2016-12-27 22:29:11 +08:00
|
|
|
===========================
|
|
|
|
Django 1.9.13 release notes
|
|
|
|
===========================
|
|
|
|
|
2017-03-22 23:47:45 +08:00
|
|
|
*April 4, 2017*
|
2016-12-27 22:29:11 +08:00
|
|
|
|
2017-03-22 23:47:45 +08:00
|
|
|
Django 1.9.13 fixes two security issues and a bug in 1.9.12. This is the final
|
|
|
|
release of the 1.9.x series.
|
2016-12-27 22:29:11 +08:00
|
|
|
|
2017-03-15 00:33:15 +08:00
|
|
|
CVE-2017-7234: Open redirect vulnerability in ``django.views.static.serve()``
|
|
|
|
=============================================================================
|
|
|
|
|
|
|
|
A maliciously crafted URL to a Django site using the
|
|
|
|
:func:`~django.views.static.serve` view could redirect to any other domain. The
|
|
|
|
view no longer does any redirects as they don't provide any known, useful
|
|
|
|
functionality.
|
|
|
|
|
|
|
|
Note, however, that this view has always carried a warning that it is not
|
|
|
|
hardened for production use and should be used only as a development aid.
|
|
|
|
|
2016-12-27 22:29:11 +08:00
|
|
|
Bugfixes
|
|
|
|
========
|
|
|
|
|
|
|
|
* Fixed a regression in the ``timesince`` and ``timeuntil`` filters that caused
|
2017-01-02 21:40:44 +08:00
|
|
|
incorrect results for dates in a leap year (:ticket:`27637`).
|