diff --git a/docs/releases/1.4.6.txt b/docs/releases/1.4.6.txt new file mode 100644 index 0000000000..575e9fa75a --- /dev/null +++ b/docs/releases/1.4.6.txt @@ -0,0 +1,31 @@ +========================== +Django 1.4.6 release notes +========================== + +*August 13, 2013* + +Django 1.4.6 fixes one security issue present in previous Django releases in +the 1.4 series, as well as one other bug. + +This is the sixth bugfix/security release in the Django 1.4 series. + +Mitigated possible XSS attack via user-supplied redirect URLs +------------------------------------------------------------- + +Django relies on user input in some cases (e.g. +:func:`django.contrib.auth.views.login`, :mod:`django.contrib.comments`, and +:doc:`i18n `) to redirect the user to an "on success" URL. +The security checks for these redirects (namely +``django.util.http.is_safe_url()``) didn't check if the scheme is ``http(s)`` +and as such allowed ``javascript:...`` URLs to be entered. If a developer +relied on ``is_safe_url()`` to provide safe redirect targets and put such a +URL into a link, he could suffer from a XSS attack. This bug doesn't affect +Django currently, since we only put this URL into the ``Location`` response +header and browsers seem to ignore JavaScript there. + +Bugfixes +======== + +* Fixed an obscure bug with the :func:`~django.test.utils.override_settings` + decorator. If you hit an ``AttributeError: 'Settings' object has no attribute + '_original_allowed_hosts'`` exception, it's probably fixed (#20636). diff --git a/docs/releases/1.5.2.txt b/docs/releases/1.5.2.txt new file mode 100644 index 0000000000..710f16555c --- /dev/null +++ b/docs/releases/1.5.2.txt @@ -0,0 +1,62 @@ +========================== +Django 1.5.2 release notes +========================== + +*August 13, 2013* + +This is Django 1.5.2, a bugfix and security release for Django 1.5. + +Mitigated possible XSS attack via user-supplied redirect URLs +------------------------------------------------------------- + +Django relies on user input in some cases (e.g. +:func:`django.contrib.auth.views.login`, :mod:`django.contrib.comments`, and +:doc:`i18n `) to redirect the user to an "on success" URL. +The security checks for these redirects (namely +``django.util.http.is_safe_url()``) didn't check if the scheme is ``http(s)`` +and as such allowed ``javascript:...`` URLs to be entered. If a developer +relied on ``is_safe_url()`` to provide safe redirect targets and put such a +URL into a link, he could suffer from a XSS attack. This bug doesn't affect +Django currently, since we only put this URL into the ``Location`` response +header and browsers seem to ignore JavaScript there. + +XSS vulnerability in :mod:`django.contrib.admin` +------------------------------------------------ + +If a :class:`~django.db.models.URLField` is used in Django 1.5, it displays the +current value of the field and a link to the target on the admin change page. +The display routine of this widget was flawed and allowed for XSS. + +Bugfixes +======== + +* Fixed a crash with :meth:`~django.db.models.query.QuerySet.prefetch_related` + (#19607) as well as some ``pickle`` regressions with ``prefetch_related`` + (#20157 and #20257). +* Fixed a regression in :mod:`django.contrib.gis` in the Google Map output on + Python 3 (#20773). +* Made ``DjangoTestSuiteRunner.setup_databases`` properly handle aliases for + the default database (#19940) and prevented ``teardown_databases`` from + attempting to tear down aliases (#20681). +* Fixed the ``django.core.cache.backends.memcached.MemcachedCache`` backend's + ``get_many()`` method on Python 3 (#20722). +* Fixed :mod:`django.contrib.humanize` translation syntax errors. Affected + languages: Mexican Spanish, Mongolian, Romanian, Turkish (#20695). +* Added support for wheel packages (#19252). +* The CSRF token now rotates when a user logs in. +* Some Python 3 compatibility fixes including #20212 and #20025. +* Fixed some rare cases where :meth:`~django.db.models.query.QuerySet.get` + exceptions recursed infinitely (#20278). +* :djadmin:`makemessages` no longer crashes with ``UnicodeDecodeError`` + (#20354). +* Fixed ``geojson`` detection with Spatialite. +* :meth:`~django.test.SimpleTestCase.assertContains` once again works with + binary content (#20237). +* Fixed :class:`~django.db.models.ManyToManyField` if it has a unicode ``name`` + parameter (#20207). +* Ensured that the WSGI request's path is correctly based on the + ``SCRIPT_NAME`` environment variable or the :setting:`FORCE_SCRIPT_NAME` + setting, regardless of whether or not either has a trailing slash (#20169). +* Fixed an obscure bug with the :func:`~django.test.utils.override_settings` + decorator. If you hit an ``AttributeError: 'Settings' object has no attribute + '_original_allowed_hosts'`` exception, it's probably fixed (#20636). diff --git a/docs/releases/index.txt b/docs/releases/index.txt index 98598209cf..c3ba5cf478 100644 --- a/docs/releases/index.txt +++ b/docs/releases/index.txt @@ -36,6 +36,7 @@ Final releases .. toctree:: :maxdepth: 1 + 1.5.2 1.5.1 1.5 @@ -44,6 +45,7 @@ Final releases .. toctree:: :maxdepth: 1 + 1.4.6 1.4.5 1.4.4 1.4.3