Werkzeug 0.3.1 released (Security Fix)
Today we have to push Werkzeug 0.3.1. Versions 0.3 and below had a possible cryptographic weakness in the secure cookie that would allow attackers to inject additional information into the cookie. 0.3.1 fixes that and can be downloaded from the cheeseshop.
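The post does not describe the weakness in detail, so the following is an added example, not Werkzeug's code and not a reconstruction of the 0.3.1 fix. It shows the properties a signed cookie needs so that nothing can be spliced into the signed payload: one canonical byte representation of the data, a MAC over the entire encoded payload, and a constant-time tag check that runs before the payload is ever parsed. `SECRET_KEY`, the helper names and the demo values are constructed for this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment loads a random secret from configuration.
SECRET_KEY = b"example-secret-key-not-for-production"


def _b64encode(raw: bytes) -> str:
    # URL-safe base64 without padding; the alphabet contains no "." so the
    # "payload.tag" split below is unambiguous.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def sign_cookie(data: dict, key: bytes = SECRET_KEY) -> str:
    """Serialize `data` canonically and append an HMAC-SHA256 tag.

    Canonical JSON (sorted keys, fixed separators) gives a payload exactly one
    byte representation, so extra fields cannot be appended or interleaved
    without changing the bytes the tag covers.
    """
    payload = json.dumps(data, sort_keys=True, separators=(",", ":")).encode("utf-8")
    encoded = _b64encode(payload)
    tag = hmac.new(key, encoded.encode("ascii"), hashlib.sha256).digest()
    return f"{encoded}.{_b64encode(tag)}"


def load_cookie(cookie: str, key: bytes = SECRET_KEY):
    """Return the decoded dict, or None if the cookie is malformed or tampered.

    The tag is verified with a constant-time comparison before the payload is
    decoded, so untrusted bytes are never interpreted unless they were signed.
    """
    if cookie.count(".") != 1:
        return None
    encoded, tag_text = cookie.split(".", 1)
    try:
        received_tag = _b64decode(tag_text)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    expected_tag = hmac.new(key, encoded.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(received_tag, expected_tag):
        return None
    try:
        data = json.loads(_b64decode(encoded))
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        return None
    return data if isinstance(data, dict) else None


def tamper_demo() -> dict:
    """Exercise the verifier against a valid cookie and three invalid ones."""
    cookie = sign_cookie({"user_id": 42})
    results = {"valid": load_cookie(cookie) == {"user_id": 42}}
    # Constructed tampering attempt: a payload with an extra field, reusing the old tag.
    _encoded, tag = cookie.split(".")
    forged = _b64encode(
        json.dumps({"admin": True, "user_id": 42}, sort_keys=True, separators=(",", ":")).encode("utf-8")
    )
    results["extended_rejected"] = load_cookie(f"{forged}.{tag}") is None
    results["wrong_key_rejected"] = load_cookie(cookie, key=b"some-other-key") is None
    results["garbage_rejected"] = load_cookie("not-a-cookie") is None
    return results


if __name__ == "__main__":
    print(tamper_demo())
```

Rotating `SECRET_KEY` has the same effect the post describes for the 0.3.1 upgrade: every existing cookie fails the tag check and the application starts a fresh session on the next request.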
werkzeug.contrib.securecookie is still an undocumented module but is used widely. There is a small API change that removed SecureCookie.new_salt. Also keep in mind that this fix automatically invalidates all existing cookies; they will be reinitialized with new values on the first request a user makes, which usually means that the user is logged out automatically.
We’re sorry for the inconvenience caused.