mirror of https://github.com/django/django.git
31 lines
1.1 KiB
Plaintext
31 lines
1.1 KiB
Plaintext
==========================
|
|
Django 1.7.6 release notes
|
|
==========================
|
|
|
|
*March 9, 2015*
|
|
|
|
Django 1.7.6 fixes a security issue and several bugs in 1.7.5.
|
|
|
|
Mitigated an XSS attack via properties in ``ModelAdmin.readonly_fields``
|
|
========================================================================
|
|
|
|
The :attr:`ModelAdmin.readonly_fields
|
|
<django.contrib.admin.ModelAdmin.readonly_fields>` attribute in the Django
|
|
admin allows displaying model fields and model attributes. While the former
|
|
were correctly escaped, the latter were not. Thus untrusted content could be
|
|
injected into the admin, presenting an exploitation vector for XSS attacks.
|
|
|
|
In this vulnerability, every model attribute used in ``readonly_fields`` that
|
|
is not an actual model field (e.g. a :class:`property`) will **fail to be
|
|
escaped** even if that attribute is not marked as safe. In this release,
|
|
autoescaping is now correctly applied.
|
|
|
|
Bugfixes
|
|
========
|
|
|
|
* Fixed crash when coercing ``ManyRelatedManager`` to a string
|
|
(:ticket:`24352`).
|
|
|
|
* Fixed a bug that prevented migrations from adding a foreign key constraint
|
|
when converting an existing field to a foreign key (:ticket:`24447`).
|