#20869: Prevent repetitive output to counter BREACH-type attacks
-----------------------------+---------------------------------------------
Reporter: patrys | Owner: shaib
Type: New feature | Status: closed
Component: CSRF | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-----------------------------+---------------------------------------------
Comment (by shaib):
So far, this has not been treated as a critical bug, although it certainly
has security implications. There is also a minor backward-incompatibility
involved (for users or developers who changed the value of the CSRF
cookie). So, there are currently no plans to backport it. You can mitigate
the problem when using these versions by either turning off compression or
using 3rd-party solutions such as django-debreach.
--
Ticket URL: <https://code.djangoproject.com/ticket/20869#comment:43>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/064.eb26132b68fd483c53c85a6a6459f5c6%40djangoproject.com.
For more options, visit https://groups.google.com/d/optout.
