django/docs/releases/1.8.10.txt

===========================
Django 1.8.10 release notes
===========================

*March 1, 2015*

Django 1.8.10 fixes two security issues and several bugs in 1.8.9.

CVE-2016-2512: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth
===============================================================================================================

Django relies on user input in some cases (e.g.
:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`)
to redirect the user to an "on success" URL. The security check for these
redirects (namely ``django.utils.http.is_safe_url()``) considered some URLs
with basic authentication credentials "safe" when they shouldn't be.

For example, a URL like ``http://mysite.example.com\@attacker.com`` would be
considered safe if the request's host is ``http://mysite.example.com``, but
redirecting to this URL sends the user to ``attacker.com``.

Also, if a developer relies on ``is_safe_url()`` to provide safe redirect
targets and puts such a URL into a link, they could suffer from an XSS attack.

Bugfixes
========

* Fixed a crash on PostgreSQL that prevented using ``TIME_ZONE=None`` and
  ``USE_TZ=False`` (:ticket:`26177`).

* Added system checks for query name clashes of hidden relationships
  (:ticket:`26162`).

* Made ``forms.FileField`` and ``utils.translation.lazy_number()`` picklable
  (:ticket:`26212`).

* Fixed :class:`~django.contrib.postgres.fields.RangeField` and
  :class:`~django.contrib.postgres.fields.ArrayField` serialization with
  ``None`` values (:ticket:`26215`).

* Reallowed dashes in top-level domain names of URLs checked by
  ``URLValidator`` to fix a regression in Django 1.8 (:ticket:`26204`).

* Fixed ``BoundField`` to reallow slices of subwidgets (:ticket:`26267`).

* Prevented ``ContentTypeManager`` instances from sharing their cache
  (:ticket:`26286`).
Added stub release notes for 1.8.10. 2016-02-06 22:24:20 +08:00			`===========================`
			`Django 1.8.10 release notes`
			`===========================`

Added stub release notes for security issues. 2016-02-20 00:33:17 +08:00			`March 1, 2015`
Added stub release notes for 1.8.10. 2016-02-06 22:24:20 +08:00
Added stub release notes for security issues. 2016-02-20 00:33:17 +08:00			`Django 1.8.10 fixes two security issues and several bugs in 1.8.9.`
Added stub release notes for 1.8.10. 2016-02-06 22:24:20 +08:00
Fixed CVE-2016-2512 -- Prevented spoofing is_safe_url() with basic auth. This is a security fix. 2016-02-23 05:47:01 +08:00			`CVE-2016-2512: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth`
			`===============================================================================================================`

			`Django relies on user input in some cases (e.g.`
			:func:`django.contrib.auth.views.login` and :doc:`i18n </topics/i18n/index>`)
			`to redirect the user to an "on success" URL. The security check for these`
			redirects (namely ``django.utils.http.is_safe_url()``) considered some URLs
			`with basic authentication credentials "safe" when they shouldn't be.`

			For example, a URL like ``http://mysite.example.com\@attacker.com`` would be
			considered safe if the request's host is ``http://mysite.example.com``, but
			redirecting to this URL sends the user to ``attacker.com``.

			Also, if a developer relies on ``is_safe_url()`` to provide safe redirect
			`targets and puts such a URL into a link, they could suffer from an XSS attack.`

Added stub release notes for 1.8.10. 2016-02-06 22:24:20 +08:00			`Bugfixes`
			`========`

Fixed #26177 -- Fixed a PostgreSQL crash with TIME_ZONE=None and USE_TZ=False. 2016-02-06 22:21:05 +08:00			* Fixed a crash on PostgreSQL that prevented using ``TIME_ZONE=None`` and
			``USE_TZ=False`` (:ticket:`26177`).
Fixed #26162 -- Checked query name clashes of hidden relationships. Although reverse accessor clashes should be skipped query name can't be hidden. Thanks to Ian Foote and Tim Graham for the review. 2016-02-08 07:05:14 +08:00
			`* Added system checks for query name clashes of hidden relationships`
			(:ticket:`26162`).
Fixed #26212 -- Made forms.FileField and translation.lazy_number() picklable. 2016-02-12 09:12:54 +08:00
			* Made ``forms.FileField`` and ``utils.translation.lazy_number()`` picklable
			(:ticket:`26212`).
Fixed #26215 -- Fixed RangeField/ArrayField serialization with None values Also added tests for HStoreField and JSONField. Thanks Aleksey Bukin for the report and Tim Graham for the initial patch and the review. 2016-02-16 02:28:49 +08:00
			* Fixed :class:`~django.contrib.postgres.fields.RangeField` and
			:class:`~django.contrib.postgres.fields.ArrayField` serialization with
			``None`` values (:ticket:`26215`).
Fixed #26204 -- Reallowed dashes in top-level domains for URLValidator. Thanks Shai Berger for the review. 2016-02-11 23:39:53 +08:00
			`* Reallowed dashes in top-level domain names of URLs checked by`
			``URLValidator`` to fix a regression in Django 1.8 (:ticket:`26204`).
Fixed #26267 -- Fixed BoundField to reallow slices of subwidgets. 2016-02-24 07:39:20 +08:00
			* Fixed ``BoundField`` to reallow slices of subwidgets (:ticket:`26267`).
Fixed #26286 -- Prevented content type managers from sharing their cache. This should prevent managers methods from returning content type instances registered to foreign apps now that these managers are also attached to models created during migration phases. Thanks Tim for the review. Refs #23822. 2015-12-19 03:49:23 +08:00
			* Prevented ``ContentTypeManager`` instances from sharing their cache
			(:ticket:`26286`).