mirror of
				https://github.com/django/django.git
				synced 2025-10-25 06:36:07 +00:00 
			
		
		
		
	Cleaned up 1.5.4/1.4.8 release notes
This commit is contained in:
		| @@ -117,6 +117,8 @@ Filtering error reports | |||||||
| Filtering sensitive information | Filtering sensitive information | ||||||
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||||||
|  |  | ||||||
|  | .. currentmodule:: django.views.decorators.debug | ||||||
|  |  | ||||||
| Error reports are really helpful for debugging errors, so it is generally | Error reports are really helpful for debugging errors, so it is generally | ||||||
| useful to record as much relevant information about those errors as possible. | useful to record as much relevant information about those errors as possible. | ||||||
| For example, by default Django records the `full traceback`_ for the | For example, by default Django records the `full traceback`_ for the | ||||||
| @@ -240,11 +242,13 @@ attribute:: | |||||||
|             request.exception_reporter_filter = CustomExceptionReporterFilter() |             request.exception_reporter_filter = CustomExceptionReporterFilter() | ||||||
|         ... |         ... | ||||||
|  |  | ||||||
|  | .. currentmodule:: django.views.debug | ||||||
|  |  | ||||||
| Your custom filter class needs to inherit from | Your custom filter class needs to inherit from | ||||||
| :class:`django.views.debug.SafeExceptionReporterFilter` and may override the | :class:`django.views.debug.SafeExceptionReporterFilter` and may override the | ||||||
| following methods: | following methods: | ||||||
|  |  | ||||||
| .. class:: django.views.debug.SafeExceptionReporterFilter | .. class:: SafeExceptionReporterFilter | ||||||
|  |  | ||||||
| .. method:: SafeExceptionReporterFilter.is_active(self, request) | .. method:: SafeExceptionReporterFilter.is_active(self, request) | ||||||
|  |  | ||||||
|   | |||||||
| @@ -337,9 +337,10 @@ docs </ref/contrib/csrf>` for more information. | |||||||
| Error report filtering | Error report filtering | ||||||
| ~~~~~~~~~~~~~~~~~~~~~~ | ~~~~~~~~~~~~~~~~~~~~~~ | ||||||
|  |  | ||||||
| Two new function decorators, :func:`sensitive_variables` and | We added two function decorators, | ||||||
| :func:`sensitive_post_parameters`, were added to allow designating the | :func:`~django.views.decorators.debug.sensitive_variables` and | ||||||
| local variables and POST parameters which may contain sensitive | :func:`~django.views.decorators.debug.sensitive_post_parameters`, to allow | ||||||
|  | designating the local variables and POST parameters that may contain sensitive | ||||||
| information and should be filtered out of error reports. | information and should be filtered out of error reports. | ||||||
|  |  | ||||||
| All POST parameters are now systematically filtered out of error reports for | All POST parameters are now systematically filtered out of error reports for | ||||||
|   | |||||||
| @@ -375,9 +375,10 @@ docs </ref/contrib/csrf>` for more information. | |||||||
| Error report filtering | Error report filtering | ||||||
| ~~~~~~~~~~~~~~~~~~~~~~ | ~~~~~~~~~~~~~~~~~~~~~~ | ||||||
|  |  | ||||||
| Two new function decorators, :func:`sensitive_variables` and | We added two function decorators, | ||||||
| :func:`sensitive_post_parameters`, were added to allow designating the | :func:`~django.views.decorators.debug.sensitive_variables` and | ||||||
| local variables and POST parameters which may contain sensitive | :func:`~django.views.decorators.debug.sensitive_post_parameters`, to allow | ||||||
|  | designating the local variables and POST parameters that may contain sensitive | ||||||
| information and should be filtered out of error reports. | information and should be filtered out of error reports. | ||||||
|  |  | ||||||
| All POST parameters are now systematically filtered out of error reports for | All POST parameters are now systematically filtered out of error reports for | ||||||
|   | |||||||
							
								
								
									
										32
									
								
								docs/releases/1.4.8.txt
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										32
									
								
								docs/releases/1.4.8.txt
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,32 @@ | |||||||
|  | ========================== | ||||||
|  | Django 1.4.8 release notes | ||||||
|  | ========================== | ||||||
|  |  | ||||||
|  | *September 14, 2013* | ||||||
|  |  | ||||||
|  | Django 1.4.8 fixes two security issues present in previous Django releases in | ||||||
|  | the 1.4 series. | ||||||
|  |  | ||||||
|  | Denial-of-service via password hashers | ||||||
|  | -------------------------------------- | ||||||
|  |  | ||||||
|  | In previous versions of Django, no limit was imposed on the plaintext | ||||||
|  | length of a password. This allowed a denial-of-service attack through | ||||||
|  | submission of bogus but extremely large passwords, tying up server | ||||||
|  | resources performing the (expensive, and increasingly expensive with | ||||||
|  | the length of the password) calculation of the corresponding hash. | ||||||
|  |  | ||||||
|  | As of 1.4.8, Django's authentication framework imposes a 4096-byte | ||||||
|  | limit on passwords and will fail authentication with any submitted | ||||||
|  | password of greater length. | ||||||
|  |  | ||||||
|  | Corrected usage of :func:`~django.views.decorators.debug.sensitive_post_parameters` in :mod:`django.contrib.auth`’s admin | ||||||
|  | ------------------------------------------------------------------------------------------------------------------------- | ||||||
|  |  | ||||||
|  | The decoration of the ``add_view`` and ``user_change_password`` user admin | ||||||
|  | views with :func:`~django.views.decorators.debug.sensitive_post_parameters` | ||||||
|  | did not include :func:`~django.utils.decorators.method_decorator` (required | ||||||
|  | since the views are methods) resulting in the decorator not being properly | ||||||
|  | applied. This usage has been fixed and | ||||||
|  | :func:`~django.views.decorators.debug.sensitive_post_parameters` will now | ||||||
|  | throw an exception if it's improperly used. | ||||||
| @@ -507,10 +507,11 @@ docs </ref/contrib/csrf>` for more information. | |||||||
| Error report filtering | Error report filtering | ||||||
| ~~~~~~~~~~~~~~~~~~~~~~ | ~~~~~~~~~~~~~~~~~~~~~~ | ||||||
|  |  | ||||||
| We added two function decorators, :func:`sensitive_variables` and | We added two function decorators, | ||||||
| :func:`sensitive_post_parameters`, to allow designating the local variables | :func:`~django.views.decorators.debug.sensitive_variables` and | ||||||
| and POST parameters that may contain sensitive information and should be | :func:`~django.views.decorators.debug.sensitive_post_parameters`, to allow | ||||||
| filtered out of error reports. | designating the local variables and POST parameters that may contain sensitive | ||||||
|  | information and should be filtered out of error reports. | ||||||
|  |  | ||||||
| All POST parameters are now systematically filtered out of error reports for | All POST parameters are now systematically filtered out of error reports for | ||||||
| certain views (``login``, ``password_reset_confirm``, ``password_change`` and | certain views (``login``, ``password_reset_confirm``, ``password_change`` and | ||||||
|   | |||||||
							
								
								
									
										40
									
								
								docs/releases/1.5.4.txt
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										40
									
								
								docs/releases/1.5.4.txt
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,40 @@ | |||||||
|  | ========================== | ||||||
|  | Django 1.5.4 release notes | ||||||
|  | ========================== | ||||||
|  |  | ||||||
|  | *September 14, 2013* | ||||||
|  |  | ||||||
|  | This is Django 1.5.4, the fourth release in the Django 1.5 series. It addresses | ||||||
|  | two security issues and one bug. | ||||||
|  |  | ||||||
|  | Denial-of-service via password hashers | ||||||
|  | -------------------------------------- | ||||||
|  |  | ||||||
|  | In previous versions of Django, no limit was imposed on the plaintext | ||||||
|  | length of a password. This allowed a denial-of-service attack through | ||||||
|  | submission of bogus but extremely large passwords, tying up server | ||||||
|  | resources performing the (expensive, and increasingly expensive with | ||||||
|  | the length of the password) calculation of the corresponding hash. | ||||||
|  |  | ||||||
|  | As of 1.5.4, Django's authentication framework imposes a 4096-byte | ||||||
|  | limit on passwords, and will fail authentication with any submitted | ||||||
|  | password of greater length. | ||||||
|  |  | ||||||
|  | Corrected usage of :func:`~django.views.decorators.debug.sensitive_post_parameters` in :mod:`django.contrib.auth`’s admin | ||||||
|  | ------------------------------------------------------------------------------------------------------------------------- | ||||||
|  |  | ||||||
|  | The decoration of the ``add_view`` and ``user_change_password`` user admin | ||||||
|  | views with :func:`~django.views.decorators.debug.sensitive_post_parameters` | ||||||
|  | did not include :func:`~django.utils.decorators.method_decorator` (required | ||||||
|  | since the views are methods) resulting in the decorator not being properly | ||||||
|  | applied. This usage has been fixed and | ||||||
|  | :func:`~django.views.decorators.debug.sensitive_post_parameters` will now | ||||||
|  | throw an exception if it's improperly used. | ||||||
|  |  | ||||||
|  | Bugfixes | ||||||
|  | ======== | ||||||
|  |  | ||||||
|  | * Fixed a bug that prevented a ``QuerySet`` that uses | ||||||
|  |   :meth:`~django.db.models.query.QuerySet.prefetch_related` from being pickled | ||||||
|  |   and unpickled more than once (the second pickling attempt raised an | ||||||
|  |   exception) (#21102). | ||||||
| @@ -780,6 +780,22 @@ as JSON requires string keys, you will likely run into problems if you are | |||||||
| using non-string keys in ``request.session``. See the | using non-string keys in ``request.session``. See the | ||||||
| :ref:`session_serialization` documentation for more details. | :ref:`session_serialization` documentation for more details. | ||||||
|  |  | ||||||
|  | 4096-byte limit on passwords | ||||||
|  | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||||||
|  |  | ||||||
|  | .. note:: | ||||||
|  |     This behavior was also added in the Django 1.5.4 and 1.4.8 security | ||||||
|  |     releases. | ||||||
|  |  | ||||||
|  | Historically, Django has imposed no length limit on plaintext | ||||||
|  | passwords. This enables a denial-of-service attack through submission | ||||||
|  | of bogus but extremely large passwords, tying up server resources | ||||||
|  | performing the (expensive, and increasingly expensive with the length | ||||||
|  | of the password) calculation of the corresponding hash. | ||||||
|  |  | ||||||
|  | Django now imposes a 4096-byte limit on password length, and will fail | ||||||
|  | authentication with any submitted password of greater length. | ||||||
|  |  | ||||||
| Miscellaneous | Miscellaneous | ||||||
| ~~~~~~~~~~~~~ | ~~~~~~~~~~~~~ | ||||||
|  |  | ||||||
|   | |||||||
| @@ -402,14 +402,6 @@ Miscellaneous | |||||||
|   Rationale behind this is removal of dependency of non-contrib code on |   Rationale behind this is removal of dependency of non-contrib code on | ||||||
|   contrib applications. |   contrib applications. | ||||||
|  |  | ||||||
| * Passwords longer than 4096 bytes in length will no longer work and will |  | ||||||
|   instead raise a ``ValueError`` when using the hasher directory or the |  | ||||||
|   built in forms shipped with ``django.contrib.auth`` will fail validation. |  | ||||||
|  |  | ||||||
|   The rationale behind this is a possibility of a Denial of Service attack when |  | ||||||
|   using a slow password hasher, such as the default PBKDF2, and sending very |  | ||||||
|   large passwords. |  | ||||||
|  |  | ||||||
| Features deprecated in 1.7 | Features deprecated in 1.7 | ||||||
| ========================== | ========================== | ||||||
|  |  | ||||||
|   | |||||||
| @@ -36,6 +36,7 @@ Final releases | |||||||
| .. toctree:: | .. toctree:: | ||||||
|    :maxdepth: 1 |    :maxdepth: 1 | ||||||
|  |  | ||||||
|  |    1.5.4 | ||||||
|    1.5.3 |    1.5.3 | ||||||
|    1.5.2 |    1.5.2 | ||||||
|    1.5.1 |    1.5.1 | ||||||
| @@ -46,6 +47,7 @@ Final releases | |||||||
| .. toctree:: | .. toctree:: | ||||||
|    :maxdepth: 1 |    :maxdepth: 1 | ||||||
|  |  | ||||||
|  |    1.4.8 | ||||||
|    1.4.7 |    1.4.7 | ||||||
|    1.4.6 |    1.4.6 | ||||||
|    1.4.5 |    1.4.5 | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user