django/docs/releases/1.6.5.txt

64 lines
2.8 KiB
Plaintext
Raw Normal View History

2014-04-29 00:38:06 +00:00
==========================
Django 1.6.5 release notes
==========================
*May 14, 2014*
2014-04-29 00:38:06 +00:00
2014-05-15 11:11:29 +00:00
Django 1.6.5 fixes two security issues and several bugs in 1.6.4.
Issue: Caches may incorrectly be allowed to store and serve private data
========================================================================
2014-05-15 11:11:29 +00:00
In certain situations, Django may allow caches to store private data
related to a particular session and then serve that data to requests
2014-05-15 11:11:29 +00:00
with a different session, or no session at all. This can lead to
information disclosure and can be a vector for cache poisoning.
When using Django sessions, Django will set a ``Vary: Cookie`` header to
ensure caches do not serve cached data to requests from other sessions.
However, older versions of Internet Explorer (most likely only Internet
Explorer 6, and Internet Explorer 7 if run on Windows XP or Windows Server
2003) are unable to handle the ``Vary`` header in combination with many content
types. Therefore, Django would remove the header if the request was made by
Internet Explorer.
2014-05-15 11:11:29 +00:00
To remedy this, the special behavior for these older Internet Explorer versions
has been removed, and the ``Vary`` header is no longer stripped from the response.
In addition, modifications to the ``Cache-Control`` header for all Internet Explorer
2014-05-15 11:11:29 +00:00
requests with a ``Content-Disposition`` header have also been removed as they
were found to have similar issues.
Issue: Malformed redirect URLs from user input not correctly validated
======================================================================
2014-05-15 11:11:29 +00:00
The validation for redirects did not correctly validate some malformed URLs,
which are accepted by some browsers. This allows a user to be redirected to
an unsafe URL unexpectedly.
Django relies on user input in some cases (e.g.
:func:`django.contrib.auth.views.login`, ``django.contrib.comments``, and
:doc:`i18n </topics/i18n/index>`) to redirect the user to an "on success" URL.
The security checks for these redirects (namely
``django.util.http.is_safe_url()``) did not correctly validate some malformed
URLs, such as `http:\\\\\\djangoproject.com`, which are accepted by some browsers
with more liberal URL parsing.
To remedy this, the validation in ``is_safe_url()`` has been tightened to be able
to handle and correctly validate these malformed URLs.
2014-04-29 00:38:06 +00:00
Bugfixes
========
* Made the ``year_lookup_bounds_for_datetime_field`` Oracle backend method
Python 3 compatible (:ticket:`22551`).
* Fixed ``pgettext_lazy`` crash when receiving bytestring content on Python 2
(:ticket:`22565`).
* Fixed the SQL generated when filtering by a negated ``Q`` object that contains
a ``F`` object. (:ticket:`22429`).
* Avoided overwriting data fetched by ``select_related()`` in certain cases
which could cause minor performance regressions
(:ticket:`22508`).