Commit graph

60 commits

Author SHA1 Message Date
adam
461d5ee333 Changes 1.6.2:
Prevented the base geometry object of a prepared geometry from being garbage collected, which could lead to a crash in Django.
Fixed a crash when executing the changepassword command when the user object representation contained non-ASCII characters.
The collectstatic command will raise an error rather than default to using the current working directory if STATIC_ROOT is not set. Combined with the --clear option, the previous behavior could wipe anything below the current working directory.
Fixed mail encoding on Python 3.3.3+.
Fixed an issue where when settings.DATABASES['default']['AUTOCOMMIT'] = False, the connection wasn’t in autocommit mode but Django pretended it was.
Fixed a regression in multiple-table inheritance exclude() queries.
Added missing items to django.utils.timezone.__all__.
Fixed a field misalignment issue with select_related() and model inheritance.
Fixed join promotion for negated AND conditions.
Oracle database introspection now works with boolean and float fields.
Fixed an issue where lazy objects weren’t actually marked as safe when passed through mark_safe() and could end up being double-escaped.
2014-02-09 08:09:04 +00:00
wiz
c1a506e6f1 Judging from the documentation, this prefers py-sqlite3 nowadays,
which has the advantage of being available for python-3.x.
(default-off option, so no PKGREVISION++)
2014-01-30 18:20:19 +00:00
wiz
aa67e11089 Mark packages as not ready for python-3.x where applicable;
either because they themselves are not ready or because a
dependency isn't. This is annotated by
PYTHON_VERSIONS_INCOMPATIBLE=  33 # not yet ported as of x.y.z
or
PYTHON_VERSIONS_INCOMPATIBLE=  33 # py-foo, py-bar
respectively, please use the same style for other packages,
and check during updates.

Use versioned_dependencies.mk where applicable.
Use REPLACE_PYTHON instead of handcoded alternatives, where applicable.
Reorder Makefile sections into standard order, where applicable.

Remove PYTHON_VERSIONS_INCLUDE_3X lines since that will be default
with the next commit.

Whitespace cleanups and other nits corrected, where necessary.
2014-01-25 10:29:56 +00:00
wiz
16297b6893 Use versioned_dependencies.mk for flup. 2014-01-18 19:07:57 +00:00
adam
938546ad2f Changes 1.6.1:
Bug fixes
Fixed BCryptSHA256PasswordHasher with py-bcrypt and Python 3.
Fixed a regression that prevented a ForeignKey with a hidden reverse manager (related_name ending with ‘+’) from being used as a lookup for prefetch_related.
Fixed Queryset.datetimes raising AttributeError in some situations.
Fixed ModelBackend raising UnboundLocalError if get_user_model() raised an error.
Fixed a regression that prevented editable GenericRelation subclasses from working in ModelForms.
Added missing to_python method for ModelMultipleChoiceField which is required in Django 1.6 to properly detect changes from initial values.
Fixed django.contrib.humanize translations where the unicode sequence for the non-breaking space was returned verbatim.
Fixed loaddata error when fixture file name contained any dots not related to file extensions or when fixture path was relative but located in a subdirectory.
Fixed display of inline instances in formsets when parent has 0 for primary key.
Fixed a regression where custom querysets for foreign keys were overwritten if ModelAdmin had ordering set.
Removed mention of a feature in the --locale/-l option of the makemessages and compilemessages commands that never worked as promised: Support of multiple locale names separated by commas. It’s still possible to specify multiple locales in one run by using the option multiple times.
Fixed a regression that unnecessarily triggered settings configuration when importing get_wsgi_application.
Fixed test client logout() method when using the cookie-based session backend.
Fixed a crash when a GeometryField uses a non-geometric widget.
Fixed password hash upgrade when changing the iteration count.
Fixed a bug in the debug view when the URLconf only contains one element.
Re-added missing search result count and reset link in changelist admin view.
The current language is no longer saved to the session by LocaleMiddleware on every response, but rather only after a logout.
Fixed a crash when executing runserver on non-English systems and when the formatted date in its output contained non-ASCII characters.
Fixed a crash in the debug view after an exception occurred on Python ≥ 3.3.
Fixed a crash in ImageField on some platforms (Homebrew and RHEL6 reported).
Fixed a regression when using generic relations in ModelAdmin.list_filter.
2013-12-31 12:02:53 +00:00
adam
c3bb2ce821 Changes 1.6:
Simplified default project and app templates
Improved transaction management
Persistent database connections
Discovery of tests in any test module
Time zone aware aggregation
Support for savepoints in SQLite
BinaryField model field
GeoDjango form widgets
check management command added for verifying compatibility
Model.save() algorithm changed
Minor features
2013-11-12 19:12:12 +00:00
adam
0d4df48804 Changes 1.5.5:
Django 1.5.5 fixes a couple security-related bugs and several other bugs in the 1.5 series.

Readdressed denial-of-service via password hashers
Django 1.5.4 imposes a 4096-byte limit on passwords in order to mitigate a denial-of-service attack through submission of bogus but extremely large passwords. In Django 1.5.5, we’ve reverted this change and instead improved the speed of our PBKDF2 algorithm by not rehashing the key on every iteration.

Properly rotate CSRF token on login
This behaviour introduced as a security hardening measure in Django 1.5.2 did not work properly and is now fixed.

Bugfixes
Fixed a data corruption bug with datetime_safe.datetime.combine.
Fixed a Python 3 incompatibility in django.utils.text.unescape_entities().
Fixed a couple data corruption issues with QuerySet edge cases under Oracle and MySQL.
Fixed crashes when using combinations of annotate(), select_related(), and only().
2013-10-28 20:12:40 +00:00
adam
4950261099 Changes 1.5.4:
These releases address a denial-of-service attack against Django's authentication framework. All users of Django are encouraged to upgrade immediately.
2013-09-17 19:54:49 +00:00
adam
66240d337a Changes 1.5.3:
These releases address a directory-traversal vulnerability in one of Django's built-in template tags. While this issue requires some fairly specific factors to be exploitable, we encourage all users of Django to upgrade promptly.
2013-09-11 16:50:38 +00:00
adam
d5ae06ed9c Changes 1.5.2:
These releases address two cross-site scripting (XSS) vulnerabilities: one in a widget used by Django's admin interface, and one in a utility function used to validate redirects often used after login or logout.

While these issues are of limited impact and may not affect all Django users, we encourage all users to upgrade as soon as possible.
2013-08-13 17:48:24 +00:00
adam
b1c341bdfe Changes 1.5.1:
The biggest fix is for a memory leak introduced in Django 1.5. Under certain circumstances, repeated iteration over querysets could leak memory - sometimes quite a bit of it. If you'd like more information, the details are in our ticket tracker (and in a related issue in Python itself).

If you've noticed memory problems under Django 1.5, upgrading to 1.5.1 should fix those issues.

Django 1.5.1 also includes a couple smaller fixes:
* Module-level warnings emitted during tests are no longer silently hidden.
* Prevented filtering on password hashes in the user admin.
2013-04-01 20:52:44 +00:00
adam
62408e64ce Changes 1.5:
Django 1.5 introduces support for a configurable User model. The basic Django User model is still around, of course, but now there's first-class support for specifying your own model and having Django's auth system make use of it.

Django 1.5 is the first Django release with support for Python 3 (specifically, Python 3.2 and newer). Python 3 support is still considered experimental -- largely because it hasn't received as much real-world testing as we'd like -- but a Python 3 porting guide is available if you'd like to give it a try, and we will be considering Python 3 compatibility bugs to be blockers for future releases.

Of course, if you're still comfortable with Python 2, Django continues to offer support for that just as we always have -- though note that the minimum version for Django 1.5 is Python 2.6.5, and Python 2.7.3 or newer is strongly recommended.

Django's documentation has also gotten some pretty significant work; the main documentation page has had a bit of a facelift to make things easier to find, the existing tutorial got some refurbishing, and several new tutorials -- including some more advanced topics, like writing an app you can reuse in multiple projects -- have been added. And the documentation for class-based views has been significantly expanded, which should make this feature a lot easier to understand and take advantage of.
2013-03-12 20:47:59 +00:00
adam
f72637626a Changes 1.4.5:
Security-fix release. Here's a brief summary of each issue and its resolution:

Issue: Host header poisoning: an attacker could cause Django to generate and display URLs that link to arbitrary domains. This could be used as part of a phishing attack. These releases fix this problem by introducing a new setting, ALLOWED_HOSTS, which specifies a whitelist of domains your site is known to respond to.

Important: by default Django 1.3.6 and 1.4.4 set ALLOWED_HOSTS to allow all hosts. This means that to actually fix the security vulnerability you should define this setting yourself immediately after upgrading.

Issue: Formset denial-of-service: an attacker can abuse Django's tracking of the number of forms in a formset to cause a denial-of-service attack. This has been fixed by adding a default maximum number of forms of 1,000. You can still manually specify a bigger max_num, if you wish, but 1,000 should be enough for anyone.

Issue: XML attacks: Django's serialization framework was vulnerable to attacks via XML entity expansion and external references; this is now fixed. However, if you're parsing arbitrary XML in other parts of your application, we recommend you look into the defusedxml Python packages which remedy this anywhere you parse XML, not just via Django's serialization framework.

Issue: Data leakage via admin history log: Django's admin interface could expose supposedly-hidden information via its history log. This has been fixed.
2013-02-23 17:00:19 +00:00
adam
df33275014 Changes 1.4.3:
Security fixes:
* Host header poisoning
* Redirect poisoning
2012-12-13 08:03:20 +00:00
asau
5eae6a18a3 Drop superfluous PKG_DESTDIR_SUPPORT, "user-destdir" is default these days. 2012-10-28 06:30:00 +00:00
adam
de268fc328 Changes 1.4.2:
Fixed security issues:
* Host header poisoning
* Documentation of HttpOnly cookie option
2012-10-18 12:04:17 +00:00
adam
7e1844f958 Changes 1.4.1:
* Bug fixes.
2012-08-06 15:33:07 +00:00
adam
066b6f0dc6 PLIST fix for pgsql 2012-04-18 19:23:54 +00:00
adam
23353f5f1e Changes 1.4:
* Support for time zones
* Support for in-browser testing frameworks
* Updated default project layout and manage.py
* Custom project and app templates
* Improved WSGI support
* Improved password hashing
* HTML5 doctype
* List filters in admin interface
* Multiple sort in admin interface
* New ModelAdmin methods
More...
2012-04-17 17:57:38 +00:00
wiz
c595076396 All supported python versions in pkgsrc support eggs, so remove
${PLIST.eggfile} from PLISTs and support code from lang/python.
2012-04-08 20:21:41 +00:00
obache
e889103cd8 distutils pkg, register egg-info.
Bump PKGREVISION.
2012-01-26 11:34:28 +00:00
adam
16f4d1a55a Changes 1.3.1:
Fixed security issues:
* Session manipulation
* Denial of service attack via URLField
* URLField redirection
* Host header cache poisoning
* Advisory: Host header and CSRF
* Advisory: Cross-subdomain CSRF attacks
* Advisory: DEBUG pages and sensitive POST data
2011-09-12 08:17:07 +00:00
adam
71ddac1dd8 Changes 1.3:
Django 1.3’s focus has mostly been on resolving smaller, long-standing feature
requests, but that hasn’t prevented a few fairly significant new features from
landing, including:
* A framework for writing class-based views.
* Built-in support for using Python’s logging facilities.
* Contrib support for easy handling of static files.
* Django’s testing framework now supports (and ships with a copy of) the
  unittest2 library.
2011-03-23 10:38:48 +00:00
adam
076e85e179 Changes 1.2.5:
Fixed:
* Flaw in CSRF handling
* Potential XSS in file field rendering
* Directory-traversal vulnerability on Windows
2011-02-10 10:03:59 +00:00
joerg
214352df61 Revert backup junk. 2010-12-28 19:13:06 +00:00
joerg
46293e147b Update to Django 1.2.4:
- Fix a bug in the admin interface that could leak information to
  users with staff privileges bypassing lookup arguments in the query
  string.
- Fix a bug for running the test suite in a multi-db setup
- Deprecated django.contrib.gis.tests.run_gis_tests()
2010-12-28 13:54:52 +00:00
adam
b0e64f50eb Fix small typo 2010-09-16 11:12:18 +00:00
joerg
c2a7723530 Update to django 1.2.3 to fix problems of the 1.2.2 security fix:
- Properly deal with non-ASCII responses in the CSRF code
- Restore compatibility with certain forms like the user-editing form in
  admin

Reduce maintenance overhead in pkgsrc by providing PLIST print magic.
2010-09-13 16:51:05 +00:00
adam
336f645765 Changes 1.2.2:
As of the 1.2 release, the core Django framework includes a system, enabled by
default, for detecting and preventing cross-site request forgery (CSRF) attacks
against Django-powered applications. Previous Django releases provided
a different, optionally-enabled system for the same purpose.

The Django 1.2 CSRF protection system involves the generation of a random
token, inserted as a hidden field in outgoing forms. The same value is also
set in a cookie, and the cookie value and form value are compared on submission.

The provided template tag for inserting the CSRF token into forms --
{% csrf_token %} -- explicitly trusts the cookie value, and displays it as-is.
Thus, an attacker who is able to tamper with the value of the CSRF cookie can
cause arbitrary content to be inserted, unescaped, into the outgoing HTML of
the form, enabling cross-site scripting (XSS) attacks.

This issue was first reported via a public ticket in Django's Trac instance;
while being triaged it was then independently reported, with broader
description, by Jeff Balogh of Mozilla.
2010-09-09 13:34:04 +00:00
joerg
2639467f7a Django 1.2.1:
- Support multiple database in one Django instance
- Model validation inspired by the Form validation
- Vastly improved protection against Cross-Site Request Forgery
- New user "message" framework, incl. support for anonymous users
- Hooks for object-level permissions and permissions for anonymous users
- Customization of e-mail sending via the new e-mail backend
- Smarter if template tag
2010-06-16 19:08:37 +00:00
joerg
f1919e8273 Add an option for the oracle backend. 2010-02-11 13:37:44 +00:00
joerg
10deddd118 Use pgsql as option name for consistency with other packages. 2010-02-10 19:30:09 +00:00
joerg
80d7ab1a78 Retire psycopg1 option and rename psycopg2 to postgresql, making it
the default. Bump revision.
2010-02-10 17:21:55 +00:00
joerg
0beeb8cfc7 Update to Django 1.1:
- Support for aggregates and query expression in the ORM
- Support for unmanaged models and proxy models
- Support for deferred fields
- Mark individual fields as editable in the admin; support for custom
actions
- Better support for Last-Modified/ETag
- Improved GIS support
- {% for %} now has an {% empty %} to simplify handling empty lists
- Various smaller improvements
2009-10-19 11:31:05 +00:00
joerg
2bf38a10e4 Django 1.0.4:
Fix a regular expression used by the form validation code to not trigger
pathological performance cases for certain inputs.
2009-10-13 18:19:23 +00:00
joerg
622e5e647f Update to Django 1.0.3:
- various bugfixes
- correctly validate file names for the admin media when using the
development server
2009-07-29 11:02:08 +00:00
joerg
5e8a2f1f13 No need for a C compiler. 2009-07-14 11:17:11 +00:00
joerg
e031855e4a Convert @exec/@unexec to @pkgdir or drop it. 2009-06-14 22:00:14 +00:00
reed
e5e9ad0a4c Add PREV_PKGPATH and/or SUPERSEDES for various packages that
were moved or renamed.

This was for some from 2008 and 2009 and one from 2001.

Also I noticed that a CHANGES entry was wrong, as it said "Renamed"
when it should have said "Moved" (lua-OSBF) because PKGBASE stayed the
same.
2009-05-02 16:21:43 +00:00
joerg
e9ff075e3e Fix sqlite option for Python 2.5 and higher, we always want to use the
newer external py-sqlite package for that. Bump revision.
2009-04-14 09:14:24 +00:00
joerg
4149f13a19 Also remove some more directories on deinstall. 2009-01-30 13:59:57 +00:00
joerg
1c9d169732 Fix PLIST. No idea how that slipped through testing. 2009-01-29 09:35:54 +00:00
joerg
0841d2bac1 Update to Django 1.0.2:
- various bugfixes
- improved documentation and i18n
2008-12-17 19:55:38 +00:00
joerg
685036f838 Remove PYBINMODULE, it doesn't apply. 2008-09-21 15:23:28 +00:00
tonnerre
f0d07e3500 Update Django to newly released version 1.0, fixing a cross-site request
forgery vulnerability described in
http://www.djangoproject.com/weblog/2008/sep/02/security/ .
2008-09-04 22:04:17 +00:00
joerg
10bddf65f7 Fix a CSS issue in the login page of the admin module. Bump revision. 2008-05-20 13:46:49 +00:00
joerg
a77e7015fe Update PYTHON_VERSIONS_COMPATIBLE
- assume that Python 2.4 and 2.5 are compatible and allow checking for
fallout.
- remove PYTHON_VERSIONS_COMPATIBLE that are obsoleted by the 2.3+
default. Modify the others to deal with the removals.
2008-04-25 20:39:06 +00:00
jlam
841dfa0e7a Convert to use PLIST_VARS instead of manually passing "@comment "
through PLIST_SUBST to the plist module.
2008-04-12 22:42:57 +00:00
joerg
3f7b28218e Update to Django 0.96.1: Fix a DOS in the i18n layer. 2007-11-01 21:24:02 +00:00
joerg
3d1a0c5f77 Add the variations of the plist for the various options back.
Bump revision.
2007-08-11 17:20:16 +00:00