- ru
- Language: en
- Documentation version: 3
3.0.3 Release Notes¶
Channels 3.0.3 fixes a security issue in Channels 3.0.2
CVE-2020-35681: Potential leakage of session identifiers using legacy AsgiHandler
¶
The legacy channels.http.AsgiHandler
class, used for handling HTTP type
requests in an ASGI environment prior to Django 3.0, did not correctly separate
request scopes in Channels 3.0. In many cases this would result in a crash but,
with correct timing responses could be sent to the wrong client, resulting in
potential leakage of session identifiers and other sensitive data.
This issue affects Channels 3.0.x before 3.0.3, and is resolved in Channels 3.0.3.
Users of ProtocolTypeRouter
not explicitly specifying the handler for the
'http'
key, or those explicitly using channels.http.AsgiHandler
, likely
to support Django v2.2, are affected and should update immediately.
Note that both an unspecified handler for the 'http'
key and using
channels.http.AsgiHandler
are deprecated, and will raise a warning, from
Channels v3.0.0
This issue affects only the legacy channels provided class, and not Django’s
similar ASGIHandler
, available from Django 3.0. It is recommended to update
to Django 3.0+ and use the Django provided ASGIHandler
.
A simplified asgi.py
script will look like this:
import os
from django.conf.urls import url
from django.core.asgi import get_asgi_application
# Fetch Django ASGI application early to ensure AppRegistry is populated
# before importing consumers and AuthMiddlewareStack that may import ORM
# models.
os.environ.setdefault("DJANGO_SETTINGS_MODULE", "mysite.settings")
django_asgi_app = get_asgi_application()
# Import other Channels classes and consumers here.
from channels.routing import ProtocolTypeRouter, URLRouter
application = ProtocolTypeRouter({
# Explicitly set 'http' key using Django's ASGI application.
"http": django_asgi_app,
),
})
Please see Deploying for a more complete example.