Fixed #15253 -- Added 1.1.3 release notes, and added sections to the 1.2.4 and 1.3 release notes about the December security announcement.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@15485 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit 41dc3fc2e85d3c1db8c9cc4b479e3ace75d82abf 1 parent f913fab
Russell Keith-Magee authored February 10, 2011
50  docs/releases/1.1.3.txt
... ...
@@ -0,0 +1,50 @@
  1
+==========================
  2
+Django 1.1.3 release notes
  3
+==========================
  4
+
  5
+Welcome to Django 1.1.3!
  6
+
  7
+This is the third "bugfix" release in the Django 1.1 series,
  8
+improving the stability and performance of the Django 1.1 codebase.
  9
+
  10
+With one exception, Django 1.1.3 maintains backwards compatibility
  11
+with Django 1.1.2. It also contains a number of fixes and other
  12
+improvements. Django 1.1.2 is a recommended upgrade for any
  13
+development or deployment currently using or targeting Django 1.1.
  14
+
  15
+For full details on the new features, backwards incompatibilities, and
  16
+deprecated features in the 1.1 branch, see the :doc:`/releases/1.1`.
  17
+
  18
+Backwards incompatible changes
  19
+==============================
  20
+
  21
+Restricted filters in admin interface
  22
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  23
+
  24
+The Django administrative interface, django.contrib.admin, supports
  25
+filtering of displayed lists of objects by fields on the corresponding
  26
+models, including across database-level relationships. This is
  27
+implemented by passing lookup arguments in the querystring portion of
  28
+the URL, and options on the ModelAdmin class allow developers to
  29
+specify particular fields or relationships which will generate
  30
+automatic links for filtering.
  31
+
  32
+One historically-undocumented and -unofficially-supported feature has
  33
+been the ability for a user with sufficient knowledge of a model's
  34
+structure and the format of these lookup arguments to invent useful
  35
+new filters on the fly by manipulating the querystring.
  36
+
  37
+However, it has been demonstrated that this can be abused to gain
  38
+access to information outside of an admin user's permissions; for
  39
+example, an attacker with access to the admin and sufficient knowledge
  40
+of model structure and relations could construct query strings which --
  41
+with repeated use of regular-expression lookups supported by the
  42
+Django database API -- expose sensitive information such as users'
  43
+password hashes.
  44
+
  45
+To remedy this, django.contrib.admin will now validate that
  46
+querystring lookup arguments either specify only fields on the model
  47
+being viewed, or cross relations which have been explicitly
  48
+whitelisted by the application developer using the pre-existing
  49
+mechanism mentioned above. This is backwards-incompatible for any
  50
+users relying on the prior ability to insert arbitrary lookups.
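Review bot: Line 12 of the new file says "Django 1.1.2 is a recommended upgrade", which is the wrong version for the release being described; it should read "Django 1.1.3 is a recommended upgrade for any development or deployment currently using or targeting Django 1.1." (the 1.1.4 and 1.2.4 files touched in this same commit each use their own version number in that sentence). Minor: "historically-undocumented and -unofficially-supported" in the second paragraph of the security section hyphenates adverbs; "historically undocumented and unofficially supported" reads better.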
6  docs/releases/1.1.4.txt
@@ -8,15 +8,15 @@ This is the fourth "bugfix" release in the Django 1.1 series,
8 8
 improving the stability and performance of the Django 1.1 codebase.
9 9
 
10 10
 With one exception, Django 1.1.4 maintains backwards compatibility
11  
-with Django 1.1.3, but contain a number of fixes and other
  11
+with Django 1.1.3. It also contains a number of fixes and other
12 12
 improvements. Django 1.1.4 is a recommended upgrade for any
13 13
 development or deployment currently using or targeting Django 1.1.
14 14
 
15 15
 For full details on the new features, backwards incompatibilities, and
16 16
 deprecated features in the 1.1 branch, see the :doc:`/releases/1.1`.
17 17
 
18  
-Backwards-incompatible changes in 1.1.4
19  
-=======================================
  18
+Backwards incompatible changes
  19
+==============================
20 20
 
21 21
 CSRF exception for AJAX requests
22 22
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
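Review bot: Renaming the heading from "Backwards-incompatible changes in 1.1.4" to "Backwards incompatible changes" makes it match the heading used in the new 1.1.3 file, but it also changes the section anchor that Sphinx generates, so any existing link to the old title will break; worth a grep of the docs for the old heading before merging. The grammar fix in line 11 ("but contain" -> "It also contains") looks right.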
38  docs/releases/1.2.4.txt
@@ -7,14 +7,48 @@ Welcome to Django 1.2.4!
7 7
 This is the fourth "bugfix" release in the Django 1.2 series,
8 8
 improving the stability and performance of the Django 1.2 codebase.
9 9
 
10  
-Django 1.2.4 maintains backwards compatibility with Django
11  
-1.2.3, but contain a number of fixes and other
  10
+With one exception, Django 1.2.4 maintains backwards compatibility
  11
+with Django 1.2.3. It also contains a number of fixes and other
12 12
 improvements. Django 1.2.4 is a recommended upgrade for any
13 13
 development or deployment currently using or targeting Django 1.2.
14 14
 
15 15
 For full details on the new features, backwards incompatibilities, and
16 16
 deprecated features in the 1.2 branch, see the :doc:`/releases/1.2`.
17 17
 
  18
+Backwards incompatible changes
  19
+==============================
  20
+
  21
+Restricted filters in admin interface
  22
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  23
+
  24
+The Django administrative interface, django.contrib.admin, supports
  25
+filtering of displayed lists of objects by fields on the corresponding
  26
+models, including across database-level relationships. This is
  27
+implemented by passing lookup arguments in the querystring portion of
  28
+the URL, and options on the ModelAdmin class allow developers to
  29
+specify particular fields or relationships which will generate
  30
+automatic links for filtering.
  31
+
  32
+One historically-undocumented and -unofficially-supported feature has
  33
+been the ability for a user with sufficient knowledge of a model's
  34
+structure and the format of these lookup arguments to invent useful
  35
+new filters on the fly by manipulating the querystring.
  36
+
  37
+However, it has been demonstrated that this can be abused to gain
  38
+access to information outside of an admin user's permissions; for
  39
+example, an attacker with access to the admin and sufficient knowledge
  40
+of model structure and relations could construct query strings which --
  41
+with repeated use of regular-expression lookups supported by the
  42
+Django database API -- expose sensitive information such as users'
  43
+password hashes.
  44
+
  45
+To remedy this, django.contrib.admin will now validate that
  46
+querystring lookup arguments either specify only fields on the model
  47
+being viewed, or cross relations which have been explicitly
  48
+whitelisted by the application developer using the pre-existing
  49
+mechanism mentioned above. This is backwards-incompatible for any
  50
+users relying on the prior ability to insert arbitrary lookups.
  51
+
18 52
 One new feature
19 53
 ===============
20 54
 
2  docs/releases/1.2.5.txt
@@ -8,7 +8,7 @@ This is the fifth "bugfix" release in the Django 1.2 series,
8 8
 improving the stability and performance of the Django 1.2 codebase.
9 9
 
10 10
 With four exceptions, Django 1.2.5 maintains backwards compatibility
11  
-with Django 1.2.4, but contain a number of fixes and other
  11
+with Django 1.2.4. It also contains a number of fixes and other
12 12
 improvements. Django 1.2.5 is a recommended upgrade for any
13 13
 development or deployment currently using or targeting Django 1.2.
14 14
 
30  docs/releases/1.3.txt
@@ -334,6 +334,36 @@ send back the CSRF token in the custom X-CSRFTOKEN header::
334 334
     });
335 335
 
336 336
 
  337
+Restricted filters in admin interface
  338
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  339
+
  340
+The Django administrative interface, django.contrib.admin, supports
  341
+filtering of displayed lists of objects by fields on the corresponding
  342
+models, including across database-level relationships. This is
  343
+implemented by passing lookup arguments in the querystring portion of
  344
+the URL, and options on the ModelAdmin class allow developers to
  345
+specify particular fields or relationships which will generate
  346
+automatic links for filtering.
  347
+
  348
+One historically-undocumented and -unofficially-supported feature has
  349
+been the ability for a user with sufficient knowledge of a model's
  350
+structure and the format of these lookup arguments to invent useful
  351
+new filters on the fly by manipulating the querystring.
  352
+
  353
+However, it has been demonstrated that this can be abused to gain
  354
+access to information outside of an admin user's permissions; for
  355
+example, an attacker with access to the admin and sufficient knowledge
  356
+of model structure and relations could construct query strings which --
  357
+with repeated use of regular-expression lookups supported by the
  358
+Django database API -- expose sensitive information such as users'
  359
+password hashes.
  360
+
  361
+To remedy this, django.contrib.admin will now validate that
  362
+querystring lookup arguments either specify only fields on the model
  363
+being viewed, or cross relations which have been explicitly
  364
+whitelisted by the application developer using the pre-existing
  365
+mechanism mentioned above. This is backwards-incompatible for any
  366
+users relying on the prior ability to insert arbitrary lookups.
337 367
 
338 368
 FileField no longer deletes files
339 369
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
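Review bot: This "Restricted filters in admin interface" section is now the third verbatim copy of the same six paragraphs in one commit (1.1.3, 1.2.4 and here), so any later wording fix has to be applied in three places in step. Consider keeping the text in one file and pulling it in with an `.. include::` directive, or keeping the full text in one release note and a short paragraph with a `:doc:` link in the others.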
1  docs/releases/index.txt
@@ -37,6 +37,7 @@ Final releases
37 37
    :maxdepth: 1
38 38
 
39 39
    1.1.4
  40
+   1.1.3
40 41
    1.1.2
41 42
    1.1
42 43
 
