mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-31 09:41:08 +00:00
Code Issues 32 Releases Wiki Activity

Fixed #34170 -- Implemented Heal The Breach (HTB) in GzipMiddleware.

Browse Source
This commit is contained in:
Andreas Pelme
2022-11-20 21:46:55 +01:00
committed by Mariusz Felisiak
parent a1bcdc94da
commit ab7a85ac29
5 changed files with 106 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
docs/ref/middleware.txt
View File

@@ -93,18 +93,33 @@ GZip middleware
.. class:: GZipMiddleware
.. warning::
.. attribute:: max_random_bytes
Security researchers recently revealed that when compression techniques
(including ``GZipMiddleware``) are used on a website, the site may become
exposed to a number of possible attacks. Before using ``GZipMiddleware`` on
your site, you should consider very carefully whether you are subject to
these attacks. If you're in *any* doubt about whether you're affected, you
should avoid using ``GZipMiddleware``. For more details, see the `the BREACH
paper (PDF)`_ and `breachattack.com`_.
Defaults to 100. Subclass ``GZipMiddleware`` and override the attribute
to change the maximum number of random bytes that is included with
compressed responses.
.. _the BREACH paper (PDF): https://www.breachattack.com/resources/BREACH%20-%20SSL,%20gone%20in%2030%20seconds.pdf
.. note::
Security researchers revealed that when compression techniques (including
``GZipMiddleware``) are used on a website, the site may become exposed to a
number of possible attacks.
To mitigate attacks, Django implements a technique called *Heal The Breach
(HTB)*. It adds up to 100 bytes (see
:attr:`.max_random_bytes`) of random bytes to each response
to make the attacks less effective.
For more details, see the `BREACH paper (PDF)`_, `breachattack.com`_, and
the `Heal The Breach (HTB) paper`_.
.. _BREACH paper (PDF): https://www.breachattack.com/resources/BREACH%20-%20SSL,%20gone%20in%2030%20seconds.pdf
.. _breachattack.com: https://www.breachattack.com/
.. _Heal The Breach (HTB) paper: https://ieeexplore.ieee.org/document/9754554
.. versionchanged:: 4.2
Mitigation for the BREACH attack was added.
The ``django.middleware.gzip.GZipMiddleware`` compresses content for browsers
that understand GZip compression (all modern browsers).