Added 1.4.6/1.5.2 release notes.
This commit is contained in:
parent
bebbb611a8
commit
5fdd6af1eb
|
@ -0,0 +1,31 @@
|
||||||
|
==========================
|
||||||
|
Django 1.4.6 release notes
|
||||||
|
==========================
|
||||||
|
|
||||||
|
*August 13, 2013*
|
||||||
|
|
||||||
|
Django 1.4.6 fixes one security issue present in previous Django releases in
|
||||||
|
the 1.4 series, as well as one other bug.
|
||||||
|
|
||||||
|
This is the sixth bugfix/security release in the Django 1.4 series.
|
||||||
|
|
||||||
|
Mitigated possible XSS attack via user-supplied redirect URLs
|
||||||
|
-------------------------------------------------------------
|
||||||
|
|
||||||
|
Django relies on user input in some cases (e.g.
|
||||||
|
:func:`django.contrib.auth.views.login`, :mod:`django.contrib.comments`, and
|
||||||
|
:doc:`i18n </topics/i18n/index>`) to redirect the user to an "on success" URL.
|
||||||
|
The security checks for these redirects (namely
|
||||||
|
``django.util.http.is_safe_url()``) didn't check if the scheme is ``http(s)``
|
||||||
|
and as such allowed ``javascript:...`` URLs to be entered. If a developer
|
||||||
|
relied on ``is_safe_url()`` to provide safe redirect targets and put such a
|
||||||
|
URL into a link, he could suffer from a XSS attack. This bug doesn't affect
|
||||||
|
Django currently, since we only put this URL into the ``Location`` response
|
||||||
|
header and browsers seem to ignore JavaScript there.
|
||||||
|
|
||||||
|
Bugfixes
|
||||||
|
========
|
||||||
|
|
||||||
|
* Fixed an obscure bug with the :func:`~django.test.utils.override_settings`
|
||||||
|
decorator. If you hit an ``AttributeError: 'Settings' object has no attribute
|
||||||
|
'_original_allowed_hosts'`` exception, it's probably fixed (#20636).
|
|
@ -0,0 +1,62 @@
|
||||||
|
==========================
|
||||||
|
Django 1.5.2 release notes
|
||||||
|
==========================
|
||||||
|
|
||||||
|
*August 13, 2013*
|
||||||
|
|
||||||
|
This is Django 1.5.2, a bugfix and security release for Django 1.5.
|
||||||
|
|
||||||
|
Mitigated possible XSS attack via user-supplied redirect URLs
|
||||||
|
-------------------------------------------------------------
|
||||||
|
|
||||||
|
Django relies on user input in some cases (e.g.
|
||||||
|
:func:`django.contrib.auth.views.login`, :mod:`django.contrib.comments`, and
|
||||||
|
:doc:`i18n </topics/i18n/index>`) to redirect the user to an "on success" URL.
|
||||||
|
The security checks for these redirects (namely
|
||||||
|
``django.util.http.is_safe_url()``) didn't check if the scheme is ``http(s)``
|
||||||
|
and as such allowed ``javascript:...`` URLs to be entered. If a developer
|
||||||
|
relied on ``is_safe_url()`` to provide safe redirect targets and put such a
|
||||||
|
URL into a link, he could suffer from a XSS attack. This bug doesn't affect
|
||||||
|
Django currently, since we only put this URL into the ``Location`` response
|
||||||
|
header and browsers seem to ignore JavaScript there.
|
||||||
|
|
||||||
|
XSS vulnerability in :mod:`django.contrib.admin`
|
||||||
|
------------------------------------------------
|
||||||
|
|
||||||
|
If a :class:`~django.db.models.URLField` is used in Django 1.5, it displays the
|
||||||
|
current value of the field and a link to the target on the admin change page.
|
||||||
|
The display routine of this widget was flawed and allowed for XSS.
|
||||||
|
|
||||||
|
Bugfixes
|
||||||
|
========
|
||||||
|
|
||||||
|
* Fixed a crash with :meth:`~django.db.models.query.QuerySet.prefetch_related`
|
||||||
|
(#19607) as well as some ``pickle`` regressions with ``prefetch_related``
|
||||||
|
(#20157 and #20257).
|
||||||
|
* Fixed a regression in :mod:`django.contrib.gis` in the Google Map output on
|
||||||
|
Python 3 (#20773).
|
||||||
|
* Made ``DjangoTestSuiteRunner.setup_databases`` properly handle aliases for
|
||||||
|
the default database (#19940) and prevented ``teardown_databases`` from
|
||||||
|
attempting to tear down aliases (#20681).
|
||||||
|
* Fixed the ``django.core.cache.backends.memcached.MemcachedCache`` backend's
|
||||||
|
``get_many()`` method on Python 3 (#20722).
|
||||||
|
* Fixed :mod:`django.contrib.humanize` translation syntax errors. Affected
|
||||||
|
languages: Mexican Spanish, Mongolian, Romanian, Turkish (#20695).
|
||||||
|
* Added support for wheel packages (#19252).
|
||||||
|
* The CSRF token now rotates when a user logs in.
|
||||||
|
* Some Python 3 compatibility fixes including #20212 and #20025.
|
||||||
|
* Fixed some rare cases where :meth:`~django.db.models.query.QuerySet.get`
|
||||||
|
exceptions recursed infinitely (#20278).
|
||||||
|
* :djadmin:`makemessages` no longer crashes with ``UnicodeDecodeError``
|
||||||
|
(#20354).
|
||||||
|
* Fixed ``geojson`` detection with Spatialite.
|
||||||
|
* :meth:`~django.test.SimpleTestCase.assertContains` once again works with
|
||||||
|
binary content (#20237).
|
||||||
|
* Fixed :class:`~django.db.models.ManyToManyField` if it has a unicode ``name``
|
||||||
|
parameter (#20207).
|
||||||
|
* Ensured that the WSGI request's path is correctly based on the
|
||||||
|
``SCRIPT_NAME`` environment variable or the :setting:`FORCE_SCRIPT_NAME`
|
||||||
|
setting, regardless of whether or not either has a trailing slash (#20169).
|
||||||
|
* Fixed an obscure bug with the :func:`~django.test.utils.override_settings`
|
||||||
|
decorator. If you hit an ``AttributeError: 'Settings' object has no attribute
|
||||||
|
'_original_allowed_hosts'`` exception, it's probably fixed (#20636).
|
|
@ -22,6 +22,7 @@ Final releases
|
||||||
.. toctree::
|
.. toctree::
|
||||||
:maxdepth: 1
|
:maxdepth: 1
|
||||||
|
|
||||||
|
1.5.2
|
||||||
1.5.1
|
1.5.1
|
||||||
1.5
|
1.5
|
||||||
|
|
||||||
|
@ -30,6 +31,7 @@ Final releases
|
||||||
.. toctree::
|
.. toctree::
|
||||||
:maxdepth: 1
|
:maxdepth: 1
|
||||||
|
|
||||||
|
1.4.6
|
||||||
1.4.5
|
1.4.5
|
||||||
1.4.4
|
1.4.4
|
||||||
1.4.3
|
1.4.3
|
||||||
|
|
Loading…
Reference in New Issue