django/docs/releases/1.8.10.txt

===========================
Django 1.8.10 release notes
===========================

*March 1, 2015*

Django 1.8.10 fixes two security issues and several bugs in 1.8.9.

CVE-2016-2512: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth
===============================================================================================================

Django relies on user input in some cases (e.g.
:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`)
to redirect the user to an "on success" URL. The security check for these
redirects (namely ``django.utils.http.is_safe_url()``) considered some URLs
with basic authentication credentials "safe" when they shouldn't be.

For example, a URL like ``http://mysite.example.com\@attacker.com`` would be
considered safe if the request's host is ``http://mysite.example.com``, but
redirecting to this URL sends the user to ``attacker.com``.

Also, if a developer relies on ``is_safe_url()`` to provide safe redirect
targets and puts such a URL into a link, they could suffer from an XSS attack.

Bugfixes
========

* Fixed a crash on PostgreSQL that prevented using ``TIME_ZONE=None`` and
  ``USE_TZ=False`` (:ticket:`26177`).

* Added system checks for query name clashes of hidden relationships
  (:ticket:`26162`).

* Made ``forms.FileField`` and ``utils.translation.lazy_number()`` picklable
  (:ticket:`26212`).

* Fixed :class:`~django.contrib.postgres.fields.RangeField` and
  :class:`~django.contrib.postgres.fields.ArrayField` serialization with
  ``None`` values (:ticket:`26215`).

* Reallowed dashes in top-level domain names of URLs checked by
  ``URLValidator`` to fix a regression in Django 1.8 (:ticket:`26204`).

* Fixed ``BoundField`` to reallow slices of subwidgets (:ticket:`26267`).

* Prevented ``ContentTypeManager`` instances from sharing their cache
  (:ticket:`26286`).