Browse files

Refs #17800 - Added release notes and deprecation note about SECRET_K…

…EY requirement.

git-svn-id: bcc190cf-cafb-0310-a4f2-bffc1f526a37
  • Loading branch information...
1 parent 10e671e commit 60119d4f49f78a635f801d53c102f1463e28fe8a @carljm carljm committed Mar 2, 2012
Showing with 20 additions and 0 deletions.
  1. +4 −0 docs/internals/deprecation.txt
  2. +16 −0 docs/releases/1.4.txt
@@ -124,6 +124,10 @@ these changes.
See the :doc:`Django 1.3 release notes</releases/1.3>` for more details on
these changes.
+* Starting Django without a :setting:`SECRET_KEY` will result in an exception
+ rather than a `DeprecationWarning`. (This is accelerated from the usual
+ deprecation path; see the :doc:`Django 1.4 release notes</releases/1.4>`.)
* The ``mod_python`` request handler will be removed. The ``mod_wsgi``
handler should be used instead.
@@ -617,6 +617,21 @@ Django 1.4 also includes several smaller improvements worth noting:
Backwards incompatible changes in 1.4
+SECRET_KEY setting is required
+Running Django with an empty or known :setting:`SECRET_KEY` disables many of
+Django's security protections, and can lead to remote-code-execution
+vulnerabilities; no Django site should ever be run without a
+In Django 1.4, starting Django with an empty :setting:`SECRET_KEY` will raise a
+`DeprecationWarning`. In Django 1.5, it will raise an exception and Django will
+refuse to start. This is slightly accelerated from the usual deprecation path
+due to the severity of the consequences of running Django with no
@@ -756,6 +771,7 @@ instance:
* Time period: The amount of time you expect user to take filling out
such forms.

0 comments on commit 60119d4

Please sign in to comment.