Opened 20 months ago

Closed 19 months ago

Last modified 19 months ago

#20887 closed Bug (fixed)

Document GzipMiddleware security issues

Reported by: EvilDMP
Owned by: timo
Component: Documentation
Version: master
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

https://docs.djangoproject.com/en/dev/ref/middleware/#django.middleware.gzip.GZipMiddleware doesn't provide any caveats. https://docs.djangoproject.com/en/dev/topics/cache/#other-optimizations seems to say that GZipMiddleware is a jolly good idea.

In light of https://code.djangoproject.com/ticket/20869 and https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/, what should the docs have to say about using it?

If there is a security issue presented by it right now, what should be done about the existing 1.5 (or even earlier) documentation that mentions it?

Change History (6)

comment:1 Changed 20 months ago by timo

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Accepted
  • Type changed from Uncategorized to Bug

comment:2 Changed 19 months ago by timo

  • Owner changed from nobody to timo
  • Status changed from new to assigned
  • Version changed from 1.5 to master

comment:3 Changed 19 months ago by Tim Graham <timograham@…>

  • Resolution set to fixed
  • Status changed from assigned to closed

In da843e7dba4ae8ed2846475564bb6ded82960827:

Fixed #20887 -- Added a warning to GzipMiddleware in light of BREACH.

Thanks EvilDMP for the report and Russell Keith-Magee
for the draft text.

comment:4 Changed 19 months ago by Tim Graham <timograham@…>

In cca302cde6b524992d89add9b9f293d86ac8fba0:

[1.4.x] Fixed #20887 -- Added a warning to GzipMiddleware in light of BREACH.

Thanks EvilDMP for the report and Russell Keith-Magee
for the draft text.

Backport of da843e7dba from master

comment:5 Changed 19 months ago by Tim Graham <timograham@…>

In b05639dcacdd8b2c1dd6db447ce7f20caefc5f54:

[1.6.x] Fixed #20887 -- Added a warning to GzipMiddleware in light of BREACH.

Thanks EvilDMP for the report and Russell Keith-Magee
for the draft text.

Backport of da843e7dba from master

comment:6 Changed 19 months ago by Tim Graham <timograham@…>

In 169594f5ae09782ab1909fc3a9939a23507b4901:

[1.5.x] Fixed #20887 -- Added a warning to GzipMiddleware in light of BREACH.

Thanks EvilDMP for the report and Russell Keith-Magee
for the draft text.

Backport of da843e7dba from master
