40 lines
1.6 KiB
Plaintext
40 lines
1.6 KiB
Plaintext
============================
|
|
Django 1.11.10 release notes
|
|
============================
|
|
|
|
*February 1, 2018*
|
|
|
|
Django 1.11.10 fixes a security issue and several bugs in 1.11.9.
|
|
|
|
CVE-2018-6188: Information leakage in ``AuthenticationForm``
|
|
============================================================
|
|
|
|
A regression in Django 1.11.8 made
|
|
:class:`~django.contrib.auth.forms.AuthenticationForm` run its
|
|
``confirm_login_allowed()`` method even if an incorrect password is entered.
|
|
This can leak information about a user, depending on what messages
|
|
``confirm_login_allowed()`` raises. If ``confirm_login_allowed()`` isn't
|
|
overridden, an attacker enter an arbitrary username and see if that user has
|
|
been set to ``is_active=False``. If ``confirm_login_allowed()`` is overridden,
|
|
more sensitive details could be leaked.
|
|
|
|
This issue is fixed with the caveat that ``AuthenticationForm`` can no longer
|
|
raise the "This account is inactive." error if the authentication backend
|
|
rejects inactive users (the default authentication backend, ``ModelBackend``,
|
|
has done that since Django 1.10). This issue will be revisited for Django 2.1
|
|
as a fix to address the caveat will likely be too invasive for inclusion in
|
|
older versions.
|
|
|
|
Bugfixes
|
|
========
|
|
|
|
* Fixed incorrect foreign key nullification if a model has two foreign keys to
|
|
the same model and a target model is deleted (:ticket:`29016`).
|
|
|
|
* Fixed a regression where ``contrib.auth.authenticate()`` crashes if an
|
|
authentication backend doesn't accept ``request`` and a later one does
|
|
(:ticket:`29071`).
|
|
|
|
* Fixed crash when entering an invalid uuid in ``ModelAdmin.raw_id_fields``
|
|
(:ticket:`29094`).
|