Added 1.4.6/1.5.2 release notes.

commit db682dcc9e028fa40bb4d3efb322fd3191ed1bd2 1 parent cbe6d55
Tim Graham authored August 13, 2013 jacobian committed August 13, 2013
31  docs/releases/1.4.6.txt
@@ -0,0 +1,31 @@
  1
+==========================
  2
+Django 1.4.6 release notes
  3
+==========================
  4
+
  5
+*August 13, 2013*
  6
+
  7
+Django 1.4.6 fixes one security issue present in previous Django releases in
  8
+the 1.4 series, as well as one other bug.
  9
+
  10
+This is the sixth bugfix/security release in the Django 1.4 series.
  11
+
  12
+Mitigated possible XSS attack via user-supplied redirect URLs
  13
+-------------------------------------------------------------
  14
+
  15
+Django relies on user input in some cases (e.g.
  16
+:func:`django.contrib.auth.views.login`, :mod:`django.contrib.comments`, and
  17
+:doc:`i18n </topics/i18n/index>`) to redirect the user to an "on success" URL.
  18
+The security checks for these redirects (namely
  19
+``django.util.http.is_safe_url()``) didn't check if the scheme is ``http(s)``
  20
+and as such allowed ``javascript:...`` URLs to be entered. If a developer
  21
+relied on ``is_safe_url()`` to provide safe redirect targets and put such a
  22
+URL into a link, he could suffer from a XSS attack. This bug doesn't affect
  23
+Django currently, since we only put this URL into the ``Location`` response
  24
+header and browsers seem to ignore JavaScript there.
  25
+
  26
+Bugfixes
  27
+========
  28
+
  29
+* Fixed an obscure bug with the :func:`~django.test.utils.override_settings`
  30
+  decorator. If you hit an ``AttributeError: 'Settings' object has no attribute
  31
+  '_original_allowed_hosts'`` exception, it's probably fixed (#20636).
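Review bot: the module path in the ``django.util.http.is_safe_url()`` reference in the redirect-URL paragraph is wrong; the function lives in ``django.utils.http``, so anyone grepping their code base to check whether they call it will miss it. Same paragraph: "a XSS attack" should read "an XSS attack". Heading levels: the security section uses a ``-`` underline but "Bugfixes" uses an underline-only ``=``; docutils assigns levels in order of first appearance, so "Bugfixes" will render as a subsection of the XSS section rather than a sibling. Suggest ``Bugfixes`` followed by ``--------``.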
62  docs/releases/1.5.2.txt
@@ -0,0 +1,62 @@
  1
+==========================
  2
+Django 1.5.2 release notes
  3
+==========================
  4
+
  5
+*August 13, 2013*
  6
+
  7
+This is Django 1.5.2, a bugfix and security release for Django 1.5.
  8
+
  9
+Mitigated possible XSS attack via user-supplied redirect URLs
  10
+-------------------------------------------------------------
  11
+
  12
+Django relies on user input in some cases (e.g.
  13
+:func:`django.contrib.auth.views.login`, :mod:`django.contrib.comments`, and
  14
+:doc:`i18n </topics/i18n/index>`) to redirect the user to an "on success" URL.
  15
+The security checks for these redirects (namely
  16
+``django.util.http.is_safe_url()``) didn't check if the scheme is ``http(s)``
  17
+and as such allowed ``javascript:...`` URLs to be entered. If a developer
  18
+relied on ``is_safe_url()`` to provide safe redirect targets and put such a
  19
+URL into a link, he could suffer from a XSS attack. This bug doesn't affect
  20
+Django currently, since we only put this URL into the ``Location`` response
  21
+header and browsers seem to ignore JavaScript there.
  22
+
  23
+XSS vulnerability in :mod:`django.contrib.admin`
  24
+------------------------------------------------
  25
+
  26
+If a :class:`~django.db.models.URLField` is used in Django 1.5, it displays the
  27
+current value of the field and a link to the target on the admin change page.
  28
+The display routine of this widget was flawed and allowed for XSS.
  29
+
  30
+Bugfixes
  31
+========
  32
+
  33
+* Fixed a crash with :meth:`~django.db.models.query.QuerySet.prefetch_related`
  34
+  (#19607) as well as some ``pickle`` regressions with ``prefetch_related``
  35
+  (#20157 and #20257).
  36
+* Fixed a regression in :mod:`django.contrib.gis` in the Google Map output on
  37
+  Python 3 (#20773).
  38
+* Made ``DjangoTestSuiteRunner.setup_databases`` properly handle aliases for
  39
+  the default database (#19940) and prevented ``teardown_databases`` from
  40
+  attempting to tear down aliases (#20681).
  41
+* Fixed the ``django.core.cache.backends.memcached.MemcachedCache`` backend's
  42
+  ``get_many()`` method on Python 3 (#20722).
  43
+* Fixed :mod:`django.contrib.humanize` translation syntax errors. Affected
  44
+  languages: Mexican Spanish, Mongolian, Romanian, Turkish (#20695).
  45
+* Added support for wheel packages (#19252).
  46
+* The CSRF token now rotates when a user logs in.
  47
+* Some Python 3 compatibility fixes including #20212 and #20025.
  48
+* Fixed some rare cases where :meth:`~django.db.models.query.QuerySet.get`
  49
+  exceptions recursed infinitely (#20278).
  50
+* :djadmin:`makemessages` no longer crashes with ``UnicodeDecodeError``
  51
+  (#20354).
  52
+* Fixed ``geojson`` detection with Spatialite.
  53
+* :meth:`~django.test.SimpleTestCase.assertContains` once again works with
  54
+  binary content (#20237).
  55
+* Fixed :class:`~django.db.models.ManyToManyField` if it has a unicode ``name``
  56
+  parameter (#20207).
  57
+* Ensured that the WSGI request's path is correctly based on the
  58
+  ``SCRIPT_NAME`` environment variable or the :setting:`FORCE_SCRIPT_NAME`
  59
+  setting, regardless of whether or not either has a trailing slash (#20169).
  60
+* Fixed an obscure bug with the :func:`~django.test.utils.override_settings`
  61
+  decorator. If you hit an ``AttributeError: 'Settings' object has no attribute
  62
+  '_original_allowed_hosts'`` exception, it's probably fixed (#20636).
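Review bot: the "XSS vulnerability in django.contrib.admin" section names neither the affected widget nor what the fix does; it only says "The display routine of this widget was flawed and allowed for XSS." State which admin widget renders the URLField link and that its output is now escaped, so operators who subclass or copy that widget can tell whether they are still exposed. The ``django.util.http`` typo from the 1.4.6 notes is repeated in the redirect paragraph here (should be ``django.utils.http``), as is "a XSS attack". Two bugfix bullets cite no ticket ("The CSRF token now rotates when a user logs in." and "Fixed ``geojson`` detection with Spatialite.") while the others do; add the ticket numbers for consistency, and the same ``=`` versus ``-`` heading-level issue applies to "Bugfixes" in this file.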
2  docs/releases/index.txt
@@ -36,6 +36,7 @@ Final releases
36 36
 .. toctree::
37 37
    :maxdepth: 1
38 38
 
  39
+   1.5.2
39 40
    1.5.1
40 41
    1.5
41 42
 
@@ -44,6 +45,7 @@ Final releases
44 45
 .. toctree::
45 46
    :maxdepth: 1
46 47
 
  48
+   1.4.6
47 49
    1.4.5
48 50
    1.4.4
49 51
    1.4.3
