django/docs/releases/1.6.5.txt

==========================
Django 1.6.5 release notes
==========================

*May 14, 2014*

Django 1.6.5 fixes two security issues and several bugs in 1.6.4.

Issue: Caches may incorrectly be allowed to store and serve private data
========================================================================

In certain situations, Django may allow caches to store private data
related to a particular session and then serve that data to requests
with a different session, or no session at all. This can lead to
information disclosure and can be a vector for cache poisoning.

When using Django sessions, Django will set a ``Vary: Cookie`` header to
ensure caches do not serve cached data to requests from other sessions.
However, older versions of Internet Explorer (most likely only Internet
Explorer 6, and Internet Explorer 7 if run on Windows XP or Windows Server
2003) are unable to handle the ``Vary`` header in combination with many content
types. Therefore, Django would remove the header if the request was made by
Internet Explorer.

To remedy this, the special behavior for these older Internet Explorer versions
has been removed, and the ``Vary`` header is no longer stripped from the response.
In addition, modifications to the ``Cache-Control`` header for all Internet Explorer
requests with a ``Content-Disposition`` header have also been removed as they
were found to have similar issues.

Issue: Malformed redirect URLs from user input not correctly validated
======================================================================

The validation for redirects did not correctly validate some malformed URLs,
which are accepted by some browsers. This allows a user to be redirected to
an unsafe URL unexpectedly.

Django relies on user input in some cases (e.g.
:func:`django.contrib.auth.views.login`, ``django.contrib.comments``, and
:doc:`i18n </topics/i18n/index>`) to redirect the user to an "on success" URL.
The security checks for these redirects (namely
``django.util.http.is_safe_url()``) did not correctly validate some malformed
URLs, such as `http:\\\\\\djangoproject.com`, which are accepted by some browsers
with more liberal URL parsing.

To remedy this, the validation in ``is_safe_url()`` has been tightened to be able
to handle and correctly validate these malformed URLs.

Bugfixes
========

* Made the ``year_lookup_bounds_for_datetime_field`` Oracle backend method
  Python 3 compatible (`#22551 <http://code.djangoproject.com/ticket/22551>`_).

* Fixed ``pgettext_lazy`` crash when receiving bytestring content on Python 2
  (`#22565 <http://code.djangoproject.com/ticket/22565>`_).

* Fixed the SQL generated when filtering by a negated ``Q`` object that contains
  a ``F`` object. (`#22429 <http://code.djangoproject.com/ticket/22429>`_).

* Avoided overwriting data fetched by ``select_related()`` in certain cases
  which could cause minor performance regressions
  (`#22508 <http://code.djangoproject.com/ticket/22508>`_).
Added stub release notes for 1.6.5. 2014-04-29 08:38:06 +08:00			`==========================`
			`Django 1.6.5 release notes`
			`==========================`

Added release notes for 1.4.13, 1.5.8, 1.6.5. 2014-05-15 00:07:32 +08:00			`May 14, 2014`
Added stub release notes for 1.6.5. 2014-04-29 08:38:06 +08:00
Minor edits to latest release notes. 2014-05-15 19:11:29 +08:00			`Django 1.6.5 fixes two security issues and several bugs in 1.6.4.`
Added release notes for 1.4.13, 1.5.8, 1.6.5. 2014-05-15 00:07:32 +08:00
			`Issue: Caches may incorrectly be allowed to store and serve private data`
			`========================================================================`
Minor edits to latest release notes. 2014-05-15 19:11:29 +08:00
Added release notes for 1.4.13, 1.5.8, 1.6.5. 2014-05-15 00:07:32 +08:00			`In certain situations, Django may allow caches to store private data`
			`related to a particular session and then serve that data to requests`
Minor edits to latest release notes. 2014-05-15 19:11:29 +08:00			`with a different session, or no session at all. This can lead to`
			`information disclosure and can be a vector for cache poisoning.`
Added release notes for 1.4.13, 1.5.8, 1.6.5. 2014-05-15 00:07:32 +08:00
			When using Django sessions, Django will set a ``Vary: Cookie`` header to
			`ensure caches do not serve cached data to requests from other sessions.`
			`However, older versions of Internet Explorer (most likely only Internet`
			`Explorer 6, and Internet Explorer 7 if run on Windows XP or Windows Server`
			2003) are unable to handle the ``Vary`` header in combination with many content
			`types. Therefore, Django would remove the header if the request was made by`
			`Internet Explorer.`

Minor edits to latest release notes. 2014-05-15 19:11:29 +08:00			`To remedy this, the special behavior for these older Internet Explorer versions`
Added release notes for 1.4.13, 1.5.8, 1.6.5. 2014-05-15 00:07:32 +08:00			has been removed, and the ``Vary`` header is no longer stripped from the response.
			In addition, modifications to the ``Cache-Control`` header for all Internet Explorer
Minor edits to latest release notes. 2014-05-15 19:11:29 +08:00			requests with a ``Content-Disposition`` header have also been removed as they
Added release notes for 1.4.13, 1.5.8, 1.6.5. 2014-05-15 00:07:32 +08:00			`were found to have similar issues.`

			`Issue: Malformed redirect URLs from user input not correctly validated`
			`======================================================================`
Minor edits to latest release notes. 2014-05-15 19:11:29 +08:00
Added release notes for 1.4.13, 1.5.8, 1.6.5. 2014-05-15 00:07:32 +08:00			`The validation for redirects did not correctly validate some malformed URLs,`
			`which are accepted by some browsers. This allows a user to be redirected to`
			`an unsafe URL unexpectedly.`

			`Django relies on user input in some cases (e.g.`
			:func:`django.contrib.auth.views.login`, ``django.contrib.comments``, and
			:doc:`i18n </topics/i18n/index>`) to redirect the user to an "on success" URL.
			`The security checks for these redirects (namely`
			``django.util.http.is_safe_url()``) did not correctly validate some malformed
			URLs, such as `http:\\\\\\djangoproject.com`, which are accepted by some browsers
			`with more liberal URL parsing.`

			To remedy this, the validation in ``is_safe_url()`` has been tightened to be able
			`to handle and correctly validate these malformed URLs.`
Added stub release notes for 1.6.5. 2014-04-29 08:38:06 +08:00
			`Bugfixes`
			`========`

Fixed #22551 -- Made oracle backend method Python 3 compatible Thanks fatal10110 at gmail.com for the report. The fix is 1.6-only because that code has been refactored in 1.7 (6983201cfb). 'Docs-only' forward port of 120a98120 from 1.6.x. 2014-05-02 00:10:16 +08:00			* Made the ``year_lookup_bounds_for_datetime_field`` Oracle backend method
			Python 3 compatible (`#22551 <http://code.djangoproject.com/ticket/22551>`_).
Fixed #22565 -- Prevented pgettext_lazy crash with bytestring input Thanks ygbo for the report. 2014-05-03 01:31:22 +08:00
			* Fixed ``pgettext_lazy`` crash when receiving bytestring content on Python 2
			(`#22565 <http://code.djangoproject.com/ticket/22565>`_).
Fixed #22429 -- Incorrect SQL when using ~Q and F 2014-04-28 20:27:36 +08:00
			* Fixed the SQL generated when filtering by a negated ``Q`` object that contains
			a ``F`` object. (`#22429 <http://code.djangoproject.com/ticket/22429>`_).
Added 1.6.5 release note for refs #22508. 2014-05-13 00:43:50 +08:00
			* Avoided overwriting data fetched by ``select_related()`` in certain cases
			`which could cause minor performance regressions`
			(`#22508 <http://code.djangoproject.com/ticket/22508>`_).