==========================Django 1.2.5 release notes==========================Welcome to Django 1.2.5!This is the fifth "bugfix" release in the Django 1.2 series,improving the stability and performance of the Django 1.2 codebase.With four exceptions, Django 1.2.5 maintains backwards compatibilitywith Django 1.2.4. It also contains a number of fixes and otherimprovements. Django 1.2.5 is a recommended upgrade for anydevelopment or deployment currently using or targeting Django 1.2.For full details on the new features, backwards incompatibilities, anddeprecated features in the 1.2 branch, see the :doc:`/releases/1.2`.Backwards incompatible changes==============================CSRF exception for AJAX requests--------------------------------Django includes a CSRF-protection mechanism, which makes use of atoken inserted into outgoing forms. Middleware then checks for thetoken's presence on form submission, and validates it.Prior to Django 1.2.5, our CSRF protection made an exception for AJAXrequests, on the following basis:* Many AJAX toolkits add an X-Requested-With header when usingXMLHttpRequest.* Browsers have strict same-origin policies regardingXMLHttpRequest.* In the context of a browser, the only way that a custom headerof this nature can be added is with XMLHttpRequest.Therefore, for ease of use, we did not apply CSRF checks to requeststhat appeared to be AJAX on the basis of the X-Requested-With header.The Ruby on Rails web framework had a similar exemption.Recently, engineers at Google made members of the Ruby on Railsdevelopment team aware of a combination of browser plugins andredirects which can allow an attacker to provide custom HTTP headerson a request to any website. This can allow a forged request to appearto be an AJAX request, thereby defeating CSRF protection which truststhe same-origin nature of AJAX requests.Michael Koziarski of the Rails team brought this to our attention, andwe were able to produce a proof-of-concept demonstrating the samevulnerability in Django's CSRF handling.To remedy this, Django will now apply full CSRF validation to allrequests, regardless of apparent AJAX origin. This is technicallybackwards-incompatible, but the security risks have been judged tooutweigh the compatibility concerns in this case.Additionally, Django will now accept the CSRF token in the custom HTTPheader X-CSRFTOKEN, as well as in the form submission itself, for easeof use with popular JavaScript toolkits which allow insertion ofcustom headers into all AJAX requests.Please see the :ref:`CSRF docs for example jQuery code <csrf-ajax>`that demonstrates this technique, ensuring that you are looking at thedocumentation for your version of Django, as the exact code necessaryis different for some older versions of Django.FileField no longer deletes files---------------------------------In earlier Django versions, when a model instance containing a:class:`~django.db.models.FileField` was deleted,:class:`~django.db.models.FileField` took it upon itself to also delete thefile from the backend storage. This opened the door to several potentiallyserious data-loss scenarios, including rolled-back transactions and fields ondifferent models referencing the same file. In Django 1.2.5,:class:`~django.db.models.FileField` will never delete files from the backendstorage. If you need cleanup of orphaned files, you'll need to handle ityourself (for instance, with a custom management command that can be runmanually or scheduled to run periodically via e.g. cron).Use of custom SQL to load initial data in tests-----------------------------------------------Django provides a custom SQL hooks as a way to inject hand-crafted SQLinto the database synchronization process. One of the possible usesfor this custom SQL is to insert data into your database. If yourcustom SQL contains ``INSERT`` statements, those insertions will beperformed every time your database is synchronized. This includes thesynchronization of any test databases that are created when you run atest suite.However, in the process of testing the Django 1.3, it was discoveredthat this feature has never completely worked as advertised. Whenusing database backends that don't support transactions, or when usinga TransactionTestCase, data that has been inserted using custom SQLwill not be visible during the testing process.Unfortunately, there was no way to rectify this problem withoutintroducing a backwards incompatibility. Rather than leaveSQL-inserted initial data in an uncertain state, Django now enforcesthe policy that data inserted by custom SQL will *not* be visibleduring testing.This change only affects the testing process. You can still use customSQL to load data into your production database as part of the ``syncdb``process. If you require data to exist during test conditions, youshould either insert it using :ref:`test fixtures<topics-testing-fixtures>`, or using the ``setUp()`` method of yourtest case.ModelAdmin.lookup_allowed signature changed-------------------------------------------Django 1.2.4 introduced a method ``lookup_allowed`` on ``ModelAdmin``, to copewith a security issue (changeset :commit:`[15033]<85207a245bf09fdebe486b4c7bbcb65300f2a693>`). Although this method was neverdocumented, it seems some people have overridden ``lookup_allowed``, especiallyto cope with regressions introduced by that changeset. While the method isstill undocumented and not marked as stable, it may be helpful to know that thesignature of this function has changed.