1
0
mirror of https://github.com/django/django.git synced 2024-12-26 02:56:25 +00:00
django/docs/internals/deprecation.txt
Luke Plant 45c7f427ce Fixed #14445 - Use HMAC and constant-time comparison functions where needed.
All adhoc MAC applications have been updated to use HMAC, using SHA1 to
generate unique keys for each application based on the SECRET_KEY, which is
common practice for this situation. In all cases, backwards compatibility
with existing hashes has been maintained, aiming to phase this out as per
the normal deprecation process. In this way, under most normal
circumstances the old hashes will have expired (e.g. by session expiration
etc.) before they become invalid.

In the case of the messages framework and the cookie backend, which was
already using HMAC, there is the possibility of a backwards incompatibility
if the SECRET_KEY is shorter than the default 50 bytes, but the low
likelihood and low impact meant compatibility code was not worth it.

All known instances where tokens/hashes were compared using simple string
equality, which could potentially open timing based attacks, have also been
fixed using a constant-time comparison function.

There are no known practical attacks against the existing implementations,
so these security improvements will not be backported.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@14218 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2010-10-14 20:54:30 +00:00

127 lines
5.9 KiB
Plaintext

===========================
Django Deprecation Timeline
===========================
This document outlines when various pieces of Django will be removed, following
their deprecation, as per the :ref:`Django deprecation policy
<internal-release-deprecation-policy>`
* 1.3
* ``AdminSite.root()``. This release will remove the old method for
hooking up admin URLs. This has been deprecated since the 1.1
release.
* Authentication backends need to define the boolean attributes
``supports_object_permissions`` and ``supports_anonymous_user``.
The old backend style is deprecated since the 1.2 release.
* The :mod:`django.contrib.gis.db.backend` module, including the
``SpatialBackend`` interface, is deprecated since the 1.2 release.
* 1.4
* ``CsrfResponseMiddleware``. This has been deprecated since the 1.2
release, in favour of the template tag method for inserting the CSRF
token. ``CsrfMiddleware``, which combines ``CsrfResponseMiddleware``
and ``CsrfViewMiddleware``, is also deprecated.
* The old imports for CSRF functionality (``django.contrib.csrf.*``),
which moved to core in 1.2, will be removed.
* ``SMTPConnection``. The 1.2 release deprecated the ``SMTPConnection``
class in favor of a generic E-mail backend API.
* The many to many SQL generation functions on the database backends
will be removed.
* The ability to use the ``DATABASE_*`` family of top-level settings to
define database connections will be removed.
* The ability to use shorthand notation to specify a database backend
(i.e., ``sqlite3`` instead of ``django.db.backends.sqlite3``) will be
removed.
* The ``get_db_prep_save``, ``get_db_prep_value`` and
``get_db_prep_lookup`` methods on Field were modified in 1.2 to support
multiple databases. In 1.4, the support functions that allow methods
with the old prototype to continue working will be removed.
* The ``Message`` model (in ``django.contrib.auth``), its related
manager in the ``User`` model (``user.message_set``), and the
associated methods (``user.message_set.create()`` and
``user.get_and_delete_messages()``), which have
been deprecated since the 1.2 release, will be removed. The
:doc:`messages framework </ref/contrib/messages>` should be used
instead.
* Authentication backends need to support the ``obj`` parameter for
permission checking. The ``supports_object_permissions`` variable
is not checked any longer and can be removed.
* Authentication backends need to support the ``AnonymousUser``
being passed to all methods dealing with permissions.
The ``supports_anonymous_user`` variable is not checked any
longer and can be removed.
* The ability to specify a callable template loader rather than a
``Loader`` class will be removed, as will the ``load_template_source``
functions that are included with the built in template loaders for
backwards compatibility. These have been deprecated since the 1.2
release.
* ``django.utils.translation.get_date_formats()`` and
``django.utils.translation.get_partial_date_formats()``. These
functions are replaced by the new locale aware formatting; use
``django.utils.formats.get_format()`` to get the appropriate
formats.
* In ``django.forms.fields``: ``DEFAULT_DATE_INPUT_FORMATS``,
``DEFAULT_TIME_INPUT_FORMATS`` and
``DEFAULT_DATETIME_INPUT_FORMATS``. Use
``django.utils.formats.get_format()`` to get the appropriate
formats.
* The ability to use a function-based test runners will be removed,
along with the ``django.test.simple.run_tests()`` test runner.
* The ``views.feed()`` view and ``feeds.Feed`` class in
``django.contrib.syndication`` have been deprecated since the 1.2
release. The class-based view ``views.Feed`` should be used instead.
* ``django.core.context_processors.auth``. This release will
remove the old method in favor of the new method in
``django.contrib.auth.context_processors.auth``. This has been
deprecated since the 1.2 release.
* The ``postgresql`` database backend has been deprecated in favor of
the ``postgresql_psycopg2`` backend.
* The ``no`` language code has been deprecated in favor of the ``nb``
language code.
* 1.5
* The ``mod_python`` request handler has been deprecated since the 1.3
release. The ``mod_wsgi`` handler should be used instead.
* The ``template`` attribute on :class:`~django.test.client.Response`
objects returned by the :ref:`test client <test-client>` has been
deprecated since the 1.3 release. The
:attr:`~django.test.client.Response.templates` attribute should be
used instead.
* The features of the :class:`django.test.simple.DjangoTestRunner`
(including fail-fast and Ctrl-C test termination) can now be provided
by the unittest-native :class:`TextTestRunner`. The
:class:`~django.test.simple.DjangoTestRunner` will be removed in
favor of using the unittest-native class.
* The undocumented function
:func:`django.contrib.formtools.utils.security_hash`
is deprecated, in favour of :func:`django.contrib.formtools.utils.form_hmac`
* 2.0
* ``django.views.defaults.shortcut()``. This function has been moved
to ``django.contrib.contenttypes.views.shortcut()`` as part of the
goal of removing all ``django.contrib`` references from the core
Django codebase. The old shortcut will be removed in the 2.0
release.