django/docs/releases/1.6.6.txt

==========================
Django 1.6.6 release notes
==========================

*Under development*

Django 1.6.6 fixes several security issues and bugs in 1.6.5.

:func:`~django.core.urlresolvers.reverse()` could generate URLs pointing to other hosts
=======================================================================================

In certain situations, URL reversing could generate scheme-relative URLs  (URLs
starting with two slashes), which could unexpectedly redirect a user  to a
different host. An attacker could exploit this, for example, by redirecting
users to a phishing site designed to ask for user's passwords.

To remedy this, URL reversing now ensures that no URL starts with two slashes
(//), replacing the second slash with its URL encoded counterpart (%2F). This
approach ensures that semantics stay the same, while making the URL relative to
the domain and not to the scheme.

Bugfixes
========

* Corrected email and URL validation to reject a trailing dash
  (:ticket:`22579`).

* Prevented indexes on PostgreSQL virtual fields (:ticket:`22514`).

* Prevented edge case where values of FK fields could be initialized with a
  wrong value when an inline model formset is created for a relationship
  defined to point to a field other than the PK (:ticket:`13794`).

* Restored ``pre_delete``  signals for ``GenericRelation`` cascade deletion
  (:ticket:`22998`).

* Fixed transaction handling when specifying non-default database in
  ``createcachetable`` and ``flush`` (:ticket:`23089`).

* Fixed the "ORA-01843: not a valid month" errors when using Unicode
  with older versions of Oracle server (:ticket:`20292`).

* Restored bug fix for sending unicode email with Python 2.6.5 and below
  (:ticket:`19107`).

* Prevented ``UnicodeDecodeError`` in ``runserver`` with non-UTF-8 and
  non-English locale (:ticket:`23265`).

* Fixed JavaScript errors while editing multi-geometry objects in the OpenLayers
  widget (:ticket:`23137`, :ticket:`23293`).

* Prevented a crash on Python 3 with query strings containing unencoded
  non-ASCII characters (:ticket:`22996`).
[1.7.x] Added stub release notes for 1.6.6. Backport of 79e9da3d1e from master 2014-05-16 18:19:23 -04:00			`==========================`
			`Django 1.6.6 release notes`
			`==========================`

			`Under development`

[1.7.x] Added release note stubs for 1.5.9 and 1.4.14. 2014-08-05 15:20:05 -04:00			`Django 1.6.6 fixes several security issues and bugs in 1.6.5.`
[1.7.x] Added stub release notes for 1.6.6. Backport of 79e9da3d1e from master 2014-05-16 18:19:23 -04:00
[1.7.x] Prevented reverse() from generating URLs pointing to other hosts. This is a security fix. Disclosure following shortly. 2014-07-17 21:59:28 +02:00			:func:`~django.core.urlresolvers.reverse()` could generate URLs pointing to other hosts
			`=======================================================================================`

			`In certain situations, URL reversing could generate scheme-relative URLs (URLs`
			`starting with two slashes), which could unexpectedly redirect a user to a`
			`different host. An attacker could exploit this, for example, by redirecting`
			`users to a phishing site designed to ask for user's passwords.`

			`To remedy this, URL reversing now ensures that no URL starts with two slashes`
			`(//), replacing the second slash with its URL encoded counterpart (%2F). This`
			`approach ensures that semantics stay the same, while making the URL relative to`
			`the domain and not to the scheme.`

[1.7.x] Added stub release notes for 1.6.6. Backport of 79e9da3d1e from master 2014-05-16 18:19:23 -04:00			`Bugfixes`
			`========`

			`* Corrected email and URL validation to reject a trailing dash`
[1.7.x] Added sphinx extension to ease generation of ticket links. Backport of fca677fa43 from master 2014-08-19 10:22:51 -04:00			(:ticket:`22579`).
[1.7.x] Added refs #22514 to 1.6.6 release notes. Backport of 1892ced10a from master 2014-06-20 18:47:14 -04:00
[1.7.x] Added sphinx extension to ease generation of ticket links. Backport of fca677fa43 from master 2014-08-19 10:22:51 -04:00			* Prevented indexes on PostgreSQL virtual fields (:ticket:`22514`).
[1.7.x] Added 1.6.6 release notes for #22998 (also forwardported those for #13794). Backport of c62c480b2b from master 2014-07-16 13:34:53 -04:00
			`* Prevented edge case where values of FK fields could be initialized with a`
			`wrong value when an inline model formset is created for a relationship`
[1.7.x] Added sphinx extension to ease generation of ticket links. Backport of fca677fa43 from master 2014-08-19 10:22:51 -04:00			defined to point to a field other than the PK (:ticket:`13794`).
[1.7.x] Added 1.6.6 release notes for #22998 (also forwardported those for #13794). Backport of c62c480b2b from master 2014-07-16 13:34:53 -04:00
			* Restored ``pre_delete`` signals for ``GenericRelation`` cascade deletion
[1.7.x] Added sphinx extension to ease generation of ticket links. Backport of fca677fa43 from master 2014-08-19 10:22:51 -04:00			(:ticket:`22998`).
[1.7.x] Fixed #23089 -- Fixed transaction handling in two management commands. Previously, when createcachetable and flush operated on non-default databases, they weren't atomic. Backport of 753a22a635 from master 2014-03-21 18:48:57 +01:00
			`* Fixed transaction handling when specifying non-default database in`
[1.7.x] Added sphinx extension to ease generation of ticket links. Backport of fca677fa43 from master 2014-08-19 10:22:51 -04:00			``createcachetable`` and ``flush`` (:ticket:`23089`).
[1.7.x] Forwardported 1.6.6 release notes for refs #20292. Backport of f294f93a17 from master 2014-07-29 09:39:19 -04:00
			`* Fixed the "ORA-01843: not a valid month" errors when using Unicode`
[1.7.x] Added sphinx extension to ease generation of ticket links. Backport of fca677fa43 from master 2014-08-19 10:22:51 -04:00			with older versions of Oracle server (:ticket:`20292`).
[1.7.x] Forwardported 1.6.6 release note for #19107. Backport of 7fcfefbc4a from master 2014-07-30 09:33:02 -04:00
			`* Restored bug fix for sending unicode email with Python 2.6.5 and below`
[1.7.x] Added sphinx extension to ease generation of ticket links. Backport of fca677fa43 from master 2014-08-19 10:22:51 -04:00			(:ticket:`19107`).
[1.7.x] Fixed #23265 -- Used system-specific encoding in runserver Thanks SpaceFox for the report. Backport of 055d95fce066 from master. 2014-08-14 11:56:25 +02:00
			* Prevented ``UnicodeDecodeError`` in ``runserver`` with non-UTF-8 and
[1.7.x] Added sphinx extension to ease generation of ticket links. Backport of fca677fa43 from master 2014-08-19 10:22:51 -04:00			non-English locale (:ticket:`23265`).
[1.7.x] Complemented 1.6 release notes for 457c16d0d6 And accessorily added missing bits fixing #23293. 2014-08-15 10:11:53 +02:00
			`* Fixed JavaScript errors while editing multi-geometry objects in the OpenLayers`
[1.7.x] Added sphinx extension to ease generation of ticket links. Backport of fca677fa43 from master 2014-08-19 10:22:51 -04:00			widget (:ticket:`23137`, :ticket:`23293`).
[1.7.x] Fixed #22996 -- Prevented crash with unencoded query string Thanks Jorge Carleitao for the report and Aymeric Augustin, Tim Graham for the reviews. Backport of fa02120d36 from master. 2014-07-12 19:37:59 +02:00
			`* Prevented a crash on Python 3 with query strings containing unencoded`
[1.7.x] Added sphinx extension to ease generation of ticket links. Backport of fca677fa43 from master 2014-08-19 10:22:51 -04:00			non-ASCII characters (:ticket:`22996`).