mirror of
https://github.com/django/django.git
synced 2024-12-27 03:25:58 +00:00
46e2b9e059
This is a security fix.
58 lines
2.4 KiB
Plaintext
58 lines
2.4 KiB
Plaintext
===========================
|
|
Django 1.11.5 release notes
|
|
===========================
|
|
|
|
*September 5, 2017*
|
|
|
|
Django 1.11.5 fixes a security issue and several bugs in 1.11.4.
|
|
|
|
CVE-2017-12794: Possible XSS in traceback section of technical 500 debug page
|
|
=============================================================================
|
|
|
|
In older versions, HTML autoescaping was disabled in a portion of the template
|
|
for the technical 500 debug page. Given the right circumstances, this allowed
|
|
a cross-site scripting attack. This vulnerability shouldn't affect most
|
|
production sites since you shouldn't run with ``DEBUG = True`` (which makes
|
|
this page accessible) in your production settings.
|
|
|
|
Bugfixes
|
|
========
|
|
|
|
* Fixed GEOS version parsing if the version has a commit hash at the end (new
|
|
in GEOS 3.6.2) (:ticket:`28441`).
|
|
|
|
* Added compatibility for ``cx_Oracle`` 6 (:ticket:`28498`).
|
|
|
|
* Fixed select widget rendering when option values are tuples (:ticket:`28502`).
|
|
|
|
* Django 1.11 inadvertently changed the sequence and trigger naming scheme on
|
|
Oracle. This causes errors on INSERTs for some tables if
|
|
``'use_returning_into': False`` is in the ``OPTIONS`` part of ``DATABASES``.
|
|
The pre-1.11 naming scheme is now restored. Unfortunately, it necessarily
|
|
requires an update to Oracle tables created with Django 1.11.[1-4]. Use the
|
|
upgrade script in :ticket:`28451` comment 8 to update sequence and trigger
|
|
names to use the pre-1.11 naming scheme.
|
|
|
|
* Added POST request support to ``LogoutView``, for equivalence with the
|
|
function-based ``logout()`` view (:ticket:`28513`).
|
|
|
|
* Omitted ``pages_per_range`` from ``BrinIndex.deconstruct()`` if it's ``None``
|
|
(:ticket:`25809`).
|
|
|
|
* Fixed a regression where ``SelectDateWidget`` localized the years in the
|
|
select box (:ticket:`28530`).
|
|
|
|
* Fixed a regression in 1.11.4 where ``runserver`` crashed with non-Unicode
|
|
system encodings on Python 2 + Windows (:ticket:`28487`).
|
|
|
|
* Fixed a regression in Django 1.10 where changes to a ``ManyToManyField``
|
|
weren't logged in the admin change history (:ticket:`27998`) and prevented
|
|
``ManyToManyField`` initial data in model forms from being affected by
|
|
subsequent model changes (:ticket:`28543`).
|
|
|
|
* Fixed non-deterministic results or an ``AssertionError`` crash in some
|
|
queries with multiple joins (:ticket:`26522`).
|
|
|
|
* Fixed a regression in ``contrib.auth``'s ``login()`` and ``logout()`` views
|
|
where they ignored positional arguments (:ticket:`28550`).
|