mirror of https://github.com/django/django.git
67 lines
2.6 KiB
Plaintext
67 lines
2.6 KiB
Plaintext
==========================
|
|
Django 1.8.7 release notes
|
|
==========================
|
|
|
|
*November 24, 2015*
|
|
|
|
Django 1.8.7 fixes a security issue and several bugs in 1.8.6.
|
|
|
|
Additionally, Django's vendored version of six, ``django.utils.six``, has
|
|
been upgraded to the latest release (1.10.0).
|
|
|
|
Fixed settings leak possibility in ``date`` template filter
|
|
===========================================================
|
|
|
|
If an application allows users to specify an unvalidated format for dates and
|
|
passes this format to the :tfilter:`date` filter, e.g.
|
|
``{{ last_updated|date:user_date_format }}``, then a malicious user could
|
|
obtain any secret in the application's settings by specifying a settings key
|
|
instead of a date format. e.g. ``"SECRET_KEY"`` instead of ``"j/m/Y"``.
|
|
|
|
To remedy this, the underlying function used by the ``date`` template filter,
|
|
``django.utils.formats.get_format()``, now only allows accessing the date/time
|
|
formatting settings.
|
|
|
|
Bugfixes
|
|
========
|
|
|
|
* Fixed a crash of the debug view during the autumn DST change when
|
|
:setting:`USE_TZ` is ``False`` and ``pytz`` is installed.
|
|
|
|
* Fixed a regression in 1.8.6 that caused database routers without an
|
|
``allow_migrate()`` method to crash (:ticket:`25686`).
|
|
|
|
* Fixed a regression in 1.8.6 by restoring the ability to use ``Manager``
|
|
objects for the ``queryset`` argument of ``ModelChoiceField``
|
|
(:ticket:`25683`).
|
|
|
|
* Fixed a regression in 1.8.6 that caused an application with South migrations
|
|
in the ``migrations`` directory to fail (:ticket:`25618`).
|
|
|
|
* Fixed a data loss possibility with :class:`~django.db.models.Prefetch` if
|
|
``to_attr`` is set to a ``ManyToManyField`` (:ticket:`25693`).
|
|
|
|
* Fixed a regression in 1.8 by making ``gettext()`` once again return UTF-8
|
|
bytestrings on Python 2 if the input is a bytestring (:ticket:`25720`).
|
|
|
|
* Fixed serialization of
|
|
:class:`~django.contrib.postgres.fields.DateRangeField` and
|
|
:class:`~django.contrib.postgres.fields.DateTimeRangeField` (:ticket:`24937`).
|
|
|
|
* Fixed the exact lookup of ``ArrayField`` (:ticket:`25666`).
|
|
|
|
* Fixed ``Model.refresh_from_db()`` updating of ``ForeignKey`` fields with
|
|
``on_delete=models.SET_NULL`` (:ticket:`25715`).
|
|
|
|
* Fixed a duplicate query regression in 1.8 on proxied model deletion
|
|
(:ticket:`25685`).
|
|
|
|
* Fixed ``set_FOO_order()`` crash when the ``ForeignKey`` of a model with
|
|
``order_with_respect_to`` references a model with a ``OneToOneField``
|
|
primary key (:ticket:`25786`).
|
|
|
|
* Fixed incorrect validation for ``PositiveIntegerField`` and
|
|
``PositiveSmallIntegerField`` on MySQL resulting in values greater than
|
|
4294967295 or 65535, respectively, passing validation and being silently
|
|
truncated by the database (:ticket:`25767`).
|