docs/ref/middleware.txt +14 −0 Original line number Diff line number Diff line Loading @@ -90,6 +90,20 @@ GZip middleware .. class:: GZipMiddleware .. warning:: Security researchers recently revealed that when compression techniques (including ``GZipMiddleware``) are used on a website, the site becomes exposed to a number of possible attacks. These approaches can be used to compromise, amongst other things, Django's CSRF protection. Before using ``GZipMiddleware`` on your site, you should consider very carefully whether you are subject to these attacks. If you're in *any* doubt about whether you're affected, you should avoid using ``GZipMiddleware``. For more details, see the `the BREACH paper (PDF)`_ and `breachattack.com`_. .. _the BREACH paper (PDF): http://breachattack.com/resources/BREACH%20-%20SSL,%20gone%20in%2030%20seconds.pdf .. _breachattack.com: http://breachattack.com Compresses content for browsers that understand GZip compression (all modern browsers). Loading
docs/topics/cache.txt +4 −1 Original line number Diff line number Diff line Loading @@ -1164,7 +1164,10 @@ site's performance: and ``Last-Modified`` headers. * :class:`django.middleware.gzip.GZipMiddleware` compresses responses for all modern browsers, saving bandwidth and transfer time. modern browsers, saving bandwidth and transfer time. Be warned, however, that compression techniques like ``GZipMiddleware`` are subject to attacks. See the warning in :class:`~django.middleware.gzip.GZipMiddleware` for details. Order of MIDDLEWARE_CLASSES =========================== Loading
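Review bot: In the docs/ref/middleware.txt hunk, the warning tells readers to "consider very carefully whether you are subject to these attacks" but gives them no criteria for deciding, so the only guidance that can actually be followed is "avoid using ``GZipMiddleware``". Consider adding one or two sentences that summarise, from the linked paper, the conditions under which a site is exposed, so the decision can be made without reading the PDF. Two smaller points in the same block: "see the `the BREACH paper (PDF)`_" renders with a doubled "the", so drop the word before the link; and "recently revealed" will go stale in reference documentation, so a year or a plain "have shown" would age better.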
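Review bot: In the docs/topics/cache.txt hunk, "are subject to attacks" is too vague for a bullet in a list that otherwise recommends this middleware for performance; a reader skimming the list cannot tell what is at risk. Suggest naming the consequence the middleware warning already states (compromise of, amongst other things, Django's CSRF protection) in this sentence. Also, with the ``~`` prefix the cross-reference renders as just "GZipMiddleware", so "See the warning in GZipMiddleware" reads oddly; "See the warning in the :class:`~django.middleware.gzip.GZipMiddleware` documentation" would be clearer.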