==========================
Django 1.8.7 release notes
==========================

*November 24, 2015*

Django 1.8.7 fixes a security issue and several bugs in 1.8.6.

Additionally, Django's vendored version of six, ``django.utils.six``, has
been upgraded to the latest release (1.10.0).

Fixed settings leak possibility in ``date`` template filter
===========================================================

If an application allows users to specify an unvalidated format for dates and
passes this format to the :tfilter:`date` filter, e.g.
``{{ last_updated|date:user_date_format }}``, then a malicious user could
obtain any secret in the application's settings by specifying a settings key
instead of a date format, e.g. ``"SECRET_KEY"`` instead of ``"j/m/Y"``.

To remedy this, the underlying function used by the ``date`` template filter,
``django.utils.formats.get_format()``, now only allows accessing the date/time
formatting settings.

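The following is an added example, not Django's own ``get_format()`` code: a simplified, framework-free model of the allowlist fix described above, placed next to the unrestricted lookup shape that made the leak possible, and followed by the application-side mitigation of never passing raw user input through as a format. The ``settings`` object, ``FORMAT_SETTINGS``, ``USER_DATE_FORMATS`` and all function names are constructed for this illustration (the allowlist names are modelled on Django's date/time/number formatting settings).

```python
"""Added example (not Django's own code): a simplified model of the
get_format() allowlist fix, plus an application-side mitigation.

settings, FORMAT_SETTINGS, USER_DATE_FORMATS and the functions below are
constructed for this illustration."""
from types import SimpleNamespace

# Constructed stand-in for django.conf.settings: one secret next to the
# date/time formatting settings a format lookup legitimately needs.
settings = SimpleNamespace(
    SECRET_KEY="constructed-secret-value",
    DATE_FORMAT="N j, Y",
    DATE_INPUT_FORMATS=["%Y-%m-%d"],
)

# Allowlist of setting names a format lookup may resolve. Assumption: the
# names are modelled on Django's date/time/number formatting settings.
FORMAT_SETTINGS = frozenset({
    "DECIMAL_SEPARATOR", "THOUSAND_SEPARATOR", "NUMBER_GROUPING",
    "FIRST_DAY_OF_WEEK", "MONTH_DAY_FORMAT", "TIME_FORMAT", "DATE_FORMAT",
    "DATETIME_FORMAT", "SHORT_DATE_FORMAT", "SHORT_DATETIME_FORMAT",
    "YEAR_MONTH_FORMAT", "DATE_INPUT_FORMATS", "TIME_INPUT_FORMATS",
    "DATETIME_INPUT_FORMATS",
})


def get_format_unrestricted(format_type):
    """Pre-fix shape of the lookup: any attribute name on settings resolves,
    and an unknown name falls back to being used as a literal format string
    (the date filter's AttributeError fallback, modelled here with a getattr
    default). A settings key such as "SECRET_KEY" therefore resolves to the
    secret's value, which then flows into the rendered output."""
    return getattr(settings, format_type, format_type)


def get_format_restricted(format_type):
    """Post-fix shape of the lookup: names outside the allowlist are never
    looked up on settings; they are returned unchanged and treated as a
    literal format string, so a settings key renders as harmless text."""
    if format_type not in FORMAT_SETTINGS:
        return format_type
    return getattr(settings, format_type)


# Application-level mitigation, independent of the framework fix: accept an
# opaque choice from the user and map it to a format the application defines.
USER_DATE_FORMATS = {"iso": "Y-m-d", "eu": "j/m/Y", "us": "m/d/Y"}


def resolve_user_date_format(choice, default="iso"):
    """Return an application-defined format for choice; unknown or
    adversarial values (such as a settings key) fall back to default."""
    return USER_DATE_FORMATS.get(choice, USER_DATE_FORMATS[default])


if __name__ == "__main__":
    for name in ("DATE_FORMAT", "j/m/Y", "SECRET_KEY"):
        print(name, "->", repr(get_format_unrestricted(name)),
              "| restricted:", repr(get_format_restricted(name)))
    print("user choice 'SECRET_KEY' ->", resolve_user_date_format("SECRET_KEY"))
```

The restricted lookup is the framework-side fix; the ``resolve_user_date_format`` mapping is the defence an application should apply regardless of Django version, since a fixed set of named choices leaves no way for a user-supplied string to reach the format lookup at all.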
    
Bugfixes
========

* Fixed a crash of the debug view during the autumn DST change when
  :setting:`USE_TZ` is ``False`` and ``pytz`` is installed.

* Fixed a regression in 1.8.6 that caused database routers without an
  ``allow_migrate()`` method to crash (:ticket:`25686`).

* Fixed a regression in 1.8.6 by restoring the ability to use ``Manager``
  objects for the ``queryset`` argument of ``ModelChoiceField``
  (:ticket:`25683`).

* Fixed a regression in 1.8.6 that caused an application with South migrations
  in the ``migrations`` directory to fail (:ticket:`25618`).

* Fixed a data loss possibility with :class:`~django.db.models.Prefetch` if
  ``to_attr`` is set to a ``ManyToManyField`` (:ticket:`25693`).

* Fixed a regression in 1.8 by making ``gettext()`` once again return UTF-8
  bytestrings on Python 2 if the input is a bytestring (:ticket:`25720`).

* Fixed serialization of
  :class:`~django.contrib.postgres.fields.DateRangeField` and
  :class:`~django.contrib.postgres.fields.DateTimeRangeField` (:ticket:`24937`).

* Fixed the exact lookup of ``ArrayField`` (:ticket:`25666`).

* Fixed ``Model.refresh_from_db()`` updating of ``ForeignKey`` fields with
  ``on_delete=models.SET_NULL`` (:ticket:`25715`).

* Fixed a duplicate query regression in 1.8 on proxied model deletion
  (:ticket:`25685`).

* Fixed ``set_FOO_order()`` crash when the ``ForeignKey`` of a model with
  ``order_with_respect_to`` references a model with a ``OneToOneField``
  primary key (:ticket:`25786`).

* Fixed incorrect validation for ``PositiveIntegerField`` and
  ``PositiveSmallIntegerField`` on MySQL resulting in values greater than
  4294967295 or 65535, respectively, passing validation and being silently
  truncated by the database (:ticket:`25767`).