1. ==========================

  2. Django 1.5.2 release notes

  3. ==========================

  4. 

  5. *August 13, 2013*

  6. 

  7. This is Django 1.5.2, a bugfix and security release for Django 1.5.

  8. 

  9. Mitigated possible XSS attack via user-supplied redirect URLs

  10. =============================================================

  11. 

  12. Django relies on user input in some cases (e.g.

  13. ``django.contrib.auth.views.login()``, ``django.contrib.comments``, and

  14. :doc:`i18n </topics/i18n/index>`) to redirect the user to an "on success" URL.

  15. The security checks for these redirects (namely

  16. ``django.utils.http.is_safe_url()``) didn't check if the scheme is ``http(s)``

  17. and as such allowed ``javascript:...`` URLs to be entered. If a developer

  18. relied on ``is_safe_url()`` to provide safe redirect targets and put such a

  19. URL into a link, they could suffer from a XSS attack. This bug doesn't affect

  20. Django currently, since we only put this URL into the ``Location`` response

  21. header and browsers seem to ignore JavaScript there.

  22. 

  23. XSS vulnerability in :mod:`django.contrib.admin`

  24. ================================================

  25. 

  26. If a :class:`~django.db.models.URLField` is used in Django 1.5, it displays the

  27. current value of the field and a link to the target on the admin change page.

  28. The display routine of this widget was flawed and allowed for XSS.

  29. 

  30. Bugfixes

  31. ========

  32. 

  33. * Fixed a crash with :meth:`~django.db.models.query.QuerySet.prefetch_related`

  34.   (#19607) as well as some ``pickle`` regressions with ``prefetch_related``

  35.   (#20157 and #20257).

  36. * Fixed a regression in :mod:`django.contrib.gis` in the Google Map output on

  37.   Python 3 (#20773).

  38. * Made ``DjangoTestSuiteRunner.setup_databases`` properly handle aliases for

  39.   the default database (#19940) and prevented ``teardown_databases`` from

  40.   attempting to tear down aliases (#20681).

  41. * Fixed the ``django.core.cache.backends.memcached.MemcachedCache`` backend's

  42.   ``get_many()`` method on Python 3 (#20722).

  43. * Fixed :mod:`django.contrib.humanize` translation syntax errors. Affected

  44.   languages: Mexican Spanish, Mongolian, Romanian, Turkish (#20695).

  45. * Added support for wheel packages (#19252).

  46. * The CSRF token now rotates when a user logs in.

  47. * Some Python 3 compatibility fixes including #20212 and #20025.

  48. * Fixed some rare cases where :meth:`~django.db.models.query.QuerySet.get`

  49.   exceptions recursed infinitely (#20278).

  50. * :djadmin:`makemessages` no longer crashes with ``UnicodeDecodeError``

  51.   (#20354).

  52. * Fixed ``geojson`` detection with SpatiaLite.

  53. * :meth:`~django.test.SimpleTestCase.assertContains` once again works with

  54.   binary content (#20237).

  55. * Fixed :class:`~django.db.models.ManyToManyField` if it has a Unicode ``name``

  56.   parameter (#20207).

  57. * Ensured that the WSGI request's path is correctly based on the

  58.   ``SCRIPT_NAME`` environment variable or the :setting:`FORCE_SCRIPT_NAME`

  59.   setting, regardless of whether or not either has a trailing slash (#20169).

  60. * Fixed an obscure bug with the :func:`~django.test.override_settings`

  61.   decorator. If you hit an ``AttributeError: 'Settings' object has no attribute

  62.   '_original_allowed_hosts'`` exception, it's probably fixed (#20636).
About Sign Up Leave Feedback Contact