<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Django 1.5.4 release notes — Django 1.6.7 documentation</title>
<link rel="stylesheet" href="../_static/default.css" type="text/css" />
<link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../',
VERSION: '1.6.7',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
};
</script>
<script type="text/javascript" src="../_static/jquery.js"></script>
<script type="text/javascript" src="../_static/underscore.js"></script>
<script type="text/javascript" src="../_static/doctools.js"></script>
<link rel="top" title="Django 1.6.7 documentation" href="../index.html" />
<link rel="up" title="Release notes" href="index.html" />
<link rel="next" title="Django 1.5.3 release notes" href="1.5.3.html" />
<link rel="prev" title="Django 1.5.5 release notes" href="1.5.5.html" />
<script type="text/javascript" src="../templatebuiltins.js"></script>
<script type="text/javascript">
(function($) {
if (!django_template_builtins) {
// templatebuiltins.js missing, do nothing.
return;
}
$(document).ready(function() {
// Hyperlink Django template tags and filters
var base = "../ref/templates/builtins.html";
if (base == "#") {
// Special case for builtins.html itself
base = "";
}
// Tags are keywords, class '.k'
$("div.highlight\\-html\\+django span.k").each(function(i, elem) {
var tagname = $(elem).text();
if ($.inArray(tagname, django_template_builtins.ttags) != -1) {
var fragment = tagname.replace(/_/, '-');
$(elem).html("<a href='" + base + "#" + fragment + "'>" + tagname + "</a>");
}
});
// Filters are functions, class '.nf'
$("div.highlight\\-html\\+django span.nf").each(function(i, elem) {
var filtername = $(elem).text();
if ($.inArray(filtername, django_template_builtins.tfilters) != -1) {
var fragment = filtername.replace(/_/, '-');
$(elem).html("<a href='" + base + "#" + fragment + "'>" + filtername + "</a>");
}
});
});
})(jQuery);
</script>
</head>
<body>
<div class="document">
<div id="custom-doc" class="yui-t6">
<div id="hd">
<h1><a href="../index.html">Django 1.6.7 documentation</a></h1>
<div id="global-nav">
<a title="Home page" href="../index.html">Home</a> |
<a title="Table of contents" href="../contents.html">Table of contents</a> |
<a title="Global index" href="../genindex.html">Index</a> |
<a title="Module index" href="../py-modindex.html">Modules</a>
</div>
<div class="nav">
« <a href="1.5.5.html" title="Django 1.5.5 release notes">previous</a>
|
<a href="index.html" title="Release notes" accesskey="U">up</a>
|
<a href="1.5.3.html" title="Django 1.5.3 release notes">next</a> »</div>
</div>
<div id="bd">
<div id="yui-main">
<div class="yui-b">
<div class="yui-g" id="releases-1.5.4">
<div class="section" id="s-django-1-5-4-release-notes">
<span id="django-1-5-4-release-notes"></span><h1>Django 1.5.4 release notes<a class="headerlink" href="#django-1-5-4-release-notes" title="Permalink to this headline">¶</a></h1>
<p><em>September 14, 2013</em></p>
<p>This is Django 1.5.4, the fourth release in the Django 1.5 series. It addresses
two security issues and one bug.</p>
<div class="section" id="s-denial-of-service-via-password-hashers">
<span id="denial-of-service-via-password-hashers"></span><h2>Denial-of-service via password hashers<a class="headerlink" href="#denial-of-service-via-password-hashers" title="Permalink to this headline">¶</a></h2>
<p>In previous versions of Django, no limit was imposed on the plaintext
length of a password. This allowed a denial-of-service attack through
submission of bogus but extremely large passwords, tying up server
resources performing the (expensive, and increasingly expensive with
the length of the password) calculation of the corresponding hash.</p>
<p>As of 1.5.4, Django’s authentication framework imposes a 4096-byte
limit on passwords, and will fail authentication with any submitted
password of greater length.</p>
</div>
<div class="section" id="s-corrected-usage-of-sensitive-post-parameters-in-django-contrib-auths-admin">
<span id="corrected-usage-of-sensitive-post-parameters-in-django-contrib-auths-admin"></span><h2>Corrected usage of <a class="reference internal" href="../howto/error-reporting.html#django.views.decorators.debug.sensitive_post_parameters" title="django.views.decorators.debug.sensitive_post_parameters"><tt class="xref py py-func docutils literal"><span class="pre">sensitive_post_parameters()</span></tt></a> in <a class="reference internal" href="../topics/auth/index.html#module-django.contrib.auth" title="django.contrib.auth: Django's authentication framework."><tt class="xref py py-mod docutils literal"><span class="pre">django.contrib.auth</span></tt></a>’s admin<a class="headerlink" href="#corrected-usage-of-sensitive-post-parameters-in-django-contrib-auths-admin" title="Permalink to this headline">¶</a></h2>
<p>The decoration of the <tt class="docutils literal"><span class="pre">add_view</span></tt> and <tt class="docutils literal"><span class="pre">user_change_password</span></tt> user admin
views with <a class="reference internal" href="../howto/error-reporting.html#django.views.decorators.debug.sensitive_post_parameters" title="django.views.decorators.debug.sensitive_post_parameters"><tt class="xref py py-func docutils literal"><span class="pre">sensitive_post_parameters()</span></tt></a>
did not include <a class="reference internal" href="../ref/utils.html#django.utils.decorators.method_decorator" title="django.utils.decorators.method_decorator"><tt class="xref py py-func docutils literal"><span class="pre">method_decorator()</span></tt></a> (required
since the views are methods) resulting in the decorator not being properly
applied. This usage has been fixed and
<a class="reference internal" href="../howto/error-reporting.html#django.views.decorators.debug.sensitive_post_parameters" title="django.views.decorators.debug.sensitive_post_parameters"><tt class="xref py py-func docutils literal"><span class="pre">sensitive_post_parameters()</span></tt></a> will now
throw an exception if it’s improperly used.</p>
<div class="section" id="s-bugfixes">
<span id="bugfixes"></span><h3>Bugfixes<a class="headerlink" href="#bugfixes" title="Permalink to this headline">¶</a></h3>
<ul class="simple">
<li>Fixed a bug that prevented a <tt class="docutils literal"><span class="pre">QuerySet</span></tt> that uses
<a class="reference internal" href="../ref/models/querysets.html#django.db.models.query.QuerySet.prefetch_related" title="django.db.models.query.QuerySet.prefetch_related"><tt class="xref py py-meth docutils literal"><span class="pre">prefetch_related()</span></tt></a> from being pickled
and unpickled more than once (the second pickling attempt raised an
exception) (#21102).</li>
</ul>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="yui-b" id="sidebar">
<div class="sphinxsidebar">
<div class="sphinxsidebarwrapper">
<h3><a href="../contents.html">Table Of Contents</a></h3>
<ul>
<li><a class="reference internal" href="#">Django 1.5.4 release notes</a><ul>
<li><a class="reference internal" href="#denial-of-service-via-password-hashers">Denial-of-service via password hashers</a></li>
<li><a class="reference internal" href="#corrected-usage-of-sensitive-post-parameters-in-django-contrib-auths-admin">Corrected usage of <tt class="docutils literal"><span class="pre">sensitive_post_parameters()</span></tt> in <tt class="docutils literal"><span class="pre">django.contrib.auth</span></tt>’s admin</a><ul>
<li><a class="reference internal" href="#bugfixes">Bugfixes</a></li>
</ul>
</li>
</ul>
</li>
</ul>
<h3>Browse</h3>
<ul>
<li>Prev: <a href="1.5.5.html">Django 1.5.5 release notes</a></li>
<li>Next: <a href="1.5.3.html">Django 1.5.3 release notes</a></li>
</ul>
<h3>You are here:</h3>
<ul>
<li>
<a href="../index.html">Django 1.6.7 documentation</a>
<ul><li><a href="index.html">Release notes</a>
<ul><li>Django 1.5.4 release notes</li></ul>
</li></ul>
</li>
</ul>
<h3>This Page</h3>
<ul class="this-page-menu">
<li><a href="../_sources/releases/1.5.4.txt"
rel="nofollow">Show Source</a></li>
</ul>
<div id="searchbox" style="display: none">
<h3>Quick search</h3>
<form class="search" action="../search.html" method="get">
<input type="text" name="q" />
<input type="submit" value="Go" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
<p class="searchtip" style="font-size: 90%">
Enter search terms or a module, class or function name.
</p>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
</div>
</div>
<h3>Last update:</h3>
<p class="topless">Sep 26, 2014</p>
</div>
</div>
<div id="ft">
<div class="nav">
« <a href="1.5.5.html" title="Django 1.5.5 release notes">previous</a>
|
<a href="index.html" title="Release notes" accesskey="U">up</a>
|
<a href="1.5.3.html" title="Django 1.5.3 release notes">next</a> »</div>
</div>
</div>
<div class="clearer"></div>
</div>
</body>
</html>
