Commit
Showing 3 changed files with 95 additions and 0 deletions.
@@ -0,0 +1,31 @@ | ||
========================== | ||
Django 1.4.6 release notes | ||
========================== | ||
|
||
*August 13, 2013* | ||
|
||
Django 1.4.6 fixes one security issue present in previous Django releases in | ||
the 1.4 series, as well as one other bug. | ||
|
||
This is the sixth bugfix/security release in the Django 1.4 series. | ||
|
||
Mitigated possible XSS attack via user-supplied redirect URLs | ||
------------------------------------------------------------- | ||
|
||
Django relies on user input in some cases (e.g. | ||
:func:`django.contrib.auth.views.login`, :mod:`django.contrib.comments`, and | ||
:doc:`i18n </topics/i18n/index>`) to redirect the user to an "on success" URL. | ||
The security checks for these redirects (namely | ||
``django.util.http.is_safe_url()``) didn't check if the scheme is ``http(s)`` | ||
and as such allowed ``javascript:...`` URLs to be entered. If a developer | ||
relied on ``is_safe_url()`` to provide safe redirect targets and put such a | ||
URL into a link, he could suffer from a XSS attack. This bug doesn't affect | ||
Django currently, since we only put this URL into the ``Location`` response | ||
header and browsers seem to ignore JavaScript there. | ||
|
||
Bugfixes | ||
======== | ||
|
||
* Fixed an obscure bug with the :func:`~django.test.utils.override_settings` | ||
decorator. If you hit an ``AttributeError: 'Settings' object has no attribute | ||
'_original_allowed_hosts'`` exception, it's probably fixed (#20636). |
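Review bot: the module path in the ``is_safe_url()`` reference is wrong: the function lives in ``django.utils.http``, not ``django.util.http`` (the line reading ``django.util.http.is_safe_url()``), so the literal should be corrected before this ships in the docs. The section is headed "Mitigated ..." but the body only describes the flaw (``is_safe_url()`` did not check the scheme); add a sentence stating what this release changes, i.e. that the function now rejects redirect targets whose scheme is not ``http(s)``, if that is what the accompanying patch does. Minor wording: "a XSS attack" should read "an XSS attack", and "he could suffer from" is better as "they could be exposed to".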
@@ -0,0 +1,62 @@ | ||
========================== | ||
Django 1.5.2 release notes | ||
========================== | ||
|
||
*August 13, 2013* | ||
|
||
This is Django 1.5.2, a bugfix and security release for Django 1.5. | ||
|
||
Mitigated possible XSS attack via user-supplied redirect URLs | ||
------------------------------------------------------------- | ||
|
||
Django relies on user input in some cases (e.g. | ||
:func:`django.contrib.auth.views.login`, :mod:`django.contrib.comments`, and | ||
:doc:`i18n </topics/i18n/index>`) to redirect the user to an "on success" URL. | ||
The security checks for these redirects (namely | ||
``django.util.http.is_safe_url()``) didn't check if the scheme is ``http(s)`` | ||
and as such allowed ``javascript:...`` URLs to be entered. If a developer | ||
relied on ``is_safe_url()`` to provide safe redirect targets and put such a | ||
URL into a link, he could suffer from a XSS attack. This bug doesn't affect | ||
Django currently, since we only put this URL into the ``Location`` response | ||
header and browsers seem to ignore JavaScript there. | ||
|
||
XSS vulnerability in :mod:`django.contrib.admin` | ||
------------------------------------------------ | ||
|
||
If a :class:`~django.db.models.URLField` is used in Django 1.5, it displays the | ||
current value of the field and a link to the target on the admin change page. | ||
The display routine of this widget was flawed and allowed for XSS. | ||
|
||
Bugfixes | ||
======== | ||
|
||
* Fixed a crash with :meth:`~django.db.models.query.QuerySet.prefetch_related` | ||
(#19607) as well as some ``pickle`` regressions with ``prefetch_related`` | ||
(#20157 and #20257). | ||
* Fixed a regression in :mod:`django.contrib.gis` in the Google Map output on | ||
Python 3 (#20773). | ||
* Made ``DjangoTestSuiteRunner.setup_databases`` properly handle aliases for | ||
the default database (#19940) and prevented ``teardown_databases`` from | ||
attempting to tear down aliases (#20681). | ||
* Fixed the ``django.core.cache.backends.memcached.MemcachedCache`` backend's | ||
``get_many()`` method on Python 3 (#20722). | ||
* Fixed :mod:`django.contrib.humanize` translation syntax errors. Affected | ||
languages: Mexican Spanish, Mongolian, Romanian, Turkish (#20695). | ||
* Added support for wheel packages (#19252). | ||
* The CSRF token now rotates when a user logs in. | ||
* Some Python 3 compatibility fixes including #20212 and #20025. | ||
* Fixed some rare cases where :meth:`~django.db.models.query.QuerySet.get` | ||
exceptions recursed infinitely (#20278). | ||
* :djadmin:`makemessages` no longer crashes with ``UnicodeDecodeError`` | ||
(#20354). | ||
* Fixed ``geojson`` detection with Spatialite. | ||
* :meth:`~django.test.SimpleTestCase.assertContains` once again works with | ||
binary content (#20237). | ||
* Fixed :class:`~django.db.models.ManyToManyField` if it has a unicode ``name`` | ||
parameter (#20207). | ||
* Ensured that the WSGI request's path is correctly based on the | ||
``SCRIPT_NAME`` environment variable or the :setting:`FORCE_SCRIPT_NAME` | ||
setting, regardless of whether or not either has a trailing slash (#20169). | ||
* Fixed an obscure bug with the :func:`~django.test.utils.override_settings` | ||
decorator. If you hit an ``AttributeError: 'Settings' object has no attribute | ||
'_original_allowed_hosts'`` exception, it's probably fixed (#20636). |
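Review bot: the ``Bugfixes`` heading is underlined with ``=`` only, which docutils treats as a third adornment style after the overline-and-underline title and the ``-`` subsections, so ``Bugfixes`` is nested under the ``django.contrib.admin`` XSS section instead of being its sibling; underline it with ``-`` like the two security sections (the 1.4.6 notes in this commit have the same structure). The copied ``django.util.http.is_safe_url()`` reference carries the same wrong module path (it should be ``django.utils.http``), and the ``django.contrib.admin`` section names the flaw ("The display routine of this widget was flawed") but not the fix; one clause saying what the display routine now does would let readers judge whether the upgrade covers their usage. The bullet "The CSRF token now rotates when a user logs in." is the only entry without a ticket reference; add the ticket number the other items carry.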