SECURITY HARDENING
The latest version of Tastypie includes a number of important security fixes and all users are strongly encouraged to upgrade.
Please note that the fixes might cause backwards incompatibility issues, so please check the upgrade notes carefully.
XML decoding has been wrapped in the defusedxml library
XML requests may no longer include DTDs by default
Deserialization will return HTTP 400 for any XML decode errors
Don't even use XML and want to disable it? There's a simple :ref:`TASTYPIE_DEFAULT_FORMATS setting <settings.TASTYPIE_DEFAULT_FORMATS>` setting to globally restrict the set of supported formats (closes #833):
http://django-tastypie.readthedocs.org/en/v0.9.14/settings.html#tastypie-default-formats
Content negotiation will return an error for malformed accept headers (closes #832)
The Api class itself now allows a custom serializer (closes #817)
The serialization documentation has been upgraded with security advice:
http://django-tastypie.readthedocs.org/en/v0.9.14/serialization.html#serialization-security
Upgrade notes:
- If you use XML serialization (enabled by default):
- defusedxml is now required
- defusedxml requires lxml 3 or later
pip install defusedxml "lxml>=3"
Python 2.5 is no longer officially supported because defusedxml requires Python 2.6 or later. If you cannot upgrade to a newer version of Python please consider disabling XML support entirely.