Denial-of-service possibility in logout() view by filling session store

Previously, a session could be created when anonymously accessing the django.contrib.auth.views.logout view (provided it wasn't decorated with django.contrib.auth.decorators.login_required, as done in the admin). This could allow an attacker to easily create many new session records by sending repeated requests, potentially filling up the session store or causing other users' session records to be evicted.

The django.contrib.sessions.middleware.SessionMiddleware has been modified to no longer create empty session records. This portion of the fix has been assigned CVE-2015-5963.

Additionally, on the 1.4 and 1.7 series only, the contrib.sessions.backends.base.SessionBase.flush() and cache_db.SessionStore.flush() methods have been modified to avoid creating a new empty session. Maintainers of third-party session backends should check if the same vulnerability is present in their backend and correct it if so. This portion of the fix has been assigned CVE-2015-5964. Anyone reporting a similar vulnerability in a third-party session backend should not use this CVE ID.

Thanks to Lin Hua Cheng for reporting the issue.
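The check a third-party backend maintainer would want, as an added example that is not Django's own code: a constructed dict-backed session store whose flush() is shown in the record-creating form described above and in the form that only deletes, plus a helper that counts how many records remain after repeated anonymous logout requests. The class name SessionStore and its methods are assumptions for this model, not Django's API.

```python
import secrets


class SessionStore:
    """Constructed, dict-backed session store for illustration only."""

    def __init__(self, backend):
        self._backend = backend          # shared dict: session_key -> data
        self.session_key = None
        self._data = {}

    def create(self):
        # Allocate a key and persist a record immediately, even when empty.
        self.session_key = secrets.token_hex(16)
        self._backend[self.session_key] = dict(self._data)

    def delete(self):
        if self.session_key is not None:
            self._backend.pop(self.session_key, None)

    def flush_vulnerable(self):
        # Behaviour CVE-2015-5964 describes: every flush() writes a brand-new
        # empty record, so a logout view reached anonymously grows the store.
        self.delete()
        self._data = {}
        self.create()

    def flush_fixed(self):
        # Fixed behaviour: drop the record and forget the key. A record is only
        # written later, once the session actually holds data.
        self.delete()
        self._data = {}
        self.session_key = None


def records_after_anonymous_logouts(flush_name, n=100):
    """Simulate n requests without a session cookie hitting a logout view
    that calls flush(); return the number of records left in the store."""
    backend = {}
    for _ in range(n):
        session = SessionStore(backend)   # no cookie -> fresh, empty session
        getattr(session, flush_name)()
    return len(backend)
```

A backend whose count grows with n is affected; the fixed form leaves the store empty.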