2018-07-04 00:05:53 +00:00
|
|
|
==========================
|
|
|
|
|
Django 2.0.8 release notes
|
|
|
|
|
==========================
|
|
|
|
|
|
2018-07-23 14:42:40 +00:00
|
|
|
*August 1, 2018*
|
2018-07-04 00:05:53 +00:00
|
|
|
|
2018-07-23 14:42:40 +00:00
|
|
|
Django 2.0.8 fixes a security issue and several bugs in 2.0.7.
|
2018-07-04 00:05:53 +00:00
|
|
|
|
2018-07-24 20:18:17 +00:00
|
|
|
CVE-2018-14574: Open redirect possibility in ``CommonMiddleware``
|
|
|
|
|
=================================================================
|
|
|
|
|
|
|
|
|
|
If the :class:`~django.middleware.common.CommonMiddleware` and the
|
|
|
|
|
:setting:`APPEND_SLASH` setting are both enabled, and if the project has a
|
|
|
|
|
URL pattern that accepts any path ending in a slash (many content management
|
|
|
|
|
systems have such a pattern), then a request to a maliciously crafted URL of
|
|
|
|
|
that site could lead to a redirect to another site, enabling phishing and other
|
|
|
|
|
attacks.
|
|
|
|
|
|
|
|
|
|
``CommonMiddleware`` now escapes leading slashes to prevent redirects to other
|
|
|
|
|
domains.
|
|
|
|
|
|
2018-07-04 00:05:53 +00:00
|
|
|
Bugfixes
|
|
|
|
|
========
|
|
|
|
|
|
2018-07-05 16:11:49 +00:00
|
|
|
* Fixed a regression in Django 2.0.7 that broke the ``regex`` lookup on MariaDB
|
|
|
|
|
(even though MariaDB isn't officially supported) (:ticket:`29544`).
|
2018-07-31 13:57:11 +00:00
|
|
|
|
|
|
|
|
* Fixed a regression where ``django.template.Template`` crashed if the
|
|
|
|
|
``template_string`` argument is lazy (:ticket:`29617`).
|
