1. ==========================

  2. Django 1.8.3 release notes

  3. ==========================

  4. 

  5. *July 8, 2015*

  6. 

  7. Django 1.8.3 fixes several security issues and bugs in 1.8.2.

  8. 

  9. Also, ``django.utils.deprecation.RemovedInDjango20Warning`` was renamed to

  10. ``RemovedInDjango110Warning`` as the version roadmap was revised to 1.9, 1.10,

  11. 1.11 (LTS), 2.0 (drops Python 2 support). For backwards compatibility,

  12. ``RemovedInDjango20Warning`` remains as an importable alias.

  13. 

  14. Denial-of-service possibility by filling session store

  15. ======================================================

  16. 

  17. In previous versions of Django, the session backends created a new empty record

  18. in the session storage anytime ``request.session`` was accessed and there was a

  19. session key provided in the request cookies that didn't already have a session

  20. record. This could allow an attacker to easily create many new session records

  21. simply by sending repeated requests with unknown session keys, potentially

  22. filling up the session store or causing other users' session records to be

  23. evicted.

  24. 

  25. The built-in session backends now create a session record only if the session

  26. is actually modified; empty session records are not created. Thus this

  27. potential DoS is now only possible if the site chooses to expose a

  28. session-modifying view to anonymous users.

  29. 

  30. As each built-in session backend was fixed separately (rather than a fix in the

  31. core sessions framework), maintainers of third-party session backends should

  32. check whether the same vulnerability is present in their backend and correct

  33. it if so.

  34. 

  35. Header injection possibility since validators accept newlines in input

  36. ======================================================================

  37. 

  38. Some of Django's built-in validators

  39. (:class:`~django.core.validators.EmailValidator`, most seriously) didn't

  40. prohibit newline characters (due to the usage of ``$`` instead of ``\Z`` in the

  41. regular expressions). If you use values with newlines in HTTP response or email

  42. headers, you can suffer from header injection attacks. Django itself isn't

  43. vulnerable because :class:`~django.http.HttpResponse` and the mail sending

  44. utilities in :mod:`django.core.mail` prohibit newlines in HTTP and SMTP

  45. headers, respectively. While the validators have been fixed in Django, if

  46. you're creating HTTP responses or email messages in other ways, it's a good

  47. idea to ensure that those methods prohibit newlines as well. You might also

  48. want to validate that any existing data in your application doesn't contain

  49. unexpected newlines.

  50. 

  51. :func:`~django.core.validators.validate_ipv4_address`,

  52. :func:`~django.core.validators.validate_slug`, and

  53. :class:`~django.core.validators.URLValidator` are also affected, however, as

  54. of Django 1.6 the ``GenericIPAddresseField``, ``IPAddressField``, ``SlugField``,

  55. and ``URLField`` form fields which use these validators all strip the input, so

  56. the possibility of newlines entering your data only exists if you are using

  57. these validators outside of the form fields.

  58. 

  59. The undocumented, internally unused ``validate_integer()`` function is now

  60. stricter as it validates using a regular expression instead of simply casting

  61. the value using ``int()`` and checking if an exception was raised.

  62. 

  63. Denial-of-service possibility in URL validation

  64. ===============================================

  65. 

  66. :class:`~django.core.validators.URLValidator` included a regular expression

  67. that was extremely slow to evaluate against certain invalid inputs. This regular

  68. expression has been simplified and optimized.

  69. 

  70. Bugfixes

  71. ========

  72. 

  73. * Fixed ``BaseRangeField.prepare_value()`` to use each ``base_field``’s

  74.   ``prepare_value()`` method (:ticket:`24841`).

  75. 

  76. * Fixed crash during :djadmin:`makemigrations` if a migrations module either

  77.   is missing ``__init__.py`` or is a file (:ticket:`24848`).

  78. 

  79. * Fixed ``QuerySet.exists()`` returning incorrect results after annotation with

  80.   ``Count()`` (:ticket:`24835`).

  81. 

  82. * Corrected ``HStoreField.has_changed()`` (:ticket:`24844`).

  83. 

  84. * Reverted an optimization to the CSRF template context processor which caused

  85.   a regression (:ticket:`24836`).

  86. 

  87. * Fixed a regression which caused template context processors to overwrite

  88.   variables set on a ``RequestContext`` after it's created (:ticket:`24847`).

  89. 

  90. * Prevented the loss of ``null``/``not null`` column properties during field

  91.   renaming of MySQL databases (:ticket:`24817`).

  92. 

  93. * Fixed a crash when using a reverse one-to-one relation in

  94.   ``ModelAdmin.list_display`` (:ticket:`24851`).

  95. 

  96. * Fixed quoting of SQL when renaming a field to ``AutoField`` in PostgreSQL

  97.   (:ticket:`24892`).

  98. 

  99. * Fixed lack of unique constraint when changing a field from

  100.   ``primary_key=True`` to ``unique=True`` (:ticket:`24893`).

  101. 

  102. * Fixed queryset pickling when using ``prefetch_related()`` after deleting

  103.   objects (:ticket:`24831`).

  104. 

  105. * Allowed using ``choices`` longer than 1 day with ``DurationField``

  106.   (:ticket:`24897`).

  107. 

  108. * Fixed a crash when loading squashed migrations from two apps with a

  109.   dependency between them, where the dependent app's replaced migrations are

  110.   partially applied (:ticket:`24895`).

  111. 

  112. * Fixed recording of applied status for squashed (replacement) migrations

  113.   (:ticket:`24628`).

  114. 

  115. * Fixed queryset annotations when using ``Case`` expressions with ``exclude()``

  116.   (:ticket:`24833`).

  117. 

  118. * Corrected join promotion for multiple ``Case`` expressions. Annotating a

  119.   query with multiple  ``Case`` expressions could unexpectedly filter out

  120.   results (:ticket:`24924`).

  121. 

  122. * Fixed usage of transforms in subqueries (:ticket:`24744`).

  123. 

  124. * Fixed ``SimpleTestCase.assertRaisesMessage()`` on Python 2.7.10

  125.   (:ticket:`24903`).

  126. 

  127. * Provided better backwards compatibility for the ``verbosity`` argument in

  128.   ``optparse`` management commands by casting it to an integer

  129.   (:ticket:`24769`).

  130. 

  131. * Fixed ``prefetch_related()`` on databases other than PostgreSQL for models

  132.   using UUID primary keys (:ticket:`24912`).

  133. 

  134. * Fixed removing ``unique_together`` constraints on MySQL (:ticket:`24972`).

  135. 

  136. * Fixed crash when uploading images with MIME types that Pillow doesn't detect,

  137.   such as bitmap, in ``forms.ImageField`` (:ticket:`24948`).

  138. 

  139. * Fixed a regression when deleting a model through the admin that has a

  140.   ``GenericRelation`` with a ``related_query_name`` (:ticket:`24940`).

  141. 

  142. * Reallowed non-ASCII values for ``ForeignKey.related_name`` on Python 3 by

  143.   fixing the false positive system check (:ticket:`25016`).

  144. 

  145. * Fixed inline forms that use a parent object that has a ``UUIDField`` primary

  146.   key and a child object that has an ``AutoField`` primary key

  147.   (:ticket:`24958`).

  148. 

  149. * Fixed a regression in the ``unordered_list`` template filter on certain

  150.   inputs (:ticket:`25031`).

  151. 

  152. * Fixed a regression in ``URLValidator`` that invalidated Punycode TLDs

  153.   (:ticket:`25059`).

  154. 

  155. * Improved ``pyinotify`` ``runserver`` polling (:ticket:`23882`).
About Sign Up Leave Feedback Contact