Fixed #15253 -- Added 1.1.3 release notes, and added sections to the 1.2.4 and 1.3 release notes about the December security announcement.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15485 bcc190cf-cafb-0310-a4f2-bffc1f526a37
parent f913fab6be
commit 41dc3fc2e8
@ -0,0 +1,50 @@
==========================
Django 1.1.3 release notes
==========================

Welcome to Django 1.1.3!

This is the third "bugfix" release in the Django 1.1 series,
improving the stability and performance of the Django 1.1 codebase.

With one exception, Django 1.1.3 maintains backwards compatibility
with Django 1.1.2. It also contains a number of fixes and other
improvements. Django 1.1.2 is a recommended upgrade for any
development or deployment currently using or targeting Django 1.1.

For full details on the new features, backwards incompatibilities, and
deprecated features in the 1.1 branch, see the :doc:`/releases/1.1`.

Backwards incompatible changes
==============================

Restricted filters in admin interface
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Django administrative interface, django.contrib.admin, supports
filtering of displayed lists of objects by fields on the corresponding
models, including across database-level relationships. This is
implemented by passing lookup arguments in the querystring portion of
the URL, and options on the ModelAdmin class allow developers to
specify particular fields or relationships which will generate
automatic links for filtering.

One historically-undocumented and -unofficially-supported feature has
been the ability for a user with sufficient knowledge of a model's
structure and the format of these lookup arguments to invent useful
new filters on the fly by manipulating the querystring.

However, it has been demonstrated that this can be abused to gain
access to information outside of an admin user's permissions; for
example, an attacker with access to the admin and sufficient knowledge
of model structure and relations could construct query strings which --
with repeated use of regular-expression lookups supported by the
Django database API -- expose sensitive information such as users'
password hashes.

To remedy this, django.contrib.admin will now validate that
querystring lookup arguments either specify only fields on the model
being viewed, or cross relations which have been explicitly
whitelisted by the application developer using the pre-existing
mechanism mentioned above. This is backwards-incompatible for any
users relying on the prior ability to insert arbitrary lookups.

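Review bot: the recommendation sentence in the new 1.1.3 notes still names the previous release: "improvements. Django 1.1.2 is a recommended upgrade for any" should read "Django 1.1.3 is a recommended upgrade", as the matching sentence does in the 1.1.4, 1.2.4 and 1.2.5 hunks of this same commit (it looks like a copy of the 1.1.2 notes that was only partly updated). While here, "whitelisted by the application developer using the pre-existing mechanism mentioned above" points at an option that is never named; naming the ModelAdmin option that generates the filter links (ModelAdmin.list_filter) would tell an upgrading site exactly what to add when a hand-built querystring filter stops working after this release.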
@ -8,15 +8,15 @@ This is the fourth "bugfix" release in the Django 1.1 series,
improving the stability and performance of the Django 1.1 codebase.

With one exception, Django 1.1.4 maintains backwards compatibility
with Django 1.1.3, but contain a number of fixes and other
with Django 1.1.3. It also contains a number of fixes and other
improvements. Django 1.1.4 is a recommended upgrade for any
development or deployment currently using or targeting Django 1.1.

For full details on the new features, backwards incompatibilities, and
deprecated features in the 1.1 branch, see the :doc:`/releases/1.1`.

Backwards-incompatible changes in 1.1.4
=======================================
Backwards incompatible changes
==============================

CSRF exception for AJAX requests
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

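Review bot: style only. Replacing "Backwards-incompatible changes in 1.1.4" with "Backwards incompatible changes" lines this heading up with the sibling 1.1.3 and 1.2.4 notes, which is the right call for a document set that is read side by side; note, though, that the dropped hyphenated spelling is the one the section bodies themselves use ("This is backwards-incompatible for any users"), so the files now mix both forms. The "contain" to "contains" correction is right.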
@ -7,14 +7,48 @@ Welcome to Django 1.2.4!
This is the fourth "bugfix" release in the Django 1.2 series,
improving the stability and performance of the Django 1.2 codebase.

Django 1.2.4 maintains backwards compatibility with Django
1.2.3, but contain a number of fixes and other
With one exception, Django 1.2.4 maintains backwards compatibility
with Django 1.2.3. It also contains a number of fixes and other
improvements. Django 1.2.4 is a recommended upgrade for any
development or deployment currently using or targeting Django 1.2.

For full details on the new features, backwards incompatibilities, and
deprecated features in the 1.2 branch, see the :doc:`/releases/1.2`.

Backwards incompatible changes
==============================

Restricted filters in admin interface
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Django administrative interface, django.contrib.admin, supports
filtering of displayed lists of objects by fields on the corresponding
models, including across database-level relationships. This is
implemented by passing lookup arguments in the querystring portion of
the URL, and options on the ModelAdmin class allow developers to
specify particular fields or relationships which will generate
automatic links for filtering.

One historically-undocumented and -unofficially-supported feature has
been the ability for a user with sufficient knowledge of a model's
structure and the format of these lookup arguments to invent useful
new filters on the fly by manipulating the querystring.

However, it has been demonstrated that this can be abused to gain
access to information outside of an admin user's permissions; for
example, an attacker with access to the admin and sufficient knowledge
of model structure and relations could construct query strings which --
with repeated use of regular-expression lookups supported by the
Django database API -- expose sensitive information such as users'
password hashes.

To remedy this, django.contrib.admin will now validate that
querystring lookup arguments either specify only fields on the model
being viewed, or cross relations which have been explicitly
whitelisted by the application developer using the pre-existing
mechanism mentioned above. This is backwards-incompatible for any
users relying on the prior ability to insert arbitrary lookups.

One new feature
===============

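Review bot: the new section is a line-for-line duplicate of the one added to the 1.1.3 notes and to the 1.3 notes in this same commit, so the three copies have to be kept in sync by hand and any later correction (for example naming the whitelisting option) must be applied three times. A single canonical copy with a short cross-reference from the other two, in the same way the existing text already points at the full notes with :doc:`/releases/1.2`, would avoid that. The rewording from "Django 1.2.4 maintains backwards compatibility with Django 1.2.3" to "With one exception, ..." is correct now that the section below documents that exception.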
@ -8,7 +8,7 @@ This is the fifth "bugfix" release in the Django 1.2 series,
improving the stability and performance of the Django 1.2 codebase.

With four exceptions, Django 1.2.5 maintains backwards compatibility
with Django 1.2.4, but contain a number of fixes and other
with Django 1.2.4. It also contains a number of fixes and other
improvements. Django 1.2.5 is a recommended upgrade for any
development or deployment currently using or targeting Django 1.2.

@ -334,6 +334,36 @@ send back the CSRF token in the custom X-CSRFTOKEN header::
});


Restricted filters in admin interface
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Django administrative interface, django.contrib.admin, supports
filtering of displayed lists of objects by fields on the corresponding
models, including across database-level relationships. This is
implemented by passing lookup arguments in the querystring portion of
the URL, and options on the ModelAdmin class allow developers to
specify particular fields or relationships which will generate
automatic links for filtering.

One historically-undocumented and -unofficially-supported feature has
been the ability for a user with sufficient knowledge of a model's
structure and the format of these lookup arguments to invent useful
new filters on the fly by manipulating the querystring.

However, it has been demonstrated that this can be abused to gain
access to information outside of an admin user's permissions; for
example, an attacker with access to the admin and sufficient knowledge
of model structure and relations could construct query strings which --
with repeated use of regular-expression lookups supported by the
Django database API -- expose sensitive information such as users'
password hashes.

To remedy this, django.contrib.admin will now validate that
querystring lookup arguments either specify only fields on the model
being viewed, or cross relations which have been explicitly
whitelisted by the application developer using the pre-existing
mechanism mentioned above. This is backwards-incompatible for any
users relying on the prior ability to insert arbitrary lookups.

FileField no longer deletes files
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

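Review bot: missing documentation rather than a logic problem: the 1.3 notes present the restricted admin filters as a backwards-incompatible change of 1.3, but this same commit adds the identical restriction to the 1.2.4 and 1.1.3 notes, so a site upgrading from 1.2.4 or 1.1.3 to 1.3 already has it and only a site jumping from an older release is affected. One sentence stating that the change first shipped in 1.1.3 and 1.2.4 would stop readers from treating it as new to 1.3. Placement is fine: the heading at column 0 after the indented `});` line correctly terminates the preceding literal block, and the "~" underline matches the following "FileField no longer deletes files" subsection.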
@ -37,6 +37,7 @@ Final releases
:maxdepth: 1

1.1.4
1.1.3
1.1.2
1.1
