mirror of https://github.com/wagtail/wagtail.git synced 2024-11-29 17:36:49 +01:00
wagtail/docs/releases/2.2.rst
acrewdson 882f8f3cf8 Strip Unicode NULL chars when normalizing paths
After migrating a Wagtail-based site from MySQL to Postgres, we
noticed that malicious requests to the site that included percent-
encoded Unicode NULLs (`%00`) raised a `ValueError` exception that we
hadn't seen when using MySQL: `A string literal cannot contain NUL
(0x00) characters.` This appears to relate to `psycopg2`'s decision to
raise an exception in these situations, as discussed here:

    https://github.com/psycopg/psycopg2/issues/420

While newer versions of Django appear to provide some field validation
that addresses these characters, it doesn't look like Wagtail's
redirect middleware is making use of those validators, and so it seemed
reasonable to clean these characters in the context of 'normalizing'
the paths before looking for corresponding redirects -- especially
since a quick investigation on the internet suggests that U+0000 in
URLs can be used as a means of attack, and also since RFC 3986 says:

   Note, however, that the "%00" percent-encoding (NUL) may require
   special handling and should be rejected if the application is not
   expecting to receive raw data within a component.
2018-06-27 11:19:36 -04:00


==========================================
Wagtail 2.2 release notes - IN DEVELOPMENT
==========================================

.. contents::
    :local:
    :depth: 1

What's new
==========

Other features
~~~~~~~~~~~~~~

* Added another valid AudioBoom oEmbed pattern (Bertrand Bordage)
* Added ``annotate_score`` support to PostgreSQL search backend (Bertrand Bordage)
* Pillow's image optimisation is now applied when saving PNG images (Dmitry Vasilev)
* JS / CSS media files can now be associated with Draftail feature definitions (Matt Westcott)
* The ``{% slugurl %}`` template tag is now site-aware (Samir Shah)
* Added ``file_size`` field to documents (Karl Hobley)
* Added ``file_hash`` field to images (Karl Hobley)
* Updated documentation (configuring Django for Wagtail) to contain all current settings options (Matt Westcott, LB (Ben Johnston))
* Added ``defer`` flag to ``PageQuerySet.specific`` (Karl Hobley)
* Snippets can now be deleted from the listing view (LB (Ben Johnston))
* Increased max length of redirect URL field to 255 (Michael Harrison)
* Added documentation for new JS/CSS media files association with Draftail feature definitions (Ed Henderson)
* Added accessible colour contrast guidelines to the style guide (Catherine Farman)
* Added faceted search using the ``.facet()`` method (Karl Hobley)
* Admin modal views no longer rely on JavaScript ``eval()``, for better CSP compliance (Matt Westcott)


Bug fixes
~~~~~~~~~

* Handle all exceptions from ``Image.get_file_size`` (Andrew Plummer)
* Fix display of breadcrumbs in ModelAdmin (LB (Ben Johnston))
* Remove duplicate border radius of avatars (Benjamin Thurm)
* Fix ``Site.get_site_root_paths()`` preferring other sites over the default when some sites share the same ``root_page`` (Andy Babic)
* Pages with missing model definitions no longer crash the API (Abdulmalik Abdulwahab)
* Strip null characters from paths when checking for redirects (Andrew Crewdson)
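An added illustration of the null-character fix above, not Wagtail's own ``Redirect.normalise_path``: the normaliser below percent-decodes the requested path once and drops U+0000 before the value is used as a lookup key, and ``safe_for_text_column`` spells out the condition psycopg2 enforces on string literals. The leading-slash, trailing-slash and query-sorting rules are assumptions chosen for the example.

```python
"""Illustrative path normaliser for a redirect lookup (added example).

Not Wagtail's own implementation: the leading-slash, trailing-slash and
sorted-query rules are assumptions that make the NUL handling visible.
"""
from urllib.parse import parse_qsl, unquote, urlencode, urlsplit

NUL = "\x00"


def strip_nul(value: str) -> str:
    """Drop U+0000. Percent-decoding turns ``%00`` into a raw NUL, which a
    text column cannot store; psycopg2 raises ValueError on such literals."""
    return value.replace(NUL, "")


def safe_for_text_column(value: str) -> bool:
    """The condition psycopg2 enforces on string literals."""
    return NUL not in value


def normalise_path(url: str) -> str:
    """Reduce a requested URL to the key used to look up a redirect."""
    parts = urlsplit(url.strip())
    # Decode exactly once: a double-encoded "%2500" stays the literal "%00".
    path = strip_nul(unquote(parts.path))
    if not path.startswith("/"):
        path = "/" + path
    if len(path) > 1:
        path = path.rstrip("/")
    # parse_qsl percent-decodes keys and values itself, so strip NUL afterwards.
    query = sorted(
        (strip_nul(k), strip_nul(v))
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
    )
    if query:
        path += "?" + urlencode(query)
    return path


if __name__ == "__main__":
    # Constructed sample requests, including the %00 case from the bug report.
    for requested in ["/about%00", "/news/?b=2&a=%00", "/a\x00b/"]:
        print(repr(requested), "->", repr(normalise_path(requested)))
```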

Upgrade considerations
======================

JavaScript templates in modal workflows are deprecated
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The ``wagtail.admin.modal_workflow`` module (used internally by Wagtail to handle modal popup interfaces such as the page chooser) has been updated to avoid returning JavaScript code as part of HTTP responses. User code that relies on this functionality can be updated as follows:

* Eliminate template tags from the .js template. Any dynamic data needed by the template can instead be passed in a dict to ``render_modal_workflow``, as a keyword argument ``json_data``; this data will then be available as the second parameter of the JavaScript function.
* At the point where you call the ``ModalWorkflow`` constructor, add an ``onload`` option - a dictionary of functions to be called on loading each step of the workflow. Move the code from the .js template into this dictionary. Then, on the call to ``render_modal_workflow``, rather than passing the .js template name (which should now be replaced by ``None``), pass a ``step`` item in the ``json_data`` dictionary to indicate the ``onload`` function to be called.

Additionally, if your code calls ``loadResponseText`` as part of a jQuery AJAX callback, this should now be passed all three arguments from the callback (the response data, status string and XMLHttpRequest object).