Commit graph

81 commits

Author SHA1 Message Date
adam
ff9e5cc4a8 Changes 1.8.8:
Fixed incorrect unique_together field name generation by inspectdb.
Corrected __len query lookup on ArrayField for empty arrays.
Restored the ability to use custom formats from formats.py with django.utils.formats.get_format() and the date template filter.
Fixed a state bug when migrating a SeparateDatabaseAndState operation backwards.
Fixed missing varchar/text_pattern_ops index on CharField and TextField respectively when using AlterField on PostgreSQL.
Fixed a state bug when using an AlterModelManagers operation.
Fixed a regression which prevented using a language not in Django’s default language list (LANGUAGES).
django.views.decorators.cache.never_cache() now sends more persuasive headers (added no-cache, no-store, must-revalidate to Cache-Control) to better prevent caching. This fixes a problem where a page refresh in Firefox cleared the selected entries in the admin’s filter_horizontal and filter_vertical widgets, which could result in inadvertent data loss if a user didn’t notice that and then submitted the form.
Fixed a regression in the admin which ignored line breaks in read-only fields instead of converting them to <br>.
Made loaddata skip disabling and enabling database constraints when it doesn’t load any fixtures.
Fixed a crash in QuerySet.values()/values_list() after an annotate() and order_by() when values()/values_list() includes a field not in the order_by().
2016-01-03 10:56:29 +00:00
adam
a9112cfbb1 Changes 1.8.7:
* Fixed settings leak possibility in date template filter
* Bug fixes
2015-11-26 06:38:59 +00:00
adam
49308a6e44 Django 1.8.6 adds official support for Python 3.5 and fixes several bugs in 1.8.5:
Fixed a regression causing ModelChoiceField to ignore prefetch_related() on its queryset.
Allowed “mode=memory” in SQLite test database name if supported.
Fixed system check crash on ForeignKey to abstract model.
Fixed incorrect queries when you have multiple ManyToManyFields on different models that have the same field name, point to the same model, and have their reverse relations disabled.
Allowed filtering over a RawSQL annotation.
Made the Concat database function idempotent on SQLite.
Avoided a confusing stack trace when starting runserver with an invalid INSTALLED_APPS setting.
Made deferred models use their proxied model’s _meta.apps for caching and retrieval. This prevents any models generated in data migrations using QuerySet.defer() from leaking to test and application code.
Fixed a typo in the name of the strictly_above PostGIS lookup.
Fixed crash with contrib.postgres.forms.SplitArrayField and IntegerField on invalid value.
Added a helpful error message when Django and South migrations exist in the same directory.
Fixed a regression in URLValidator that allowed URLs with consecutive dots in the domain section (like http://example..com/) to pass.
Fixed a crash with GenericRelation and BaseModelAdmin.to_field_allowed.
2015-11-06 08:38:29 +00:00
agc
b9b754e081 Add SHA512 digests for distfiles for www category
Problems found locating distfiles:
	Package haskell-cgi: missing distfile haskell-cgi-20001206.tar.gz
	Package nginx: missing distfile array-var-nginx-module-0.04.tar.gz
	Package nginx: missing distfile encrypted-session-nginx-module-0.04.tar.gz
	Package nginx: missing distfile headers-more-nginx-module-0.261.tar.gz
	Package nginx: missing distfile nginx_http_push_module-0.692.tar.gz
	Package nginx: missing distfile set-misc-nginx-module-0.29.tar.gz
	Package nginx-devel: missing distfile echo-nginx-module-0.58.tar.gz
	Package nginx-devel: missing distfile form-input-nginx-module-0.11.tar.gz
	Package nginx-devel: missing distfile lua-nginx-module-0.9.16.tar.gz
	Package nginx-devel: missing distfile nginx_http_push_module-0.692.tar.gz
	Package nginx-devel: missing distfile set-misc-nginx-module-0.29.tar.gz
	Package php-owncloud: missing distfile owncloud-8.2.0.tar.bz2

Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden).  All existing
SHA1 digests retained for now as an audit trail.
2015-11-04 02:46:46 +00:00
adam
7146b30cf8 Changes 1.8.5:
Made the development server’s autoreload more robust.
Fixed AssertionError in some delete queries with a model containing a field that is both a foreign and primary key.
Fixed AssertionError in some complex queries.
Fixed a migrations crash with GenericForeignKey.
Made translation.override() clear the overridden language when a translation isn’t initially active.
Fixed crash when using a value in ModelAdmin.list_display that clashed with a reverse field on the model.
Fixed autocompletion for options of non-argparse management commands.
Alphabetized ordering of imports in from django.db import migrations, models statement in newly created migrations.
Fixed migrations crash on MySQL when adding a text or a blob field with an unhashable default.
Changed Count queries to execute COUNT(*) instead of COUNT('*') as versions of Django before 1.8 did. This may fix a performance regression on some databases.
Fixed custom queryset chaining with values() and values_list().
Moved the unsaved model instance assignment data loss check on reverse relations to Model.save().
Readded inline foreign keys to form instances when validating model formsets.
Allowed using ORM write methods after disabling autocommit with set_autocommit(False).
Fixed the manage.py test --keepdb option on Oracle.
Fixed incorrect queries with multiple many-to-many fields on a model with the same ‘to’ model and with related_name set to ‘+’.
Fixed pickling a SimpleLazyObject wrapping a mode
2015-10-08 07:58:17 +00:00
adam
bded60b705 Changes 1.8.4:
* Denial-of-service possibility in logout() view by filling session store.
* Bugfixes:
- Added the ability to serialize values from the newly added UUIDField.
- Added a system check warning if the old TEMPLATE_* settings are defined in addition to the new TEMPLATES setting.
- Fixed QuerySet.raw() so InvalidQuery is not raised when using the db_column name of a ForeignKey field with primary_key=True.
- Prevented an exception in TestCase.setUpTestData() from leaking the transaction.
- Fixed has_changed() method in contrib.postgres.forms.HStoreField.
- Fixed the recording of squashed migrations when running the migrate command.
- Moved the unsaved model instance assignment data loss check to Model.save() to allow easier usage of in-memory models.
- Prevented varchar_patterns_ops and text_patterns_ops indexes for ArrayField.
2015-08-24 10:45:22 +00:00
adam
9ab9cc94a3 Changes 1.8.3:
* Denial-of-service possibility by filling session store
* Header injection possibility since validators accept newlines in input
* Denial-of-service possibility in URL validation
* Bugfixes
2015-07-17 15:50:53 +00:00
rodent
a7b568d574 Removing python26. EOL'd quite some time ago and discussed a couple of times on
tech-pkg@ and pkgsrc-users@.
2015-04-13 23:12:40 +00:00
adam
fb06d4eeab Changes 1.7.7:
* Fix for Denial-of-service possibility with strip_tags()
* Mitigated possible XSS attack via user-supplied redirect URLs
2015-03-19 09:53:45 +00:00
adam
4d81527a4f Changes 1.7.6:
These releases address a security issue in the Django admin.
* Issue: XSS attack via properties in ModelAdmin.readonly_fields
* Advisory: HTML escaping when calling template filters from Python code
2015-03-09 19:01:39 +00:00
adam
413e0924a2 Changes 1.7.5:
Bugfixes:
* Reverted a fix that prevented a migration crash when unapplying contrib.contenttypes’s or contrib.auth’s first migration (24075) due to severe impact on the test performance (24251) and problems in multi-database setups (24298).
* Fixed a regression that prevented custom fields inheriting from ManyToManyField from being recognized in migrations (24236).
* Fixed crash in contrib.sites migrations when a default database isn’t used (24332).
* Added the ability to set the isolation level on PostgreSQL with psycopg2 ≥ 2.4.2 (24318). It was advertised as a new feature in Django 1.6 but it didn’t work in practice.
* Formats for the Azerbaijani locale (az) have been added.
2015-02-26 06:27:06 +00:00
adam
56da9acc62 Changes 1.7.4:
* Fixed a migration crash when unapplying contrib.contenttypes’s or contrib.auth’s first migration.
* Made the migration’s RenameModel operation rename ManyToManyField tables.
* Fixed a migration crash on MySQL when migrating from a OneToOneField to a ForeignKey.
* Prevented the static.serve view from producing ResourceWarnings in certain circumstances.
* Fixed schema check for ManyToManyField to look for internal type instead of checking class instance, so you can write custom m2m-like fields with the same behaviour.
2015-01-28 06:41:30 +00:00
adam
26bdcbf8a1 Fixed security issues:
* WSGI header spoofing via underscore/dash conflation
* Mitigated possible XSS attack via user-supplied redirect URLs
* Denial-of-service attack against django.views.static.serve
* Database denial-of-service with ModelMultipleChoiceField
2015-01-14 17:07:12 +00:00
joerg
eb0bfe9839 Python 2.6 is no longer supported. 2015-01-06 23:07:32 +00:00
adam
ee7a854559 Django 1.7.2 fixes several bugs in 1.7.1.
Additionally, Django’s vendored version of six, django.utils.six, has been upgraded to the latest release (1.9.0).
2015-01-03 15:47:21 +00:00
adam
ff2ee76db2 Changes 1.6.8:
This release fixes a couple regressions in the 1.6.6 security release.
Bugfixes
Allowed related many-to-many fields to be referenced in the admin
Allowed inline and hidden references to admin fields
2014-11-23 14:05:13 +00:00
adam
f5199db7f0 Changes 1.6.6:
Security fixes:
* Issue: reverse() can generate URLs pointing to other hosts (CVE-2014-0480)
* Issue: file upload denial of service (CVE-2014-0481)
* Issue: RemoteUserMiddleware session hijacking (CVE-2014-0482)
* Issue: data leakage via querystring manipulation in admin (CVE-2014-0483)
2014-08-23 11:13:01 +00:00
adam
abab6203c4 Changes 1.6.5:
These releases address a caching issue which might lead to cache poisoning and an incorrect validation of safe redirect targets. Since these issues will affect the majority of users we strongly encourage everyone to upgrade.
2014-05-20 11:06:26 +00:00
wiz
c1b44346cd Mark packages that are not ready for python-3.3 also not ready for 3.4,
until proven otherwise.
2014-05-09 07:36:53 +00:00
adam
1d55793516 Changes 1.6.4:
Shortly after last week's security releases were issued, we received reports of a potential regression in using reverse() with views created by functools.partial. We were able to confirm the bug, and test and commit a fix for it.
2014-05-03 18:19:30 +00:00
adam
02732a50b0 Changes 1.6.3:
These releases address an unexpected code-execution issue, a caching issue which can expose CSRF tokens and a MySQL typecasting issue. While these issues present limited risk and may not affect all Django users, we encourage all users to evaluate their own risk and upgrade as soon as possible.
2014-04-22 18:05:22 +00:00
adam
461d5ee333 Changes 1.6.2:
Prevented the base geometry object of a prepared geometry to be garbage collected, which could lead to crash Django.
Fixed a crash when executing the changepassword command when the user object representation contained non-ASCII characters.
The collectstatic command will raise an error rather than default to using the current working directory if STATIC_ROOT is not set. Combined with the --clear option, the previous behavior could wipe anything below the current working directory.
Fixed mail encoding on Python 3.3.3+.
Fixed an issue where when settings.DATABASES['default']['AUTOCOMMIT'] = False, the connection wasn’t in autocommit mode but Django pretended it was.
Fixed a regression in multiple-table inheritance exclude() queries.
Added missing items to django.utils.timezone.__all__.
Fixed a field misalignment issue with select_related() and model inheritance.
Fixed join promotion for negated AND conditions.
Oracle database introspection now works with boolean and float fields.
Fixed an issue where lazy objects weren’t actually marked as safe when passed through mark_safe() and could end up being double-escaped.
2014-02-09 08:09:04 +00:00
wiz
c1a506e6f1 Judging from the documentation, this prefers py-sqlite3 nowadays,
which has the advantage of being available for python-3.x.
(default-off option, so no PKGREVISION++)
2014-01-30 18:20:19 +00:00
wiz
aa67e11089 Mark packages as not ready for python-3.x where applicable;
either because they themselves are not ready or because a
dependency isn't. This is annotated by
PYTHON_VERSIONS_INCOMPATIBLE=  33 # not yet ported as of x.y.z
or
PYTHON_VERSIONS_INCOMPATIBLE=  33 # py-foo, py-bar
respectively, please use the same style for other packages,
and check during updates.

Use versioned_dependencies.mk where applicable.
Use REPLACE_PYTHON instead of handcoded alternatives, where applicable.
Reorder Makefile sections into standard order, where applicable.

Remove PYTHON_VERSIONS_INCLUDE_3X lines since that will be default
with the next commit.

Whitespace cleanups and other nits corrected, where necessary.
2014-01-25 10:29:56 +00:00
wiz
16297b6893 Use versioned_dependencies.mk for flup. 2014-01-18 19:07:57 +00:00
adam
938546ad2f Changes 1.6.1:
Bug fixes
Fixed BCryptSHA256PasswordHasher with py-bcrypt and Python 3.
Fixed a regression that prevented a ForeignKey with a hidden reverse manager (related_name ending with ‘+’) from being used as a lookup for prefetch_related.
Fixed Queryset.datetimes raising AttributeError in some situations.
Fixed ModelBackend raising UnboundLocalError if get_user_model() raised an error.
Fixed a regression that prevented editable GenericRelation subclasses from working in ModelForms.
Added missing to_python method for ModelMultipleChoiceField which is required in Django 1.6 to properly detect changes from initial values.
Fixed django.contrib.humanize translations where the unicode sequence for the non-breaking space was returned verbatim.
Fixed loaddata error when fixture file name contained any dots not related to file extensions or when fixture path was relative but located in a subdirectory.
Fixed display of inline instances in formsets when parent has 0 for primary key.
Fixed a regression where custom querysets for foreign keys were overwritten if ModelAdmin had ordering set.
Removed mention of a feature in the --locale/-l option of the makemessages and compilemessages commands that never worked as promised: Support of multiple locale names separated by commas. It’s still possible to specify multiple locales in one run by using the option multiple times.
Fixed a regression that unnecessarily triggered settings configuration when importing get_wsgi_application.
Fixed test client logout() method when using the cookie-based session backend.
Fixed a crash when a GeometryField uses a non-geometric widget.
Fixed password hash upgrade when changing the iteration count.
Fixed a bug in the debug view when the URLconf only contains one element.
Re-added missing search result count and reset link in changelist admin view.
The current language is no longer saved to the session by LocaleMiddleware on every response, but rather only after a logout.
Fixed a crash when executing runserver on non-English systems and when the formatted date in its output contained non-ASCII characters.
Fixed a crash in the debug view after an exception occurred on Python ≥ 3.3.
Fixed a crash in ImageField on some platforms (Homebrew and RHEL6 reported).
Fixed a regression when using generic relations in ModelAdmin.list_filter.
2013-12-31 12:02:53 +00:00
adam
c3bb2ce821 Changes 1.6:
Simplified default project and app templates
Improved transaction management
Persistent database connections
Discovery of tests in any test module
Time zone aware aggregation
Support for savepoints in SQLite
BinaryField model field
GeoDjango form widgets
check management command added for verifying compatibility
Model.save() algorithm changed
Minor features
2013-11-12 19:12:12 +00:00
adam
0d4df48804 Changes 1.5.5:
Django 1.5.5 fixes a couple security-related bugs and several other bugs in the 1.5 series.

Readdressed denial-of-service via password hashers
Django 1.5.4 imposes a 4096-byte limit on passwords in order to mitigate a denial-of-service attack through submission of bogus but extremely large passwords. In Django 1.5.5, we’ve reverted this change and instead improved the speed of our PBKDF2 algorithm by not rehashing the key on every iteration.

Properly rotate CSRF token on login
This behaviour introduced as a security hardening measure in Django 1.5.2 did not work properly and is now fixed.

Bugfixes
Fixed a data corruption bug with datetime_safe.datetime.combine.
Fixed a Python 3 incompatibility in django.utils.text.unescape_entities().
Fixed a couple data corruption issues with QuerySet edge cases under Oracle and MySQL.
Fixed crashes when using combinations of annotate(), select_related(), and only().
2013-10-28 20:12:40 +00:00
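As an added illustration of the 1.5.5 change described above (this is not Django's own code), here is PBKDF2-HMAC-SHA256 written two ways: a naive variant that rebuilds the HMAC from the password on every iteration, and the improved variant that prepares the keyed HMAC state once and copies it, so a bogus multi-kilobyte password is hashed into the key only once. Both are checked against the standard library's hashlib.pbkdf2_hmac; the sample password and salt are constructed for the demo.

```python
import hashlib
import hmac
import struct


def _derive(prf, salt: bytes, iterations: int, dklen: int, hlen: int) -> bytes:
    """Generic PBKDF2 (RFC 2898) over a PRF callable; shared by both variants."""
    out = bytearray()
    block = 1
    while len(out) < dklen:
        u = prf(salt + struct.pack(">I", block))
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = prf(u)
            t ^= int.from_bytes(u, "big")  # T_i = U_1 xor U_2 xor ... xor U_c
        out += t.to_bytes(hlen, "big")
        block += 1
    return bytes(out[:dklen])


def pbkdf2_sha256_naive(password: bytes, salt: bytes, iterations: int, dklen: int = 32) -> bytes:
    """Rebuilds the HMAC from the password on every PRF call.

    A password longer than SHA-256's 64-byte block is first hashed down to a
    32-byte key by HMAC, so a very large password is re-hashed on every
    iteration: this is the per-iteration cost the 1.5.4 length limit was
    introduced to bound."""
    def prf(msg: bytes) -> bytes:
        return hmac.new(password, msg, hashlib.sha256).digest()
    return _derive(prf, salt, iterations, dklen, 32)


def pbkdf2_sha256_fast(password: bytes, salt: bytes, iterations: int, dklen: int = 32) -> bytes:
    """Prepares the keyed HMAC state once and copies it for each PRF call.

    The password is processed into the HMAC key exactly once, so the cost of
    each iteration no longer depends on how long the password is."""
    keyed = hmac.new(password, None, hashlib.sha256)

    def prf(msg: bytes) -> bytes:
        h = keyed.copy()   # fresh copy of the already-keyed state
        h.update(msg)
        return h.digest()
    return _derive(prf, salt, iterations, dklen, 32)


def matches_stdlib(password: bytes, salt: bytes, iterations: int, dklen: int = 32) -> bool:
    """Both variants must agree with hashlib's PBKDF2 for the same parameters."""
    expected = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen)
    return (pbkdf2_sha256_fast(password, salt, iterations, dklen) == expected
            and pbkdf2_sha256_naive(password, salt, iterations, dklen) == expected)


if __name__ == "__main__":
    # Constructed sample input: a 4 KiB password, the size class the 1.5.4 limit targeted.
    print(matches_stdlib(b"p" * 4096, b"constructed-salt", 1000))
```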
adam
4950261099 Changes 1.5.4:
These releases address a denial-of-service attack against Django's authentication framework. All users of Django are encouraged to upgrade immediately.
2013-09-17 19:54:49 +00:00
adam
66240d337a Changes 1.5.3:
These releases address a directory-traversal vulnerability in one of Django's built-in template tags. While this issue requires some fairly specific factors to be exploitable, we encourage all users of Django to upgrade promptly.
2013-09-11 16:50:38 +00:00
adam
d5ae06ed9c Changes 1.5.2:
These releases address two cross-site scripting (XSS) vulnerabilities: one in a widget used by Django's admin interface, and one in a utility function used to validate redirects often used after login or logout.

While these issues are of limited impact and may not affect all Django users, we encourage all users to upgrade as soon as possible.
2013-08-13 17:48:24 +00:00
adam
b1c341bdfe Changes 1.5.1:
The biggest fix is for a memory leak introduced in Django 1.5. Under certain circumstances, repeated iteration over querysets could leak memory - sometimes quite a bit of it. If you'd like more information, the details are in our ticket tracker (and in a related issue in Python itself).

If you've noticed memory problems under Django 1.5, upgrading to 1.5.1 should fix those issues.

Django 1.5.1 also includes a couple smaller fixes:
* Module-level warnings emitted during tests are no longer silently hidden.
* Prevented filtering on password hashes in the user admin.
2013-04-01 20:52:44 +00:00
adam
62408e64ce Changes 1.5:
Django 1.5 introduces support for a configurable User model. The basic Django User model is still around, of course, but now there's first-class support for specifying your own model and having Django's auth system make use of it.

Django 1.5 is the first Django release with support for Python 3 (specifically, Python 3.2 and newer). Python 3 support is still considered experimental -- largely because it hasn't received as much real-world testing as we'd like -- but a Python 3 porting guide is available if you'd like to give it a try, and we will be considering Python 3 compatibility bugs to be blockers for future releases.

Of course, if you're still comfortable with Python 2, Django continues to offer support for that just as we always have -- though note that the minimum version for Django 1.5 is Python 2.6.5, and Python 2.7.3 or newer is strongly recommended.

Django's documentation has also gotten some pretty significant work; the main documentation page has had a bit of a facelift to make things easier to find, the existing tutorial got some refurbishing, and several new tutorials -- including some more advanced topics, like writing an app you can reuse in multiple projects -- have been added. And the documentation for class-based views has been significantly expanded, which should make this feature a lot easier to understand and take advantage of.
2013-03-12 20:47:59 +00:00
adam
f72637626a Changes 1.4.5:
Security-fix release. Here's a brief summary of each issue and its resolution:

Issue: Host header poisoning: an attacker could cause Django to generate and display URLs that link to arbitrary domains. This could be used as part of a phishing attack. These releases fix this problem by introducing a new setting, ALLOWED_HOSTS, which specifies a whitelist of domains your site is known to respond to.

Important: by default Django 1.3.6 and 1.4.4 set ALLOWED_HOSTS to allow all hosts. This means that to actually fix the security vulnerability you should define this setting yourself immediately after upgrading.

Issue: Formset denial-of-service: an attacker can abuse Django's tracking of the number of forms in a formset to cause a denial-of-service attack. This has been fixed by adding a default maximum number of forms of 1,000. You can still manually specify a bigger max_num, if you wish, but 1,000 should be enough for anyone.

Issue: XML attacks: Django's serialization framework was vulnerable to attacks via XML entity expansion and external references; this is now fixed. However, if you're parsing arbitrary XML in other parts of your application, we recommend you look into the defusedxml Python packages which remedy this anywhere you parse XML, not just via Django's serialization framework.

Issue: Data leakage via admin history log: Django's admin interface could expose supposedly-hidden information via its history log. This has been fixed.
2013-02-23 17:00:19 +00:00
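To make the ALLOWED_HOSTS point above concrete, here is an added, stand-alone host check (not Django's implementation, and simplified relative to it): it strips the port, accepts a leading-dot pattern for a domain and its subdomains, treats "*" as allow-all, and flags a setting left in the allow-all state the note warns about. The host list is a constructed example.

```python
import re

# Constructed settings for the demonstration, not Django's defaults.
ALLOWED_HOSTS_EXAMPLE = ["example.com", ".api.example.com", "localhost"]

# Domain part of a Host header: a bracketed IPv6 literal or a plain hostname.
_DOMAIN_RE = re.compile(r"^(\[[0-9a-f:.]+\]|[a-z0-9.-]+)$")


def split_host_port(host: str):
    """Return (domain, port) for a Host header value, or (None, None) if malformed."""
    host = host.strip().lower()
    if host.startswith("["):                       # IPv6 literal such as [::1]:8000
        end = host.find("]")
        if end == -1:
            return None, None
        rest = host[end + 1:]
        if rest == "":
            return host, ""
        if rest.startswith(":"):
            return host[:end + 1], rest[1:]
        return None, None
    if host.count(":") > 1:                        # unbracketed IPv6 is not a valid Host
        return None, None
    if ":" in host:
        domain, port = host.split(":")
        return domain, port
    return host, ""


def host_allowed(host: str, allowed_hosts) -> bool:
    """True if the Host header names a domain the site is known to serve."""
    domain, port = split_host_port(host)
    if domain is None or not _DOMAIN_RE.match(domain):
        return False
    if port and not port.isdigit():
        return False
    domain = domain.rstrip(".")                    # "example.com." is the same name
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*":
            return True
        if pattern.startswith("."):                # ".api.example.com" covers the domain and subdomains
            if domain == pattern[1:] or domain.endswith(pattern):
                return True
        elif domain == pattern:
            return True
    return False


def allowed_hosts_is_unsafe(allowed_hosts) -> bool:
    """True when the setting accepts any Host header, i.e. the allow-all state
    that leaves Host header poisoning unmitigated. An empty list here rejects every host."""
    return any(p == "*" for p in allowed_hosts)


if __name__ == "__main__":
    for h in ["example.com", "v1.api.example.com", "example.com.attacker.test"]:
        print(h, host_allowed(h, ALLOWED_HOSTS_EXAMPLE))
    print("allow-all:", allowed_hosts_is_unsafe(["*"]))
```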
adam
df33275014 Changes 1.4.3:
Security fixes:
* Host header poisoning
* Redirect poisoning
2012-12-13 08:03:20 +00:00
asau
5eae6a18a3 Drop superfluous PKG_DESTDIR_SUPPORT, "user-destdir" is default these days. 2012-10-28 06:30:00 +00:00
adam
de268fc328 Changes 1.4.2:
Fixed security issues:
* Host header poisoning
* Documentation of HttpOnly cookie option
2012-10-18 12:04:17 +00:00
adam
7e1844f958 Changes 1.4.1:
* Bug fixes.
2012-08-06 15:33:07 +00:00
adam
066b6f0dc6 PLIST fix for pgsql 2012-04-18 19:23:54 +00:00
adam
23353f5f1e Changes 1.4:
* Support for time zones
* Support for in-browser testing frameworks
* Updated default project layout and manage.py
* Custom project and app templates
* Improved WSGI support
* Improved password hashing
* HTML5 doctype
* List filters in admin interface
* Multiple sort in admin interface
* New ModelAdmin methods
More...
2012-04-17 17:57:38 +00:00
wiz
c595076396 All supported python versions in pkgsrc support eggs, so remove
${PLIST.eggfile} from PLISTs and support code from lang/python.
2012-04-08 20:21:41 +00:00
obache
e889103cd8 distutils pkg, register egg-info.
Bump PKGREVISION.
2012-01-26 11:34:28 +00:00
adam
16f4d1a55a Changes 1.3.1:
Fixed security issues:
* Session manipulation
* Denial of service attack via URLField
* URLField redirection
* Host header cache poisoning
* Advisory: Host header and CSRF
* Advisory: Cross-subdomain CSRF attacks
* Advisory: DEBUG pages and sensitive POST data
2011-09-12 08:17:07 +00:00
adam
71ddac1dd8 Changes 1.3:
Django 1.3’s focus has mostly been on resolving smaller, long-standing feature
requests, but that hasn’t prevented a few fairly significant new features from
landing, including:
* A framework for writing class-based views.
* Built-in support for using Python’s logging facilities.
* Contrib support for easy handling of static files.
* Django’s testing framework now supports (and ships with a copy of) the
  unittest2 library.
2011-03-23 10:38:48 +00:00
adam
076e85e179 Changes 1.2.5:
Fixed:
* Flaw in CSRF handling
* Potential XSS in file field rendering
* Directory-traversal vulnerability on Windows
2011-02-10 10:03:59 +00:00
joerg
214352df61 Revert backup junk. 2010-12-28 19:13:06 +00:00
joerg
46293e147b Update to Django 1.2.4:
- Fix a bug in the admin interface that could leak information to
  users with staff privileges bypassing lookup arguments in the query
  string.
- Fix a bug for running the test suite in a multi-db setup
- Deprecated django.contrib.gis.tests.run_gis_tests()
2010-12-28 13:54:52 +00:00
adam
b0e64f50eb Fix small typo 2010-09-16 11:12:18 +00:00
joerg
c2a7723530 Update to django 1.2.3 to fix problems of the 1.2.2 security fix:
- Properly deal with non-ASCII responses in the CSRF code
- Restore compatibility with certain forms like the user-editing form in
  admin

Reduce maintenance overhead in pkgsrc by providing PLIST print magic.
2010-09-13 16:51:05 +00:00
adam
336f645765 Changes 1.2.2:
As of the 1.2 release, the core Django framework includes a system, enabled by
default, for detecting and preventing cross-site request forgery (CSRF) attacks
against Django-powered applications. Previous Django releases provided
a different, optionally-enabled system for the same purpose.

The Django 1.2 CSRF protection system involves the generation of a random
token, inserted as a hidden field in outgoing forms. The same value is also
set in a cookie, and the cookie value and form value are compared on submission.

The provided template tag for inserting the CSRF token into forms --
{% csrf_token %} -- explicitly trusts the cookie value, and displays it as-is.
Thus, an attacker who is able to tamper with the value of the CSRF cookie can
cause arbitrary content to be inserted, unescaped, into the outgoing HTML of
the form, enabling cross-site scripting (XSS) attacks.

This issue was first reported via a public ticket in Django's Trac instance;
while being triaged it was then independently reported, with broader
description, by Jeff Balogh of Mozilla.
2010-09-09 13:34:04 +00:00
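The cookie-plus-hidden-field scheme described above, as an added example that is not Django's code: a token is issued, echoed into the form, and compared with the cookie on submission. The as-is rendering from the note is shown beside a hardened version that only accepts well-formed tokens and HTML-escapes whatever it emits, so a tampered cookie value can no longer reach the page as markup. Token format, field name and the tampered value are constructed for the demo.

```python
import hmac
import html
import re
import secrets

# Shape of the tokens this demo issues (an assumption for the example, not Django's format).
TOKEN_RE = re.compile(r"^[0-9a-f]{32}$")
FIELD_NAME = "csrfmiddlewaretoken"


def issue_csrf_token() -> str:
    """Fresh random token; the server stores it in the CSRF cookie and echoes it into forms."""
    return secrets.token_hex(16)


def sanitize_token(cookie_value) -> str:
    """Return the cookie token if it has the expected shape, else a fresh one.
    The caller must then re-set the cookie, since the old value was not trusted."""
    if isinstance(cookie_value, str) and TOKEN_RE.match(cookie_value):
        return cookie_value
    return issue_csrf_token()


def render_csrf_field_unescaped(cookie_value: str) -> str:
    """The behaviour the 1.2.2 note describes: the cookie value is trusted and emitted as-is."""
    return '<input type="hidden" name="%s" value="%s">' % (FIELD_NAME, cookie_value)


def render_csrf_field(value: str) -> str:
    """Hardened rendering: the value is attribute-escaped before it reaches the HTML."""
    return '<input type="hidden" name="%s" value="%s">' % (FIELD_NAME, html.escape(value, quote=True))


def render_form(cookie_value):
    """Server side of a GET: returns (form_html, token_to_store_in_cookie)."""
    token = sanitize_token(cookie_value)
    return "<form method=\"post\">%s</form>" % render_csrf_field(token), token


def csrf_check(cookie_value, form_value) -> bool:
    """Server side of a POST: both values must be well-formed and equal (constant-time compare)."""
    if not isinstance(cookie_value, str) or not isinstance(form_value, str):
        return False
    if not (TOKEN_RE.match(cookie_value) and TOKEN_RE.match(form_value)):
        return False
    return hmac.compare_digest(cookie_value, form_value)


if __name__ == "__main__":
    tampered = 'x"><b>tampered</b>'        # constructed cookie value that is not a token
    print(render_csrf_field_unescaped(tampered))   # markup passes through unchanged
    print(render_form(tampered)[0])                # fresh token, escaped output
    tok = issue_csrf_token()
    print(csrf_check(tok, tok), csrf_check(tok, issue_csrf_token()))
```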