django/docs/releases/1.8.4.txt

==========================
Django 1.8.4 release notes
==========================

*August 18, 2015*

Django 1.8.4 fixes a security issue and several bugs in 1.8.3.

Denial-of-service possibility in ``logout()`` view by filling session store
===========================================================================

Previously, a session could be created when anonymously accessing the
``django.contrib.auth.views.logout()`` view (provided it wasn't decorated
with :func:`~django.contrib.auth.decorators.login_required` as done in the
admin). This could allow an attacker to easily create many new session records
by sending repeated requests, potentially filling up the session store or
causing other users' session records to be evicted.

The :class:`~django.contrib.sessions.middleware.SessionMiddleware` has been
modified to no longer create empty session records, including when
:setting:`SESSION_SAVE_EVERY_REQUEST` is active.

Bugfixes
========

* Added the ability to serialize values from the newly added
  :class:`~django.db.models.UUIDField` (:ticket:`25019`).

* Added a system check warning if the old ``TEMPLATE_*`` settings are defined
  in addition to the new ``TEMPLATES`` setting.

* Fixed ``QuerySet.raw()`` so ``InvalidQuery`` is not raised when using the
  ``db_column`` name of a ``ForeignKey`` field with ``primary_key=True``
  (:ticket:`12768`).

* Prevented an exception in ``TestCase.setUpTestData()`` from leaking the
  transaction (:ticket:`25176`).

* Fixed ``has_changed()`` method in ``contrib.postgres.forms.HStoreField``
  (:ticket:`25215`, :ticket:`25233`).

* Fixed the recording of squashed migrations when running the ``migrate``
  command (:ticket:`25231`).

* Moved the :ref:`unsaved model instance assignment data loss check
  <unsaved-model-instance-check-18>` to ``Model.save()`` to allow easier usage
  of in-memory models (:ticket:`25160`).

* Prevented ``varchar_patterns_ops`` and ``text_patterns_ops`` indexes for
  ``ArrayField`` (:ticket:`25180`).
Added stub release notes for 1.8.4 2015-07-10 06:51:16 +00:00			`==========================`
			`Django 1.8.4 release notes`
			`==========================`

Added stub release notes for security releases. 2015-08-07 22:26:40 +00:00			`August 18, 2015`
Added stub release notes for 1.8.4 2015-07-10 06:51:16 +00:00
Added stub release notes for security releases. 2015-08-07 22:26:40 +00:00			`Django 1.8.4 fixes a security issue and several bugs in 1.8.3.`
Added stub release notes for 1.8.4 2015-07-10 06:51:16 +00:00
Fixed DoS possiblity in contrib.auth.views.logout() Thanks Florian Apolloner and Carl Meyer for review. This is a security fix. 2015-08-05 20:51:42 +00:00			Denial-of-service possibility in ``logout()`` view by filling session store
			`===========================================================================`

			`Previously, a session could be created when anonymously accessing the`
Refs #17209 -- Removed login/logout and password reset/change function-based views. Per deprecation timeline. 2017-09-02 23:24:18 +00:00			``django.contrib.auth.views.logout()`` view (provided it wasn't decorated
Fixed DoS possiblity in contrib.auth.views.logout() Thanks Florian Apolloner and Carl Meyer for review. This is a security fix. 2015-08-05 20:51:42 +00:00			with :func:`~django.contrib.auth.decorators.login_required` as done in the
			`admin). This could allow an attacker to easily create many new session records`
			`by sending repeated requests, potentially filling up the session store or`
			`causing other users' session records to be evicted.`

			The :class:`~django.contrib.sessions.middleware.SessionMiddleware` has been
Fixed #25489 -- Documented that SESSION_SAVE_EVERY_REQUEST doesn't create empty sessions. 2015-10-29 20:56:16 +00:00			`modified to no longer create empty session records, including when`
			:setting:`SESSION_SAVE_EVERY_REQUEST` is active.
Fixed DoS possiblity in contrib.auth.views.logout() Thanks Florian Apolloner and Carl Meyer for review. This is a security fix. 2015-08-05 20:51:42 +00:00
Added stub release notes for 1.8.4 2015-07-10 06:51:16 +00:00			`Bugfixes`
			`========`

Added release note for the UUID serialization backport Refs #25019. 2015-07-10 06:59:45 +00:00			`* Added the ability to serialize values from the newly added`
			:class:`~django.db.models.UUIDField` (:ticket:`25019`).
Fixed #25079 -- Added warning if both TEMPLATES and TEMPLATE_* settings are defined. Django ignores the value of the TEMPLATE_* settings if TEMPLATES is also set, which is confusing for users following older tutorials. This change adds a system check that warns if any of the TEMPLATE_* settings have changed from their defaults but the TEMPLATES dict is also non-empty. Removed the TEMPLATE_DIRS from the test settings file; this was marked for removal in 1.10 but no tests fail if it is removed now. 2015-07-11 17:15:38 +00:00
			* Added a system check warning if the old ``TEMPLATE_*`` settings are defined
			in addition to the new ``TEMPLATES`` setting.
Fixed #12768 -- Fixed QuerySet.raw() regression on FK with custom db_column. 2015-07-22 18:54:42 +00:00
			* Fixed ``QuerySet.raw()`` so ``InvalidQuery`` is not raised when using the
			``db_column`` name of a ``ForeignKey`` field with ``primary_key=True``
			(:ticket:`12768`).
Fixed #25176 -- Prevented TestCase.setUpTestData() exception from leaking transaction. 2015-07-26 16:42:21 +00:00
			* Prevented an exception in ``TestCase.setUpTestData()`` from leaking the
			transaction (:ticket:`25176`).
Fixed #25215 -- Solved reference to forms.HStoreField in declaration of HStoreField Correct test which was using the model field in a test form. 2015-08-04 00:47:58 +00:00
Fixed #25233 -- Fixed HStoreField.has_changed() handling of initial values. Thanks Simon Charette for review. 2015-08-07 17:06:56 +00:00			* Fixed ``has_changed()`` method in ``contrib.postgres.forms.HStoreField``
			(:ticket:`25215`, :ticket:`25233`).
Fixed #25231 -- Added recording of squashed migrations in the migrate command. Ensured squashed migrations are recorded as applied when the migrate command is run and all of the original migrations have been previously applied. 2015-08-07 01:12:00 +00:00
			* Fixed the recording of squashed migrations when running the ``migrate``
			command (:ticket:`25231`).
Fixed #25160 -- Moved unsaved model instance data loss check to Model.save() This mostly reverts 5643a3b51be338196d0b292d5626ad43648448d3 and 81e1a35c364e5353d2bf99368ad30a4184fbb653. Thanks Carl Meyer for review. 2015-07-24 11:51:40 +00:00
			* Moved the :ref:`unsaved model instance assignment data loss check
			<unsaved-model-instance-check-18>` to ``Model.save()`` to allow easier usage
			of in-memory models (:ticket:`25160`).
Fixed #25180 -- Prevented varchar_patterns_ops and text_patterns_ops indexes for ArrayField. 2015-08-08 12:44:27 +00:00
			* Prevented ``varchar_patterns_ops`` and ``text_patterns_ops`` indexes for
			``ArrayField`` (:ticket:`25180`).