SECURITY HARDENING
The latest version of Tastypie includes a number of important security fixes and all users are strongly encouraged to upgrade.
Note that the fixes may introduce backwards-incompatible changes, so check the upgrade notes below carefully.
- XML decoding has been wrapped in the defusedxml library
- XML requests may no longer include DTDs by default
- Deserialization will return HTTP 400 for any XML decode errors
Don't even use XML and want to disable it? There's a simple TASTYPIE_DEFAULT_FORMATS setting to globally restrict the set of supported formats (closes #833): https://django-tastypie.readthedocs.io/en/v0.9.14/settings.html#tastypie-default-formats
- Content negotiation will return an error for malformed accept headers (closes #832)
- The Api class itself now allows a custom serializer (closes #817)
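The three XML changes above (defusedxml wrapping, no DTDs, HTTP 400 on decode errors) amount to one policy: refuse a DOCTYPE before any entity is processed, and turn every parse failure into a client error rather than a server error. The following is an added, stand-alone illustration of that policy and is not Tastypie's code: it uses the standard library's expat parser instead of defusedxml so it runs without extra packages, and the function names (check_xml, deserialize_xml_request) and the sample request bodies are constructed for this example.

```python
"""Reject DTDs in inbound XML and map decode failures to HTTP 400.

Illustration of the hardening described in the release notes, not the
project's own implementation. defusedxml gives you the same behaviour
via forbid_dtd=True; here the standard library's expat parser is used so
the example has no third-party dependency.
"""
import xml.parsers.expat
from xml.etree import ElementTree as ET


class DTDForbidden(ValueError):
    """Raised as soon as a <!DOCTYPE ...> declaration is encountered."""


def check_xml(data: bytes) -> None:
    """Scan the document with expat, refusing any DOCTYPE declaration.

    Expat invokes StartDoctypeDeclHandler when it sees '<!DOCTYPE', before
    the internal subset is read, so entity definitions (entity-expansion
    DoS, external entities) are never processed. Malformed XML raises
    xml.parsers.expat.ExpatError.
    """
    parser = xml.parsers.expat.ParserCreate()

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise DTDForbidden("DTD declarations are not accepted")

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.Parse(data, True)  # a handler exception propagates out of Parse


def xml_to_dict(element: ET.Element):
    """Minimal XML -> dict conversion, enough for flat request bodies."""
    if len(element) == 0:
        return element.text or ""
    return {child.tag: xml_to_dict(child) for child in element}


def deserialize_xml_request(body: bytes):
    """Return (status_code, payload) for an XML request body.

    Any decode error, including a forbidden DTD, yields HTTP 400 instead of
    a 500 or a silently expanded document.
    """
    try:
        check_xml(body)
        root = ET.fromstring(body)  # only reached for DTD-free, well-formed input
    except (DTDForbidden, xml.parsers.expat.ExpatError, ET.ParseError) as exc:
        return 400, {"error": f"XML decode error: {exc}"}
    return 200, {root.tag: xml_to_dict(root)}


# Constructed sample request bodies for the demonstration.
CLEAN = b"<object><name>widget</name><price>9</price></object>"
# Carries a DOCTYPE with an internal entity: rejected before the entity is used.
WITH_DTD = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE object [<!ENTITY e "x">]>'
    b"<object><name>&e;</name></object>"
)
BROKEN = b"<object><name>unterminated</object>"

if __name__ == "__main__":
    for label, body in (("clean", CLEAN), ("dtd", WITH_DTD), ("broken", BROKEN)):
        print(label, deserialize_xml_request(body))
```

Running the block shows the clean body decoded to a dict with status 200 and both the DTD-bearing and the malformed bodies answered with 400. If a deployment does not need XML at all, the setting referenced above is the simpler control: TASTYPIE_DEFAULT_FORMATS takes a list of format names, so restricting it to the formats you actually serve (for instance only 'json') removes the XML decoder from the request path entirely.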
The serialization documentation has been upgraded with security advice:
https://django-tastypie.readthedocs.io/en/v0.9.14/serialization.html#serialization-security
Upgrade notes:
- If you use XML serialization (enabled by default):
  - defusedxml is now required
  - defusedxml requires lxml 3 or later:
    pip install defusedxml "lxml>=3"
- Python 2.5 is no longer officially supported because defusedxml requires Python 2.6 or later. If you cannot upgrade to a newer version of Python please consider disabling XML support entirely.