mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-10-31 09:41:08 +00:00
Code Issues 32 Releases Wiki Activity

Fixed CVE-2018-6188 -- Fixed information leakage in AuthenticationForm.

Browse Source 
Reverted 359370a8b8 (refs #28645).

This is a security fix.
This commit is contained in:
Tim Graham
2018-01-23 13:20:18 -05:00
parent 552abffab1
commit af33fb250e
5 changed files with 67 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
docs/releases/1.11.10.txt
View File

@@ -2,9 +2,28 @@
Django 1.11.10 release notes
============================
*Expected February 1, 2018*
*February 1, 2018*
Django 1.11.10 fixes several bugs in 1.11.9.
Django 1.11.10 fixes a security issue and several bugs in 1.11.9.
CVE-2018-6188: Information leakage in ``AuthenticationForm``
============================================================
A regression in Django 1.11.8 made
:class:`~django.contrib.auth.forms.AuthenticationForm` run its
``confirm_login_allowed()`` method even if an incorrect password is entered.
This can leak information about a user, depending on what messages
``confirm_login_allowed()`` raises. If ``confirm_login_allowed()`` isn't
overridden, an attacker enter an arbitrary username and see if that user has
been set to ``is_active=False``. If ``confirm_login_allowed()`` is overridden,
more sensitive details could be leaked.
This issue is fixed with the caveat that ``AuthenticationForm`` can no longer
raise the "This account is inactive." error if the authentication backend
rejects inactive users (the default authentication backend, ``ModelBackend``,
has done that since Django 1.10). This issue will be revisited for Django 2.1
as a fix to address the caveat will likely be too invasive for inclusion in
older versions.
Bugfixes
========

23
docs/releases/2.0.2.txt
View File

@@ -2,9 +2,28 @@
Django 2.0.2 release notes
==========================
*Expected February 1, 2018*
*February 1, 2018*
Django 2.0.2 fixes several bugs in 2.0.1.
Django 2.0.2 fixes a security issue and several bugs in 2.0.1.
CVE-2018-6188: Information leakage in ``AuthenticationForm``
============================================================
A regression in Django 1.11.8 made
:class:`~django.contrib.auth.forms.AuthenticationForm` run its
``confirm_login_allowed()`` method even if an incorrect password is entered.
This can leak information about a user, depending on what messages
``confirm_login_allowed()`` raises. If ``confirm_login_allowed()`` isn't
overridden, an attacker enter an arbitrary username and see if that user has
been set to ``is_active=False``. If ``confirm_login_allowed()`` is overridden,
more sensitive details could be leaked.
This issue is fixed with the caveat that ``AuthenticationForm`` can no longer
raise the "This account is inactive." error if the authentication backend
rejects inactive users (the default authentication backend, ``ModelBackend``,
has done that since Django 1.10). This issue will be revisited for Django 2.1
as a fix to address the caveat will likely be too invasive for inclusion in
older versions.
Bugfixes
========