mirror of
https://github.com/django/django.git
synced 2024-11-30 15:10:46 +01:00
51 lines
2.0 KiB
Plaintext
51 lines
2.0 KiB
Plaintext
==========================
|
|
Django 1.8.4 release notes
|
|
==========================
|
|
|
|
*August 18, 2015*
|
|
|
|
Django 1.8.4 fixes a security issue and several bugs in 1.8.3.
|
|
|
|
Denial-of-service possibility in ``logout()`` view by filling session store
|
|
===========================================================================
|
|
|
|
Previously, a session could be created when anonymously accessing the
|
|
:func:`django.contrib.auth.views.logout` view (provided it wasn't decorated
|
|
with :func:`~django.contrib.auth.decorators.login_required` as done in the
|
|
admin). This could allow an attacker to easily create many new session records
|
|
by sending repeated requests, potentially filling up the session store or
|
|
causing other users' session records to be evicted.
|
|
|
|
The :class:`~django.contrib.sessions.middleware.SessionMiddleware` has been
|
|
modified to no longer create empty session records, including when
|
|
:setting:`SESSION_SAVE_EVERY_REQUEST` is active.
|
|
|
|
Bugfixes
|
|
========
|
|
|
|
* Added the ability to serialize values from the newly added
|
|
:class:`~django.db.models.UUIDField` (:ticket:`25019`).
|
|
|
|
* Added a system check warning if the old ``TEMPLATE_*`` settings are defined
|
|
in addition to the new ``TEMPLATES`` setting.
|
|
|
|
* Fixed ``QuerySet.raw()`` so ``InvalidQuery`` is not raised when using the
|
|
``db_column`` name of a ``ForeignKey`` field with ``primary_key=True``
|
|
(:ticket:`12768`).
|
|
|
|
* Prevented an exception in ``TestCase.setUpTestData()`` from leaking the
|
|
transaction (:ticket:`25176`).
|
|
|
|
* Fixed ``has_changed()`` method in ``contrib.postgres.forms.HStoreField``
|
|
(:ticket:`25215`, :ticket:`25233`).
|
|
|
|
* Fixed the recording of squashed migrations when running the ``migrate``
|
|
command (:ticket:`25231`).
|
|
|
|
* Moved the :ref:`unsaved model instance assignment data loss check
|
|
<unsaved-model-instance-check-18>` to ``Model.save()`` to allow easier usage
|
|
of in-memory models (:ticket:`25160`).
|
|
|
|
* Prevented ``varchar_patterns_ops`` and ``text_patterns_ops`` indexes for
|
|
``ArrayField`` (:ticket:`25180`).
|