Commit graph

17 commits

Author SHA1 Message Date
adam
336f645765 Changes 1.2.2:
As of the 1.2 release, the core Django framework includes a system, enabled by
default, for detecting and preventing cross-site request forgery (CSRF) attacks
against Django-powered applications. Previous Django releases provided
a different, optionally-enabled system for the same purpose.

The Django 1.2 CSRF protection system involves the generation of a random
token, inserted as a hidden field in outgoing forms. The same value is also
set in a cookie, and the cookie value and form value are compared on submission.

The provided template tag for inserting the CSRF token into forms --
{% csrf_token %} -- explicitly trusts the cookie value, and displays it as-is.
Thus, an attacker who is able to tamper with the value of the CSRF cookie can
cause arbitrary content to be inserted, unescaped, into the outgoing HTML of
the form, enabling cross-site scripting (XSS) attacks.

This issue was first reported via a public ticket in Django's Trac instance;
while being triaged it was then independently reported, with broader
description, by Jeff Balogh of Mozilla.
2010-09-09 13:34:04 +00:00
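The 1.2.2 advisory quoted in the commit above describes the mechanism (token in a hidden field, same value in a cookie, compared on submit) and the bug (the tag writes the cookie value into HTML unescaped). The following is an added illustration, not Django's own code: a minimal double-submit check together with the vulnerable and the hardened rendering of the hidden field. The function names, the 32-hex-character token format and the check on it are assumptions made for the example, not the project's implementation.

```python
"""Added example (not Django's code): double-submit CSRF token check and the
hidden-field rendering bug described in the Django 1.2.2 release notes."""
import hmac
import html
import secrets

# Assumed token format for this example: 32 lowercase hex characters.
TOKEN_LEN = 32
HEX_CHARS = frozenset("0123456789abcdef")


def generate_csrf_token() -> str:
    """Random token; the server sets it in a cookie and echoes it in forms."""
    return secrets.token_hex(TOKEN_LEN // 2)


def render_csrf_field_vulnerable(cookie_value: str) -> str:
    """Models the pre-1.2.2 behaviour: the cookie value is trusted and
    written into the outgoing HTML verbatim. An attacker who can set the
    cookie (e.g. from a sibling subdomain) controls this markup."""
    return ('<input type="hidden" name="csrfmiddlewaretoken" value="%s" />'
            % cookie_value)


def render_csrf_field_fixed(cookie_value: str) -> str:
    """Hardened rendering: reject anything that is not a well-formed token
    and HTML-escape whatever is emitted, so a tampered cookie cannot break
    out of the attribute value."""
    if not is_well_formed_token(cookie_value):
        # Do not echo attacker-controlled data; emit a fresh token instead.
        cookie_value = generate_csrf_token()
    return ('<input type="hidden" name="csrfmiddlewaretoken" value="%s" />'
            % html.escape(cookie_value, quote=True))


def is_well_formed_token(value) -> bool:
    """True only for a string of exactly TOKEN_LEN hex characters."""
    return (isinstance(value, str)
            and len(value) == TOKEN_LEN
            and all(c in HEX_CHARS for c in value))


def csrf_check(cookie_value, form_value) -> bool:
    """Double-submit check: cookie and form values must both be present,
    well-formed and identical. compare_digest avoids a timing side channel."""
    if not is_well_formed_token(cookie_value) or not isinstance(form_value, str):
        return False
    return hmac.compare_digest(cookie_value, form_value)


if __name__ == "__main__":
    # Constructed sample: a cookie value an attacker has replaced with markup.
    tampered = '"><script>alert(1)</script>'
    print("vulnerable:", render_csrf_field_vulnerable(tampered))
    print("fixed:     ", render_csrf_field_fixed(tampered))
    tok = generate_csrf_token()
    print("valid submit:", csrf_check(tok, tok))
    print("forged submit:", csrf_check(tok, "0" * TOKEN_LEN))
```

The point worth keeping in mind for the double-submit pattern is that the cookie is authenticated only in the sense that the browser attaches it; any party that can write cookies for the domain (a subdomain, a network attacker over plain HTTP) controls its contents, so the value must be treated as untrusted input at every place it is consumed, including when it is merely echoed back.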
joerg
2639467f7a Django 1.2.1:
- Support multiple databases in one Django instance
- Model validation inspired by the Form validation
- Vastly improved protection against Cross-Site Request Forgery
- New user "message" framework, incl. support for anonymous users
- Hooks for object-level permissions and permissions for anonymous users
- Customization of e-mail sending via the new e-mail backend
- Smarter if template tag
2010-06-16 19:08:37 +00:00
joerg
f1919e8273 Add an option for the oracle backend. 2010-02-11 13:37:44 +00:00
joerg
10deddd118 Use pgsql as option name for consistency with other packages. 2010-02-10 19:30:09 +00:00
joerg
80d7ab1a78 Retire psycopg1 option and rename psycopg2 to postgresql, making it
the default. Bump revision.
2010-02-10 17:21:55 +00:00
joerg
0beeb8cfc7 Update to Django 1.1:
- Support for aggregates and query expression in the ORM
- Support for unmanaged models and proxy models
- Support for deferred fields
- Mark individual fields as editable in the admin; support for custom
actions
- Better support for Last-Modified/ETag
- Improved GIS support
- {% for %} now has an {% empty %} to simplify handling empty lists
- Various smaller improvements
2009-10-19 11:31:05 +00:00
joerg
622e5e647f Update to Django 1.0.3:
- various bugfixes
- correctly validate file names for the admin media when using the
development server
2009-07-29 11:02:08 +00:00
joerg
e031855e4a Convert @exec/@unexec to @pkgdir or drop it. 2009-06-14 22:00:14 +00:00
joerg
4149f13a19 Also remove some more directories on deinstall. 2009-01-30 13:59:57 +00:00
joerg
1c9d169732 Fix PLIST. No idea how that slipped through testing. 2009-01-29 09:35:54 +00:00
tonnerre
f0d07e3500 Update Django to newly released version 1.0, fixing a cross-site request
forgery vulnerability described in
http://www.djangoproject.com/weblog/2008/sep/02/security/ .
2008-09-04 22:04:17 +00:00
jlam
841dfa0e7a Convert to use PLIST_VARS instead of manually passing "@comment "
through PLIST_SUBST to the plist module.
2008-04-12 22:42:57 +00:00
joerg
3d1a0c5f77 Add the variations of the plist for the various options back.
Bump revision.
2007-08-11 17:20:16 +00:00
joerg
d5b1ca5c01 Update to Django 0.96:
The main goal of the 0.96 release is to cleanup and stabilise the
features from 0.95.

Incompatible changes:
- constraint names changed in some cases, this can affect manage.py
reset on old databases
- some names in manage.py changed
- backslash escaping is done more consistently
- ENABLE_PSYCO is gone

Important changes:
- merge of newforms
- URLconf takes normal callables
- new test framework
- passwords for users can be entered as normal text in the admin
interface, no need to hash manually

In addition: dropped py-setuptools dependency.
2007-08-09 14:05:28 +00:00
joerg
e29331ffd4 Fix installation when only psycopg2 support is requested, the postgres
code is shared with psycopg1.
Include a small patch to make keyword mistakes in query args much
more obvious (from django svn). Other users might be as stupid as
the maintainer. Bump revision.
2007-02-19 20:55:51 +00:00
joerg
8b93668f99 Update Django to 0.95.1. Changes:
* A patch for a small security vulnerability in the script Django's
  internationalization system uses to compile translation files.
* A fix for a bug in Django's authentication middleware which could cause
  apparent "caching" of a logged-in user.
* A patch which disables debugging mode in the flup FastCGI package
  Django uses to launch its FastCGI server, which prevents tracebacks
  from bubbling up during production use.
2007-01-25 20:11:30 +00:00
joerg
7933e6d482 Import Django 0.95 from pkgsrc-wip:
Django is a high-level Python Web framework that encourages rapid development
and clean, pragmatic design. Django was designed to make common Web-development
tasks fast and easy.
2006-09-11 11:38:33 +00:00