p15693087
/
django
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Fixed #15253 -- Added 1.1.3 release notes, and added sections to the 1.2.4 and 1.3 release notes about the December security announcement. 

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15485 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
Russell Keith-Magee 2011-02-10 11:55:24 +00:00
parent f913fab6be
commit 41dc3fc2e8
6 changed files with 121 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
docs/releases/1.1.3.txt Normal file
View File

@ -0,0 +1,50 @@
==========================
Django 1.1.3 release notes
==========================
Welcome to Django 1.1.3!
This is the third "bugfix" release in the Django 1.1 series,
improving the stability and performance of the Django 1.1 codebase.
With one exception, Django 1.1.3 maintains backwards compatibility
with Django 1.1.2. It also contains a number of fixes and other
improvements. Django 1.1.2 is a recommended upgrade for any
development or deployment currently using or targeting Django 1.1.
For full details on the new features, backwards incompatibilities, and
deprecated features in the 1.1 branch, see the :doc:`/releases/1.1`.
Backwards incompatible changes
==============================
Restricted filters in admin interface
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Django administrative interface, django.contrib.admin, supports
filtering of displayed lists of objects by fields on the corresponding
models, including across database-level relationships. This is
implemented by passing lookup arguments in the querystring portion of
the URL, and options on the ModelAdmin class allow developers to
specify particular fields or relationships which will generate
automatic links for filtering.
One historically-undocumented and -unofficially-supported feature has
been the ability for a user with sufficient knowledge of a model's
structure and the format of these lookup arguments to invent useful
new filters on the fly by manipulating the querystring.
However, it has been demonstrated that this can be abused to gain
access to information outside of an admin user's permissions; for
example, an attacker with access to the admin and sufficient knowledge
of model structure and relations could construct query strings which --
with repeated use of regular-expression lookups supported by the
Django database API -- expose sensitive information such as users'
password hashes.
To remedy this, django.contrib.admin will now validate that
querystring lookup arguments either specify only fields on the model
being viewed, or cross relations which have been explicitly
whitelisted by the application developer using the pre-existing
mechanism mentioned above. This is backwards-incompatible for any
users relying on the prior ability to insert arbitrary lookups.

6
docs/releases/1.1.4.txt
View File

@ -8,15 +8,15 @@ This is the fourth "bugfix" release in the Django 1.1 series,
improving the stability and performance of the Django 1.1 codebase. improving the stability and performance of the Django 1.1 codebase.
With one exception, Django 1.1.4 maintains backwards compatibility With one exception, Django 1.1.4 maintains backwards compatibility
with Django 1.1.3, but contain a number of fixes and other with Django 1.1.3. It also contains a number of fixes and other
improvements. Django 1.1.4 is a recommended upgrade for any improvements. Django 1.1.4 is a recommended upgrade for any
development or deployment currently using or targeting Django 1.1. development or deployment currently using or targeting Django 1.1.
For full details on the new features, backwards incompatibilities, and For full details on the new features, backwards incompatibilities, and
deprecated features in the 1.1 branch, see the :doc:`/releases/1.1`. deprecated features in the 1.1 branch, see the :doc:`/releases/1.1`.
Backwards-incompatible changes in 1.1.4 Backwards incompatible changes
======================================= ==============================
CSRF exception for AJAX requests CSRF exception for AJAX requests
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

38
docs/releases/1.2.4.txt
View File

@ -7,14 +7,48 @@ Welcome to Django 1.2.4!
This is the fourth "bugfix" release in the Django 1.2 series, This is the fourth "bugfix" release in the Django 1.2 series,
improving the stability and performance of the Django 1.2 codebase. improving the stability and performance of the Django 1.2 codebase.
Django 1.2.4 maintains backwards compatibility with Django With one exception, Django 1.2.4 maintains backwards compatibility
1.2.3, but contain a number of fixes and other with Django 1.2.3. It also contains a number of fixes and other
improvements. Django 1.2.4 is a recommended upgrade for any improvements. Django 1.2.4 is a recommended upgrade for any
development or deployment currently using or targeting Django 1.2. development or deployment currently using or targeting Django 1.2.
For full details on the new features, backwards incompatibilities, and For full details on the new features, backwards incompatibilities, and
deprecated features in the 1.2 branch, see the :doc:`/releases/1.2`. deprecated features in the 1.2 branch, see the :doc:`/releases/1.2`.
Backwards incompatible changes
==============================
Restricted filters in admin interface
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Django administrative interface, django.contrib.admin, supports
filtering of displayed lists of objects by fields on the corresponding
models, including across database-level relationships. This is
implemented by passing lookup arguments in the querystring portion of
the URL, and options on the ModelAdmin class allow developers to
specify particular fields or relationships which will generate
automatic links for filtering.
One historically-undocumented and -unofficially-supported feature has
been the ability for a user with sufficient knowledge of a model's
structure and the format of these lookup arguments to invent useful
new filters on the fly by manipulating the querystring.
However, it has been demonstrated that this can be abused to gain
access to information outside of an admin user's permissions; for
example, an attacker with access to the admin and sufficient knowledge
of model structure and relations could construct query strings which --
with repeated use of regular-expression lookups supported by the
Django database API -- expose sensitive information such as users'
password hashes.
To remedy this, django.contrib.admin will now validate that
querystring lookup arguments either specify only fields on the model
being viewed, or cross relations which have been explicitly
whitelisted by the application developer using the pre-existing
mechanism mentioned above. This is backwards-incompatible for any
users relying on the prior ability to insert arbitrary lookups.
One new feature One new feature
=============== ===============

2
docs/releases/1.2.5.txt
View File

@ -8,7 +8,7 @@ This is the fifth "bugfix" release in the Django 1.2 series,
improving the stability and performance of the Django 1.2 codebase. improving the stability and performance of the Django 1.2 codebase.
With four exceptions, Django 1.2.5 maintains backwards compatibility With four exceptions, Django 1.2.5 maintains backwards compatibility
with Django 1.2.4, but contain a number of fixes and other with Django 1.2.4. It also contains a number of fixes and other
improvements. Django 1.2.5 is a recommended upgrade for any improvements. Django 1.2.5 is a recommended upgrade for any
development or deployment currently using or targeting Django 1.2. development or deployment currently using or targeting Django 1.2.

30
docs/releases/1.3.txt
View File

@ -334,6 +334,36 @@ send back the CSRF token in the custom X-CSRFTOKEN header::
}); });
Restricted filters in admin interface
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Django administrative interface, django.contrib.admin, supports
filtering of displayed lists of objects by fields on the corresponding
models, including across database-level relationships. This is
implemented by passing lookup arguments in the querystring portion of
the URL, and options on the ModelAdmin class allow developers to
specify particular fields or relationships which will generate
automatic links for filtering.
One historically-undocumented and -unofficially-supported feature has
been the ability for a user with sufficient knowledge of a model's
structure and the format of these lookup arguments to invent useful
new filters on the fly by manipulating the querystring.
However, it has been demonstrated that this can be abused to gain
access to information outside of an admin user's permissions; for
example, an attacker with access to the admin and sufficient knowledge
of model structure and relations could construct query strings which --
with repeated use of regular-expression lookups supported by the
Django database API -- expose sensitive information such as users'
password hashes.
To remedy this, django.contrib.admin will now validate that
querystring lookup arguments either specify only fields on the model
being viewed, or cross relations which have been explicitly
whitelisted by the application developer using the pre-existing
mechanism mentioned above. This is backwards-incompatible for any
users relying on the prior ability to insert arbitrary lookups.
FileField no longer deletes files FileField no longer deletes files
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1
docs/releases/index.txt
View File

@ -37,6 +37,7 @@ Final releases
:maxdepth: 1 :maxdepth: 1
1.1.4 1.1.4
1.1.3
1.1.2 1.1.2
1.1 1.1