2015-11-06 19:18:00 +00:00
|
|
|
===========================
|
|
|
|
|
Django 1.7.11 release notes
|
|
|
|
|
===========================
|
|
|
|
|
|
2015-11-24 15:43:29 +00:00
|
|
|
*November 24, 2015*
|
2015-11-06 19:18:00 +00:00
|
|
|
|
2015-11-11 19:10:55 +00:00
|
|
|
Django 1.7.11 fixes a security issue and a data loss bug in 1.7.10.
|
|
|
|
|
|
|
|
|
|
Fixed settings leak possibility in ``date`` template filter
|
|
|
|
|
===========================================================
|
|
|
|
|
|
|
|
|
|
If an application allows users to specify an unvalidated format for dates and
|
|
|
|
|
passes this format to the :tfilter:`date` filter, e.g.
|
|
|
|
|
``{{ last_updated|date:user_date_format }}``, then a malicious user could
|
|
|
|
|
obtain any secret in the application's settings by specifying a settings key
|
|
|
|
|
instead of a date format. e.g. ``"SECRET_KEY"`` instead of ``"j/m/Y"``.
|
|
|
|
|
|
|
|
|
|
To remedy this, the underlying function used by the ``date`` template filter,
|
|
|
|
|
``django.utils.formats.get_format()``, now only allows accessing the date/time
|
|
|
|
|
formatting settings.
|
2015-11-06 19:18:00 +00:00
|
|
|
|
|
|
|
|
Bugfixes
|
|
|
|
|
========
|
|
|
|
|
|
|
|
|
|
* Fixed a data loss possibility with :class:`~django.db.models.Prefetch` if
|
|
|
|
|
``to_attr`` is set to a ``ManyToManyField`` (:ticket:`25693`).
|
