2015-05-20 20:17:59 +02:00
|
|
|
|
==========================
|
|
|
|
|
Django 1.8.3 release notes
|
|
|
|
|
==========================
|
|
|
|
|
|
2015-06-16 00:29:46 +02:00
|
|
|
|
*July 8, 2015*
|
2015-05-20 20:17:59 +02:00
|
|
|
|
|
2015-06-16 00:29:46 +02:00
|
|
|
|
Django 1.8.3 fixes several security issues and bugs in 1.8.2.
|
2015-05-20 20:17:59 +02:00
|
|
|
|
|
2015-06-22 19:54:35 +02:00
|
|
|
|
Also, ``django.utils.deprecation.RemovedInDjango20Warning`` was renamed to
|
|
|
|
|
``RemovedInDjango110Warning`` as the version roadmap was revised to 1.9, 1.10,
|
|
|
|
|
1.11 (LTS), 2.0 (drops Python 2 support). For backwards compatibility,
|
|
|
|
|
``RemovedInDjango20Warning`` remains as an importable alias.
|
|
|
|
|
|
2015-06-10 23:45:20 +02:00
|
|
|
|
Denial-of-service possibility by filling session store
|
|
|
|
|
======================================================
|
|
|
|
|
|
|
|
|
|
In previous versions of Django, the session backends created a new empty record
|
|
|
|
|
in the session storage anytime ``request.session`` was accessed and there was a
|
|
|
|
|
session key provided in the request cookies that didn't already have a session
|
|
|
|
|
record. This could allow an attacker to easily create many new session records
|
|
|
|
|
simply by sending repeated requests with unknown session keys, potentially
|
|
|
|
|
filling up the session store or causing other users' session records to be
|
|
|
|
|
evicted.
|
|
|
|
|
|
|
|
|
|
The built-in session backends now create a session record only if the session
|
|
|
|
|
is actually modified; empty session records are not created. Thus this
|
|
|
|
|
potential DoS is now only possible if the site chooses to expose a
|
|
|
|
|
session-modifying view to anonymous users.
|
|
|
|
|
|
|
|
|
|
As each built-in session backend was fixed separately (rather than a fix in the
|
|
|
|
|
core sessions framework), maintainers of third-party session backends should
|
|
|
|
|
check whether the same vulnerability is present in their backend and correct
|
|
|
|
|
it if so.
|
|
|
|
|
|
2015-06-12 19:49:31 +02:00
|
|
|
|
Header injection possibility since validators accept newlines in input
|
|
|
|
|
======================================================================
|
|
|
|
|
|
|
|
|
|
Some of Django's built-in validators
|
|
|
|
|
(:class:`~django.core.validators.EmailValidator`, most seriously) didn't
|
|
|
|
|
prohibit newline characters (due to the usage of ``$`` instead of ``\Z`` in the
|
|
|
|
|
regular expressions). If you use values with newlines in HTTP response or email
|
|
|
|
|
headers, you can suffer from header injection attacks. Django itself isn't
|
|
|
|
|
vulnerable because :class:`~django.http.HttpResponse` and the mail sending
|
|
|
|
|
utilities in :mod:`django.core.mail` prohibit newlines in HTTP and SMTP
|
|
|
|
|
headers, respectively. While the validators have been fixed in Django, if
|
|
|
|
|
you're creating HTTP responses or email messages in other ways, it's a good
|
|
|
|
|
idea to ensure that those methods prohibit newlines as well. You might also
|
|
|
|
|
want to validate that any existing data in your application doesn't contain
|
|
|
|
|
unexpected newlines.
|
|
|
|
|
|
|
|
|
|
:func:`~django.core.validators.validate_ipv4_address`,
|
|
|
|
|
:func:`~django.core.validators.validate_slug`, and
|
|
|
|
|
:class:`~django.core.validators.URLValidator` are also affected, however, as
|
|
|
|
|
of Django 1.6 the ``GenericIPAddresseField``, ``IPAddressField``, ``SlugField``,
|
|
|
|
|
and ``URLField`` form fields which use these validators all strip the input, so
|
|
|
|
|
the possibility of newlines entering your data only exists if you are using
|
|
|
|
|
these validators outside of the form fields.
|
|
|
|
|
|
|
|
|
|
The undocumented, internally unused ``validate_integer()`` function is now
|
|
|
|
|
stricter as it validates using a regular expression instead of simply casting
|
|
|
|
|
the value using ``int()`` and checking if an exception was raised.
|
|
|
|
|
|
2015-06-30 00:09:21 +02:00
|
|
|
|
Denial-of-service possibility in URL validation
|
|
|
|
|
===============================================
|
|
|
|
|
|
|
|
|
|
:class:`~django.core.validators.URLValidator` included a regular expression
|
|
|
|
|
that was extremely slow to evaluate against certain invalid inputs. This regular
|
|
|
|
|
expression has been simplified and optimized.
|
|
|
|
|
|
2015-05-20 20:17:59 +02:00
|
|
|
|
Bugfixes
|
|
|
|
|
========
|
|
|
|
|
|
2015-05-22 15:54:31 +02:00
|
|
|
|
* Fixed ``BaseRangeField.prepare_value()`` to use each ``base_field``’s
|
|
|
|
|
``prepare_value()`` method (:ticket:`24841`).
|
2015-05-24 21:17:39 +02:00
|
|
|
|
|
|
|
|
|
* Fixed crash during :djadmin:`makemigrations` if a migrations module either
|
|
|
|
|
is missing ``__init__.py`` or is a file (:ticket:`24848`).
|
2015-05-24 19:05:56 +02:00
|
|
|
|
|
2015-05-26 03:03:41 +02:00
|
|
|
|
* Fixed ``QuerySet.exists()`` returning incorrect results after annotation with
|
2015-05-24 19:05:56 +02:00
|
|
|
|
``Count()`` (:ticket:`24835`).
|
2015-05-26 03:03:41 +02:00
|
|
|
|
|
|
|
|
|
* Corrected ``HStoreField.has_changed()`` (:ticket:`24844`).
|
2015-05-26 22:46:13 +02:00
|
|
|
|
|
|
|
|
|
* Reverted an optimization to the CSRF template context processor which caused
|
|
|
|
|
a regression (:ticket:`24836`).
|
2015-05-26 21:38:01 +02:00
|
|
|
|
|
|
|
|
|
* Fixed a regression which caused template context processors to overwrite
|
|
|
|
|
variables set on a ``RequestContext`` after it's created (:ticket:`24847`).
|
2015-05-27 00:18:21 +02:00
|
|
|
|
|
|
|
|
|
* Prevented the loss of ``null``/``not null`` column properties during field
|
|
|
|
|
renaming of MySQL databases (:ticket:`24817`).
|
2015-05-27 17:43:22 +02:00
|
|
|
|
|
|
|
|
|
* Fixed a crash when using a reverse one-to-one relation in
|
|
|
|
|
``ModelAdmin.list_display`` (:ticket:`24851`).
|
2015-06-01 23:06:54 +02:00
|
|
|
|
|
|
|
|
|
* Fixed quoting of SQL when renaming a field to ``AutoField`` in PostgreSQL
|
|
|
|
|
(:ticket:`24892`).
|
2015-06-02 01:27:28 +02:00
|
|
|
|
|
|
|
|
|
* Fixed lack of unique constraint when changing a field from
|
|
|
|
|
``primary_key=True`` to ``unique=True`` (:ticket:`24893`).
|
2015-05-29 13:45:36 +02:00
|
|
|
|
|
|
|
|
|
* Fixed queryset pickling when using ``prefetch_related()`` after deleting
|
|
|
|
|
objects (:ticket:`24831`).
|
2015-06-02 11:08:41 +02:00
|
|
|
|
|
|
|
|
|
* Allowed using ``choices`` longer than 1 day with ``DurationField``
|
|
|
|
|
(:ticket:`24897`).
|
2015-06-02 01:22:10 +02:00
|
|
|
|
|
|
|
|
|
* Fixed a crash when loading squashed migrations from two apps with a
|
|
|
|
|
dependency between them, where the dependent app's replaced migrations are
|
|
|
|
|
partially applied (:ticket:`24895`).
|
2015-06-02 22:23:07 +02:00
|
|
|
|
|
|
|
|
|
* Fixed recording of applied status for squashed (replacement) migrations
|
|
|
|
|
(:ticket:`24628`).
|
2015-06-05 12:10:51 +02:00
|
|
|
|
|
|
|
|
|
* Fixed queryset annotations when using ``Case`` expressions with ``exclude()``
|
|
|
|
|
(:ticket:`24833`).
|
2015-06-05 16:48:57 +02:00
|
|
|
|
|
|
|
|
|
* Corrected join promotion for multiple ``Case`` expressions. Annotating a
|
|
|
|
|
query with multiple ``Case`` expressions could unexpectedly filter out
|
|
|
|
|
results (:ticket:`24924`).
|
2015-06-04 16:51:07 +02:00
|
|
|
|
|
|
|
|
|
* Fixed usage of transforms in subqueries (:ticket:`24744`).
|
2015-06-09 23:57:21 +02:00
|
|
|
|
|
|
|
|
|
* Fixed ``SimpleTestCase.assertRaisesMessage()`` on Python 2.7.10
|
|
|
|
|
(:ticket:`24903`).
|
2015-06-04 19:03:28 +02:00
|
|
|
|
|
|
|
|
|
* Provided better backwards compatibility for the ``verbosity`` argument in
|
|
|
|
|
``optparse`` management commands by casting it to an integer
|
|
|
|
|
(:ticket:`24769`).
|
2015-06-05 13:40:51 +02:00
|
|
|
|
|
|
|
|
|
* Fixed ``prefetch_related()`` on databases other than PostgreSQL for models
|
|
|
|
|
using UUID primary keys (:ticket:`24912`).
|
2015-06-12 08:22:08 +02:00
|
|
|
|
|
|
|
|
|
* Fixed removing ``unique_together`` constraints on MySQL (:ticket:`24972`).
|
2015-06-16 17:24:59 +02:00
|
|
|
|
|
|
|
|
|
* Fixed crash when uploading images with MIME types that Pillow doesn't detect,
|
|
|
|
|
such as bitmap, in ``forms.ImageField`` (:ticket:`24948`).
|
2015-06-18 21:57:08 +02:00
|
|
|
|
|
|
|
|
|
* Fixed a regression when deleting a model through the admin that has a
|
|
|
|
|
``GenericRelation`` with a ``related_query_name`` (:ticket:`24940`).
|
2015-06-23 08:08:12 +02:00
|
|
|
|
|
|
|
|
|
* Reallowed non-ASCII values for ``ForeignKey.related_name`` on Python 3 by
|
|
|
|
|
fixing the false positive system check (:ticket:`25016`).
|
2015-06-05 22:04:24 +02:00
|
|
|
|
|
|
|
|
|
* Fixed inline forms that use a parent object that has a ``UUIDField`` primary
|
|
|
|
|
key and a child object that has an ``AutoField`` primary key
|
|
|
|
|
(:ticket:`24958`).
|
2015-06-25 12:46:11 +02:00
|
|
|
|
|
|
|
|
|
* Fixed a regression in the ``unordered_list`` template filter on certain
|
|
|
|
|
inputs (:ticket:`25031`).
|
2015-07-03 18:35:55 +02:00
|
|
|
|
|
|
|
|
|
* Fixed a regression in ``URLValidator`` that invalidated Punycode TLDs
|
|
|
|
|
(:ticket:`25059`).
|
2015-05-29 17:32:57 +02:00
|
|
|
|
|
|
|
|
|
* Improved `pyinotify` ``runserver`` polling (:ticket:`23882`).
|