|
| 1 | +========================== |
| 2 | +Django 1.5.2 release notes |
| 3 | +========================== |
| 4 | + |
| 5 | +*August 13, 2013* |
| 6 | + |
| 7 | +This is Django 1.5.2, a bugfix and security release for Django 1.5. |
| 8 | + |
| 9 | +Mitigated possible XSS attack via user-supplied redirect URLs |
| 10 | +------------------------------------------------------------- |
| 11 | + |
| 12 | +Django relies on user input in some cases (e.g. |
| 13 | +:func:`django.contrib.auth.views.login`, :mod:`django.contrib.comments`, and |
| 14 | +:doc:`i18n </topics/i18n/index>`) to redirect the user to an "on success" URL. |
| 15 | +The security checks for these redirects (namely |
| 16 | +``django.util.http.is_safe_url()``) didn't check if the scheme is ``http(s)`` |
| 17 | +and as such allowed ``javascript:...`` URLs to be entered. If a developer |
| 18 | +relied on ``is_safe_url()`` to provide safe redirect targets and put such a |
| 19 | +URL into a link, he could suffer from a XSS attack. This bug doesn't affect |
| 20 | +Django currently, since we only put this URL into the ``Location`` response |
| 21 | +header and browsers seem to ignore JavaScript there. |
| 22 | + |
| 23 | +XSS vulnerability in :mod:`django.contrib.admin` |
| 24 | +------------------------------------------------ |
| 25 | + |
| 26 | +If a :class:`~django.db.models.URLField` is used in Django 1.5, it displays the |
| 27 | +current value of the field and a link to the target on the admin change page. |
| 28 | +The display routine of this widget was flawed and allowed for XSS. |
| 29 | + |
| 30 | +Bugfixes |
| 31 | +======== |
| 32 | + |
| 33 | +* Fixed a crash with :meth:`~django.db.models.query.QuerySet.prefetch_related` |
| 34 | + (#19607) as well as some ``pickle`` regressions with ``prefetch_related`` |
| 35 | + (#20157 and #20257). |
| 36 | +* Fixed a regression in :mod:`django.contrib.gis` in the Google Map output on |
| 37 | + Python 3 (#20773). |
| 38 | +* Made ``DjangoTestSuiteRunner.setup_databases`` properly handle aliases for |
| 39 | + the default database (#19940) and prevented ``teardown_databases`` from |
| 40 | + attempting to tear down aliases (#20681). |
| 41 | +* Fixed the ``django.core.cache.backends.memcached.MemcachedCache`` backend's |
| 42 | + ``get_many()`` method on Python 3 (#20722). |
| 43 | +* Fixed :mod:`django.contrib.humanize` translation syntax errors. Affected |
| 44 | + languages: Mexican Spanish, Mongolian, Romanian, Turkish (#20695). |
| 45 | +* Added support for wheel packages (#19252). |
| 46 | +* The CSRF token now rotates when a user logs in. |
| 47 | +* Some Python 3 compatibility fixes including #20212 and #20025. |
| 48 | +* Fixed some rare cases where :meth:`~django.db.models.query.QuerySet.get` |
| 49 | + exceptions recursed infinitely (#20278). |
| 50 | +* :djadmin:`makemessages` no longer crashes with ``UnicodeDecodeError`` |
| 51 | + (#20354). |
| 52 | +* Fixed ``geojson`` detection with Spatialite. |
| 53 | +* :meth:`~django.test.SimpleTestCase.assertContains` once again works with |
| 54 | + binary content (#20237). |
| 55 | +* Fixed :class:`~django.db.models.ManyToManyField` if it has a unicode ``name`` |
| 56 | + parameter (#20207). |
| 57 | +* Ensured that the WSGI request's path is correctly based on the |
| 58 | + ``SCRIPT_NAME`` environment variable or the :setting:`FORCE_SCRIPT_NAME` |
| 59 | + setting, regardless of whether or not either has a trailing slash (#20169). |
| 60 | +* Fixed an obscure bug with the :func:`~django.test.utils.override_settings` |
| 61 | + decorator. If you hit an ``AttributeError: 'Settings' object has no attribute |
| 62 | + '_original_allowed_hosts'`` exception, it's probably fixed (#20636). |
0 commit comments