1
0
mirror of https://github.com/django/django.git synced 2025-03-15 11:50:46 +00:00
django/docs/releases/1.8.4.txt
Tim Graham adc9fa8324 [1.9.x] Fixed #25489 -- Documented that SESSION_SAVE_EVERY_REQUEST doesn't create empty sessions.
Backport of abf5ccc29c45d53ec17541179bb5f0a75b28915d from master
2015-10-29 17:29:16 -04:00

51 lines
2.0 KiB
Plaintext

==========================
Django 1.8.4 release notes
==========================
*August 18, 2015*
Django 1.8.4 fixes a security issue and several bugs in 1.8.3.
Denial-of-service possibility in ``logout()`` view by filling session store
===========================================================================
Previously, a session could be created when anonymously accessing the
:func:`django.contrib.auth.views.logout` view (provided it wasn't decorated
with :func:`~django.contrib.auth.decorators.login_required` as done in the
admin). This could allow an attacker to easily create many new session records
by sending repeated requests, potentially filling up the session store or
causing other users' session records to be evicted.
The :class:`~django.contrib.sessions.middleware.SessionMiddleware` has been
modified to no longer create empty session records, including when
:setting:`SESSION_SAVE_EVERY_REQUEST` is active.
Bugfixes
========
* Added the ability to serialize values from the newly added
:class:`~django.db.models.UUIDField` (:ticket:`25019`).
* Added a system check warning if the old ``TEMPLATE_*`` settings are defined
in addition to the new ``TEMPLATES`` setting.
* Fixed ``QuerySet.raw()`` so ``InvalidQuery`` is not raised when using the
``db_column`` name of a ``ForeignKey`` field with ``primary_key=True``
(:ticket:`12768`).
* Prevented an exception in ``TestCase.setUpTestData()`` from leaking the
transaction (:ticket:`25176`).
* Fixed ``has_changed()`` method in ``contrib.postgres.forms.HStoreField``
(:ticket:`25215`, :ticket:`25233`).
* Fixed the recording of squashed migrations when running the ``migrate``
command (:ticket:`25231`).
* Moved the :ref:`unsaved model instance assignment data loss check
<unsaved-model-instance-check-18>` to ``Model.save()`` to allow easier usage
of in-memory models (:ticket:`25160`).
* Prevented ``varchar_patterns_ops`` and ``text_patterns_ops`` indexes for
``ArrayField`` (:ticket:`25180`).