django1/docs/releases/1.10.7.txt

===========================
Django 1.10.7 release notes
===========================

*April 4, 2017*

Django 1.10.7 fixes two security issues and a bug in 1.10.6.

CVE-2017-7234: Open redirect vulnerability in ``django.views.static.serve()``
=============================================================================

A maliciously crafted URL to a Django site using the
:func:`~django.views.static.serve` view could redirect to any other domain. The
view no longer does any redirects as they don't provide any known, useful
functionality.

Note, however, that this view has always carried a warning that it is not
hardened for production use and should be used only as a development aid.

Bugfixes
========

* Made admin's ``RelatedFieldWidgetWrapper`` use the wrapped widget's
  ``value_omitted_from_data()`` method (:ticket:`27905`).

* Fixed model form ``default`` fallback for ``SelectMultiple``
  (:ticket:`27993`).
Added stub release notes for 1.10.7. 2017-03-08 02:05:35 +08:00			`===========================`
			`Django 1.10.7 release notes`
			`===========================`

Added stub release notes for security releases. 2017-03-22 23:47:45 +08:00			`April 4, 2017`
Added stub release notes for 1.10.7. 2017-03-08 02:05:35 +08:00
Added stub release notes for security releases. 2017-03-22 23:47:45 +08:00			`Django 1.10.7 fixes two security issues and a bug in 1.10.6.`
Added stub release notes for 1.10.7. 2017-03-08 02:05:35 +08:00
Fixed CVE-2017-7234 -- Fixed open redirect vulnerability in views.static.serve(). This is a security fix. 2017-03-15 00:33:15 +08:00			CVE-2017-7234: Open redirect vulnerability in ``django.views.static.serve()``
			`=============================================================================`

			`A maliciously crafted URL to a Django site using the`
			:func:`~django.views.static.serve` view could redirect to any other domain. The
			`view no longer does any redirects as they don't provide any known, useful`
			`functionality.`

			`Note, however, that this view has always carried a warning that it is not`
			`hardened for production use and should be used only as a development aid.`

Added stub release notes for 1.10.7. 2017-03-08 02:05:35 +08:00			`Bugfixes`
			`========`

Fixed #27905 -- Added RelatedFieldWidgetWrapper.value_omitted_from_data(). 2017-03-08 02:56:29 +08:00			* Made admin's ``RelatedFieldWidgetWrapper`` use the wrapped widget's
			``value_omitted_from_data()`` method (:ticket:`27905`).
Fixed #27993 -- Fixed model form default fallback for SelectMultiple. 2017-03-31 22:10:08 +08:00
			* Fixed model form ``default`` fallback for ``SelectMultiple``
			(:ticket:`27993`).