -- Added a warning to GzipMiddleware in light of BREACH.

Thanks EvilDMP for the report and Russell Keith-Magee
for the draft text.

Backport of da843e7dba from master
