==========================
Django 1.5.4 release notes
==========================

*September 14, 2013*

This is Django 1.5.4, the fourth release in the Django 1.5 series. It addresses
two security issues and one bug.

Denial-of-service via password hashers
--------------------------------------

In previous versions of Django, no limit was imposed on the plaintext
length of a password. This allowed a denial-of-service attack through
submission of bogus but extremely large passwords, tying up server
resources performing the (expensive, and increasingly expensive with
the length of the password) calculation of the corresponding hash.

As of 1.5.4, Django's authentication framework imposes a 4096-byte
limit on passwords, and will fail authentication with any submitted
password of greater length.
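
The limit described above, applied before any hashing work is started, as an added illustrative example (this is not Django's own code). It assumes the limit is measured on the UTF-8 encoding of the submitted password, and uses a simplified PBKDF2-HMAC-SHA256 hasher and encoded format as stand-ins for Django's hashers.

```python
import hashlib
import hmac
import os

# Byte limit on plaintext passwords, as introduced in Django 1.5.4.
MAX_PASSWORD_BYTES = 4096


def password_within_limit(password: str) -> bool:
    """Return True if the UTF-8 encoding of ``password`` is at most 4096 bytes.

    The check is on encoded length (assumption for this example), so a string
    of fewer than 4096 characters can still be rejected when it contains
    multi-byte characters.
    """
    return len(password.encode("utf-8")) <= MAX_PASSWORD_BYTES


def make_password(password: str, iterations: int = 10000) -> str:
    """Hash a password with PBKDF2-HMAC-SHA256 (simplified stand-in hasher).

    Over-long passwords are refused before the expensive derivation runs.
    """
    if not password_within_limit(password):
        raise ValueError("password exceeds %d bytes" % MAX_PASSWORD_BYTES)
    salt = os.urandom(12).hex()
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt.encode("ascii"), iterations
    )
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt, digest.hex())


def check_password(password: str, encoded: str) -> bool:
    """Verify ``password`` against ``encoded``.

    An over-long password fails authentication immediately, without any
    hashing, which is what removes the denial-of-service vector.
    """
    if not password_within_limit(password):
        return False
    algorithm, iterations, salt, digest_hex = encoded.split("$", 3)
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt.encode("ascii"), int(iterations)
    )
    # Constant-time comparison so verification does not leak digest prefixes.
    return hmac.compare_digest(candidate.hex(), digest_hex)
```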

Corrected usage of :func:`~django.views.decorators.debug.sensitive_post_parameters` in :mod:`django.contrib.auth`’s admin
-------------------------------------------------------------------------------------------------------------------------

The decoration of the ``add_view`` and ``user_change_password`` user admin
views with :func:`~django.views.decorators.debug.sensitive_post_parameters`
did not include :func:`~django.utils.decorators.method_decorator` (required
since the views are methods), resulting in the decorator not being properly
applied. This usage has been fixed, and
:func:`~django.views.decorators.debug.sensitive_post_parameters` will now
raise an exception if it is improperly used.

Bugfixes
========

* Fixed a bug that prevented a ``QuerySet`` that uses
  :meth:`~django.db.models.query.QuerySet.prefetch_related` from being pickled
  and unpickled more than once (the second pickling attempt raised an
  exception) (#21102).