diff --git a/docs/releases/1.5.2.txt b/docs/releases/1.5.2.txt deleted file mode 100644 index 710f16555c..0000000000 --- a/docs/releases/1.5.2.txt +++ /dev/null @@ -1,62 +0,0 @@ -========================== -Django 1.5.2 release notes -========================== - -*August 13, 2013* - -This is Django 1.5.2, a bugfix and security release for Django 1.5. - -Mitigated possible XSS attack via user-supplied redirect URLs -------------------------------------------------------------- - -Django relies on user input in some cases (e.g. -:func:`django.contrib.auth.views.login`, :mod:`django.contrib.comments`, and -:doc:`i18n `) to redirect the user to an "on success" URL. -The security checks for these redirects (namely -``django.util.http.is_safe_url()``) didn't check if the scheme is ``http(s)`` -and as such allowed ``javascript:...`` URLs to be entered. If a developer -relied on ``is_safe_url()`` to provide safe redirect targets and put such a -URL into a link, he could suffer from a XSS attack. This bug doesn't affect -Django currently, since we only put this URL into the ``Location`` response -header and browsers seem to ignore JavaScript there. - -XSS vulnerability in :mod:`django.contrib.admin` ------------------------------------------------- - -If a :class:`~django.db.models.URLField` is used in Django 1.5, it displays the -current value of the field and a link to the target on the admin change page. -The display routine of this widget was flawed and allowed for XSS. - -Bugfixes -======== - -* Fixed a crash with :meth:`~django.db.models.query.QuerySet.prefetch_related` - (#19607) as well as some ``pickle`` regressions with ``prefetch_related`` - (#20157 and #20257). -* Fixed a regression in :mod:`django.contrib.gis` in the Google Map output on - Python 3 (#20773). -* Made ``DjangoTestSuiteRunner.setup_databases`` properly handle aliases for - the default database (#19940) and prevented ``teardown_databases`` from - attempting to tear down aliases (#20681). -* Fixed the ``django.core.cache.backends.memcached.MemcachedCache`` backend's - ``get_many()`` method on Python 3 (#20722). -* Fixed :mod:`django.contrib.humanize` translation syntax errors. Affected - languages: Mexican Spanish, Mongolian, Romanian, Turkish (#20695). -* Added support for wheel packages (#19252). -* The CSRF token now rotates when a user logs in. -* Some Python 3 compatibility fixes including #20212 and #20025. -* Fixed some rare cases where :meth:`~django.db.models.query.QuerySet.get` - exceptions recursed infinitely (#20278). -* :djadmin:`makemessages` no longer crashes with ``UnicodeDecodeError`` - (#20354). -* Fixed ``geojson`` detection with Spatialite. -* :meth:`~django.test.SimpleTestCase.assertContains` once again works with - binary content (#20237). -* Fixed :class:`~django.db.models.ManyToManyField` if it has a unicode ``name`` - parameter (#20207). -* Ensured that the WSGI request's path is correctly based on the - ``SCRIPT_NAME`` environment variable or the :setting:`FORCE_SCRIPT_NAME` - setting, regardless of whether or not either has a trailing slash (#20169). -* Fixed an obscure bug with the :func:`~django.test.utils.override_settings` - decorator. If you hit an ``AttributeError: 'Settings' object has no attribute - '_original_allowed_hosts'`` exception, it's probably fixed (#20636).