32 lines
1.2 KiB
Plaintext
32 lines
1.2 KiB
Plaintext
============================
|
|
Django 1.11.27 release notes
|
|
============================
|
|
|
|
*December 18, 2019*
|
|
|
|
Django 1.11.27 fixes a security issue and a data loss bug in 1.11.26.
|
|
|
|
CVE-2019-19844: Potential account hijack via password reset form
|
|
================================================================
|
|
|
|
By submitting a suitably crafted email address making use of Unicode
|
|
characters, that compared equal to an existing user email when lower-cased for
|
|
comparison, an attacker could be sent a password reset token for the matched
|
|
account.
|
|
|
|
In order to avoid this vulnerability, password reset requests now compare the
|
|
submitted email using the stricter, recommended algorithm for case-insensitive
|
|
comparison of two identifiers from `Unicode Technical Report 36, section
|
|
2.11.2(B)(2)`__. Upon a match, the email containing the reset token will be
|
|
sent to the email address on record rather than the submitted address.
|
|
|
|
.. __: https://www.unicode.org/reports/tr36/#Recommendations_General
|
|
|
|
Bugfixes
|
|
========
|
|
|
|
* Fixed a data loss possibility in
|
|
:class:`~django.contrib.postgres.forms.SplitArrayField`. When using with
|
|
``ArrayField(BooleanField())``, all values after the first ``True`` value
|
|
were marked as checked instead of preserving passed values (:ticket:`31073`).
|