#27352 closed Cleanup/optimization (fixed)
Warn about social media fingerprinting when using redirect_authenticated_user
Reported by: | Markus Holtermann | Owned by: | Markus Holtermann |
---|---|---|---|
Component: | Documentation | Version: | 1.10 |
Severity: | Normal | Keywords: | |
Cc: | | Triage Stage: | Ready for checkin |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Public disclosure after talking with security team.
Django 1.10 introduced redirect_authenticated_user to the login views. A report I came across the other day (https://robinlinus.github.io/socialmedia-leak/) points out how redirects on GET for authenticated users can potentially be used to gain the login state of a user for a site.
I believe we should warn users about that issue. Reverting 10781b4c6ff981f581157957d221e7621e0bf4ed (#12233) doesn't seem necessary to me. It is a useful feature if you know you don't serve image files from those domains.
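As an added illustration, not code from this ticket or from Django itself, here is a constructed, simplified model of the login view's GET behaviour that makes the condition in the description checkable: the login state becomes observable only when the flag is on and the validated redirect target is a path that serves an image. The host set, default redirect URL and function names are assumptions.

```python
from urllib.parse import urlsplit

# Assumed site configuration (constructed for this example).
ALLOWED_HOSTS = {"example.com"}
LOGIN_REDIRECT_URL = "/accounts/profile/"


def is_safe_next(next_url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Model of the login view's validation of ?next=: only relative URLs
    or URLs on an allowed host are followed; anything else is ignored."""
    parts = urlsplit(next_url)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    return not parts.netloc or parts.netloc in allowed_hosts


def login_get(authenticated: bool, redirect_authenticated_user: bool,
              next_url: str = "") -> tuple[int, str]:
    """Return (status, location) for a GET of the login URL.

    Anonymous users always receive the form (200). With the flag on, an
    authenticated user is redirected (302) to a validated ?next= target,
    or to LOGIN_REDIRECT_URL when ?next= is absent or rejected.
    """
    if authenticated and redirect_authenticated_user:
        target = next_url if next_url and is_safe_next(next_url) else LOGIN_REDIRECT_URL
        return 302, target
    return 200, ""


def observable_by_image_load(redirect_authenticated_user: bool, next_url: str,
                             image_paths: set[str]) -> bool:
    """Does the login URL resolve to an image for an authenticated user but
    not for an anonymous one?  That difference is what the linked report
    relies on, so False here means the warning does not apply to this
    configuration (flag off, or no image files served on the domain)."""
    def resolves_to_image(authenticated: bool) -> bool:
        status, location = login_get(authenticated, redirect_authenticated_user, next_url)
        return status == 302 and location in image_paths

    return resolves_to_image(True) != resolves_to_image(False)
```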
Change History (4)
comment:1 by , 8 years ago
Has patch: | set |
---|---|
Needs documentation: | unset |
comment:2 by , 8 years ago
Triage Stage: | Unreviewed → Ready for checkin |
---|---|
PR: https://github.com/django/django/pull/7403