Context Navigation

← Previous Ticket
Next Ticket →

#36560 closed Cleanup/optimization (fixed)

When the Cache-Control header is set to no-store, the response is cached.

Reported by:	mengxun	Owned by:	mengxun
Component:	HTTP handling	Version:	5.2
Severity:	Normal	Keywords:	cache
Cc:		Triage Stage:	Ready for checkin
Has patch:	yes	Needs documentation:	no
Needs tests:	no	Patch needs improvement:	no
Easy pickings:	yes	UI/UX:	no

Description (last modified by mengxun)

settings.py

...
MIDDLEWARE = [
    "django.middleware.cache.UpdateCacheMiddleware", 
    "django.middleware.common.CommonMiddleware",
    "django.middleware.cache.FetchFromCacheMiddleware", 
]
...

views.py

from django.http import HttpResponse
import datetime

def cache_demo(request):
    resp = HttpResponse(f"Current content at {datetime.datetime.now()}")
    resp["Cache-Control"] = "no-store"
    return resp

Based on the example above, when the Cache-Control header is set to no-store, the response content is still cached.

Change History (11)

comment:1 by mengxun, 10 months ago

Description:	modified (diff)

comment:2 by Sarah Boyce, 10 months ago

Component:	Core (Cache system) → HTTP handling
Needs tests:	set
Triage Stage:	Unreviewed → Accepted
Type:	Bug → Cleanup/optimization

Similar to #28833, can work around by using @never_cache

comment:3 by Jagadesha NH, 10 months ago

Owner:	set to Jagadesha NH
Status:	new → assigned

I can work on these changes

comment:4 by Jagadesha NH, 10 months ago

Owner:	Jagadesha NH removed
Status:	assigned → new

Seems like, someone has already raised a PR

comment:5 by Sarah Boyce, 10 months ago

Owner:	set to mengxun
Status:	new → assigned

comment:6 by Sarah Boyce, 10 months ago

Has patch:	set

comment:7 by Sarah Boyce, 10 months ago

Needs tests:	unset
Triage Stage:	Accepted → Ready for checkin

comment:8 by Sarah Boyce <42296566+sarahboyce@…>, 10 months ago

Resolution:	→ fixed
Status:	assigned → closed

In ed7c1a56:

Fixed #36560 -- Prevented UpdateCacheMiddleware from caching responses with Cache-Control 'no-cache' or 'no-store'.

comment:9 by Natalia <124304+nessita@…>, 6 days ago

In 366d9ae:

[5.2.x] Fixed CVE-2026-8404 -- Used Cache-Control directives case-insensitively in UpdateCacheMiddleware.

Thanks Ahmed Badawe for the report, and Jacob Walls for reviews.

This commit includes:

[5.2.x] Fixed #36560 -- Prevented UpdateCacheMiddleware from caching responses with Cache-Control 'no-cache' or 'no-store'.

Backport of ed7c1a56400d64f109f30df3ce697984cdad7c75 from main.

Backport of d618d7ae4fec727d5b582bd24f803c28d17bf7cd from main.

comment:10 by Jacob Walls <jacobtylerwalls@…>, 4 hours ago

In 142b881:

Refs #36560, CVE-2026-35193 -- Replaced substring check on cache-control directives in UpdateCacheMiddleware.

Avoid false positives from hypothetical extension directives
that could be superstrings of the ones we are checking.

comment:11 by Jacob Walls <jacobtylerwalls@…>, 4 hours ago

In b615947:

[6.1.x] Refs #36560, CVE-2026-35193 -- Replaced substring check on cache-control directives in UpdateCacheMiddleware.

Avoid false positives from hypothetical extension directives
that could be superstrings of the ones we are checking.

Backport of 142b881cecaddc334cabec139e701c0e4b9798da from main.

Note: See TracTickets for help on using tickets.

Download in other formats:

Issues