test0908
/
django
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

[1.6.x] Cleaned up 1.5.4/1.4.8 release notes 

Backport of 8d29005524 from master
This commit is contained in:
Tim Graham 2013-09-15 14:14:26 -04:00
parent 623c4916df
commit e96bcdd64f
8 changed files with 64 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
docs/howto/error-reporting.txt
View File

@ -117,6 +117,8 @@ Filtering error reports
Filtering sensitive information Filtering sensitive information
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. currentmodule:: django.views.decorators.debug
Error reports are really helpful for debugging errors, so it is generally Error reports are really helpful for debugging errors, so it is generally
useful to record as much relevant information about those errors as possible. useful to record as much relevant information about those errors as possible.
For example, by default Django records the `full traceback`_ for the For example, by default Django records the `full traceback`_ for the
@ -240,11 +242,13 @@ attribute::
request.exception_reporter_filter = CustomExceptionReporterFilter() request.exception_reporter_filter = CustomExceptionReporterFilter()
... ...
.. currentmodule:: django.views.debug
Your custom filter class needs to inherit from Your custom filter class needs to inherit from
:class:`django.views.debug.SafeExceptionReporterFilter` and may override the :class:`django.views.debug.SafeExceptionReporterFilter` and may override the
following methods: following methods:
.. class:: django.views.debug.SafeExceptionReporterFilter .. class:: SafeExceptionReporterFilter
.. method:: SafeExceptionReporterFilter.is_active(self, request) .. method:: SafeExceptionReporterFilter.is_active(self, request)

7
docs/releases/1.4-alpha-1.txt
View File

@ -337,9 +337,10 @@ docs </ref/contrib/csrf>` for more information.
Error report filtering Error report filtering
~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~
Two new function decorators, :func:`sensitive_variables` and We added two function decorators,
:func:`sensitive_post_parameters`, were added to allow designating the :func:`~django.views.decorators.debug.sensitive_variables` and
local variables and POST parameters which may contain sensitive :func:`~django.views.decorators.debug.sensitive_post_parameters`, to allow
designating the local variables and POST parameters that may contain sensitive
information and should be filtered out of error reports. information and should be filtered out of error reports.
All POST parameters are now systematically filtered out of error reports for All POST parameters are now systematically filtered out of error reports for

7
docs/releases/1.4-beta-1.txt
View File

@ -375,9 +375,10 @@ docs </ref/contrib/csrf>` for more information.
Error report filtering Error report filtering
~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~
Two new function decorators, :func:`sensitive_variables` and We added two function decorators,
:func:`sensitive_post_parameters`, were added to allow designating the :func:`~django.views.decorators.debug.sensitive_variables` and
local variables and POST parameters which may contain sensitive :func:`~django.views.decorators.debug.sensitive_post_parameters`, to allow
designating the local variables and POST parameters that may contain sensitive
information and should be filtered out of error reports. information and should be filtered out of error reports.
All POST parameters are now systematically filtered out of error reports for All POST parameters are now systematically filtered out of error reports for

21
docs/releases/1.4.8.txt
View File

@ -1,21 +1,32 @@
========================== ==========================
Django 1.4.7 release notes Django 1.4.8 release notes
========================== ==========================
*September 14, 2013* *September 14, 2013*
Django 1.4.8 fixes one security issue present in previous Django releases in Django 1.4.8 fixes two security issues present in previous Django releases in
the 1.4 series. the 1.4 series.
Denial-of-service via password hashers Denial-of-service via password hashers
-------------------------------------- --------------------------------------
In previous versions of Django no limit was imposed on the plaintext In previous versions of Django, no limit was imposed on the plaintext
length of a password. This allows a denial-of-service attack through length of a password. This allowed a denial-of-service attack through
submission of bogus but extremely large passwords, tying up server submission of bogus but extremely large passwords, tying up server
resources performing the (expensive, and increasingly expensive with resources performing the (expensive, and increasingly expensive with
the length of the password) calculation of the corresponding hash. the length of the password) calculation of the corresponding hash.
As of 1.4.8, Django's authentication framework imposes a 4096-byte As of 1.4.8, Django's authentication framework imposes a 4096-byte
limit on passwords, and will fail authentication with any submitted limit on passwords and will fail authentication with any submitted
password of greater length. password of greater length.
Corrected usage of :func:`~django.views.decorators.debug.sensitive_post_parameters` in :mod:`django.contrib.auth`s admin
-------------------------------------------------------------------------------------------------------------------------
The decoration of the ``add_view`` and ``user_change_password`` user admin
views with :func:`~django.views.decorators.debug.sensitive_post_parameters`
did not include :func:`~django.utils.decorators.method_decorator` (required
since the views are methods) resulting in the decorator not being properly
applied. This usage has been fixed and
:func:`~django.views.decorators.debug.sensitive_post_parameters` will now
throw an exception if it's improperly used.

9
docs/releases/1.4.txt
View File

@ -507,10 +507,11 @@ docs </ref/contrib/csrf>` for more information.
Error report filtering Error report filtering
~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~
We added two function decorators, :func:`sensitive_variables` and We added two function decorators,
:func:`sensitive_post_parameters`, to allow designating the local variables :func:`~django.views.decorators.debug.sensitive_variables` and
and POST parameters that may contain sensitive information and should be :func:`~django.views.decorators.debug.sensitive_post_parameters`, to allow
filtered out of error reports. designating the local variables and POST parameters that may contain sensitive
information and should be filtered out of error reports.
All POST parameters are now systematically filtered out of error reports for All POST parameters are now systematically filtered out of error reports for
certain views (``login``, ``password_reset_confirm``, ``password_change`` and certain views (``login``, ``password_reset_confirm``, ``password_change`` and

29
docs/releases/1.5.4.txt
View File

@ -1,21 +1,40 @@
========================== ==========================
Django 1.5.3 release notes Django 1.5.4 release notes
========================== ==========================
*September 14, 2013* *September 14, 2013*
This is Django 1.5.4, the fourth release in the Django 1.5 series. It addresses This is Django 1.5.4, the fourth release in the Django 1.5 series. It addresses
one security issue. two security issues and one bug.
Denial-of-service via password hashers Denial-of-service via password hashers
-------------------------------------- --------------------------------------
In previous versions of Django no limit was imposed on the plaintext In previous versions of Django, no limit was imposed on the plaintext
length of a password. This allows a denial-of-service attack through length of a password. This allowed a denial-of-service attack through
submission of bogus but extremely large passwords, tying up server submission of bogus but extremely large passwords, tying up server
resources performing the (expensive, and increasingly expensive with resources performing the (expensive, and increasingly expensive with
the length of the password) calculation of the corresponding hash. the length of the password) calculation of the corresponding hash.
As of 1.5.3, Django's authentication framework imposes a 4096-byte As of 1.5.4, Django's authentication framework imposes a 4096-byte
limit on passwords, and will fail authentication with any submitted limit on passwords, and will fail authentication with any submitted
password of greater length. password of greater length.
Corrected usage of :func:`~django.views.decorators.debug.sensitive_post_parameters` in :mod:`django.contrib.auth`s admin
-------------------------------------------------------------------------------------------------------------------------
The decoration of the ``add_view`` and ``user_change_password`` user admin
views with :func:`~django.views.decorators.debug.sensitive_post_parameters`
did not include :func:`~django.utils.decorators.method_decorator` (required
since the views are methods) resulting in the decorator not being properly
applied. This usage has been fixed and
:func:`~django.views.decorators.debug.sensitive_post_parameters` will now
throw an exception if it's improperly used.
Bugfixes
========
* Fixed a bug that prevented a ``QuerySet`` that uses
:meth:`~django.db.models.query.QuerySet.prefetch_related` from being pickled
and unpickled more than once (the second pickling attempt raised an
exception) (#21102).

5
docs/releases/1.6.txt
View File

@ -783,6 +783,10 @@ using non-string keys in ``request.session``. See the
4096-byte limit on passwords 4096-byte limit on passwords
~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. note::
This behavior was also added in the Django 1.5.4 and 1.4.8 security
releases.
Historically, Django has imposed no length limit on plaintext Historically, Django has imposed no length limit on plaintext
passwords. This enables a denial-of-service attack through submission passwords. This enables a denial-of-service attack through submission
of bogus but extremely large passwords, tying up server resources of bogus but extremely large passwords, tying up server resources
@ -792,7 +796,6 @@ of the password) calculation of the corresponding hash.
Django now imposes a 4096-byte limit on password length, and will fail Django now imposes a 4096-byte limit on password length, and will fail
authentication with any submitted password of greater length. authentication with any submitted password of greater length.
Miscellaneous Miscellaneous
~~~~~~~~~~~~~ ~~~~~~~~~~~~~

2
docs/releases/index.txt
View File

@ -29,6 +29,7 @@ Final releases
.. toctree:: .. toctree::
:maxdepth: 1 :maxdepth: 1
1.5.4
1.5.3 1.5.3
1.5.2 1.5.2
1.5.1 1.5.1
@ -39,6 +40,7 @@ Final releases
.. toctree:: .. toctree::
:maxdepth: 1 :maxdepth: 1
1.4.8
1.4.7 1.4.7
1.4.6 1.4.6
1.4.5 1.4.5