<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Django 1.5.2 release notes — Django 1.5.9 documentation</title> <link rel="stylesheet" href="../_static/default.css" type="text/css" /> <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../', VERSION: '1.5.9', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', HAS_SOURCE: true }; </script> <script type="text/javascript" src="../_static/jquery.js"></script> <script type="text/javascript" src="../_static/underscore.js"></script> <script type="text/javascript" src="../_static/doctools.js"></script> <link rel="top" title="Django 1.5.9 documentation" href="../index.html" /> <link rel="up" title="Release notes" href="index.html" /> <link rel="next" title="Django 1.5.1 release notes" href="1.5.1.html" /> <link rel="prev" title="Django 1.5.3 release notes" href="1.5.3.html" /> <script type="text/javascript" src="../templatebuiltins.js"></script> <script type="text/javascript"> (function($) { if (!django_template_builtins) { // templatebuiltins.js missing, do nothing. return; } $(document).ready(function() { // Hyperlink Django template tags and filters var base = "../ref/templates/builtins.html"; if (base == "#") { // Special case for builtins.html itself base = ""; } // Tags are keywords, class '.k' $("div.highlight\\-html\\+django span.k").each(function(i, elem) { var tagname = $(elem).text(); if ($.inArray(tagname, django_template_builtins.ttags) != -1) { var fragment = tagname.replace(/_/, '-'); $(elem).html("<a href='" + base + "#" + fragment + "'>" + tagname + "</a>"); } }); // Filters are functions, class '.nf' $("div.highlight\\-html\\+django span.nf").each(function(i, elem) { var filtername = $(elem).text(); if ($.inArray(filtername, django_template_builtins.tfilters) != -1) { var fragment = filtername.replace(/_/, '-'); $(elem).html("<a href='" + base + "#" + fragment + "'>" + filtername + "</a>"); } }); }); })(jQuery); </script> </head> <body> <div class="document"> <div id="custom-doc" class="yui-t6"> <div id="hd"> <h1><a href="../index.html">Django 1.5.9 documentation</a></h1> <div id="global-nav"> <a title="Home page" href="../index.html">Home</a> | <a title="Table of contents" href="../contents.html">Table of contents</a> | <a title="Global index" href="../genindex.html">Index</a> | <a title="Module index" href="../py-modindex.html">Modules</a> </div> <div class="nav"> « <a href="1.5.3.html" title="Django 1.5.3 release notes">previous</a> | <a href="index.html" title="Release notes" accesskey="U">up</a> | <a href="1.5.1.html" title="Django 1.5.1 release notes">next</a> »</div> </div> <div id="bd"> <div id="yui-main"> <div class="yui-b"> <div class="yui-g" id="releases-1.5.2"> <div class="section" id="s-django-1-5-2-release-notes"> <span id="django-1-5-2-release-notes"></span><h1>Django 1.5.2 release notes<a class="headerlink" href="#django-1-5-2-release-notes" title="Permalink to this headline">¶</a></h1> <p><em>August 13, 2013</em></p> <p>This is Django 1.5.2, a bugfix and security release for Django 1.5.</p> <div class="section" id="s-mitigated-possible-xss-attack-via-user-supplied-redirect-urls"> <span id="mitigated-possible-xss-attack-via-user-supplied-redirect-urls"></span><h2>Mitigated possible XSS attack via user-supplied redirect URLs<a class="headerlink" href="#mitigated-possible-xss-attack-via-user-supplied-redirect-urls" title="Permalink to this headline">¶</a></h2> <p>Django relies on user input in some cases (e.g. <a class="reference internal" href="../topics/auth/default.html#django.contrib.auth.views.login" title="django.contrib.auth.views.login"><tt class="xref py py-func docutils literal"><span class="pre">django.contrib.auth.views.login()</span></tt></a>, <a class="reference internal" href="../ref/contrib/comments/index.html#module-django.contrib.comments" title="django.contrib.comments: Django's comment framework"><tt class="xref py py-mod docutils literal"><span class="pre">django.contrib.comments</span></tt></a>, and <a class="reference internal" href="../topics/i18n/index.html"><em>i18n</em></a>) to redirect the user to an “on success” URL. The security checks for these redirects (namely <tt class="docutils literal"><span class="pre">django.util.http.is_safe_url()</span></tt>) didn’t check if the scheme is <tt class="docutils literal"><span class="pre">http(s)</span></tt> and as such allowed <tt class="docutils literal"><span class="pre">javascript:...</span></tt> URLs to be entered. If a developer relied on <tt class="docutils literal"><span class="pre">is_safe_url()</span></tt> to provide safe redirect targets and put such a URL into a link, he could suffer from a XSS attack. This bug doesn’t affect Django currently, since we only put this URL into the <tt class="docutils literal"><span class="pre">Location</span></tt> response header and browsers seem to ignore JavaScript there.</p> </div> <div class="section" id="s-xss-vulnerability-in-django-contrib-admin"> <span id="xss-vulnerability-in-django-contrib-admin"></span><h2>XSS vulnerability in <a class="reference internal" href="../ref/contrib/admin/index.html#module-django.contrib.admin" title="django.contrib.admin: Django's admin site."><tt class="xref py py-mod docutils literal"><span class="pre">django.contrib.admin</span></tt></a><a class="headerlink" href="#xss-vulnerability-in-django-contrib-admin" title="Permalink to this headline">¶</a></h2> <p>If a <a class="reference internal" href="../ref/models/fields.html#django.db.models.URLField" title="django.db.models.URLField"><tt class="xref py py-class docutils literal"><span class="pre">URLField</span></tt></a> is used in Django 1.5, it displays the current value of the field and a link to the target on the admin change page. The display routine of this widget was flawed and allowed for XSS.</p> <div class="section" id="s-bugfixes"> <span id="bugfixes"></span><h3>Bugfixes<a class="headerlink" href="#bugfixes" title="Permalink to this headline">¶</a></h3> <ul class="simple"> <li>Fixed a crash with <a class="reference internal" href="../ref/models/querysets.html#django.db.models.query.QuerySet.prefetch_related" title="django.db.models.query.QuerySet.prefetch_related"><tt class="xref py py-meth docutils literal"><span class="pre">prefetch_related()</span></tt></a> (#19607) as well as some <tt class="docutils literal"><span class="pre">pickle</span></tt> regressions with <tt class="docutils literal"><span class="pre">prefetch_related</span></tt> (#20157 and #20257).</li> <li>Fixed a regression in <a class="reference internal" href="../ref/contrib/gis/index.html#module-django.contrib.gis" title="django.contrib.gis: Geographic Information System (GIS) extensions for Django"><tt class="xref py py-mod docutils literal"><span class="pre">django.contrib.gis</span></tt></a> in the Google Map output on Python 3 (#20773).</li> <li>Made <tt class="docutils literal"><span class="pre">DjangoTestSuiteRunner.setup_databases</span></tt> properly handle aliases for the default database (#19940) and prevented <tt class="docutils literal"><span class="pre">teardown_databases</span></tt> from attempting to tear down aliases (#20681).</li> <li>Fixed the <tt class="docutils literal"><span class="pre">django.core.cache.backends.memcached.MemcachedCache</span></tt> backend’s <tt class="docutils literal"><span class="pre">get_many()</span></tt> method on Python 3 (#20722).</li> <li>Fixed <a class="reference internal" href="../ref/contrib/humanize.html#module-django.contrib.humanize" title="django.contrib.humanize: A set of Django template filters useful for adding a "human touch" to data."><tt class="xref py py-mod docutils literal"><span class="pre">django.contrib.humanize</span></tt></a> translation syntax errors. Affected languages: Mexican Spanish, Mongolian, Romanian, Turkish (#20695).</li> <li>Added support for wheel packages (#19252).</li> <li>The CSRF token now rotates when a user logs in.</li> <li>Some Python 3 compatibility fixes including #20212 and #20025.</li> <li>Fixed some rare cases where <a class="reference internal" href="../ref/models/querysets.html#django.db.models.query.QuerySet.get" title="django.db.models.query.QuerySet.get"><tt class="xref py py-meth docutils literal"><span class="pre">get()</span></tt></a> exceptions recursed infinitely (#20278).</li> <li><a class="reference internal" href="../ref/django-admin.html#django-admin-makemessages"><tt class="xref std std-djadmin docutils literal"><span class="pre">makemessages</span></tt></a> no longer crashes with <tt class="docutils literal"><span class="pre">UnicodeDecodeError</span></tt> (#20354).</li> <li>Fixed <tt class="docutils literal"><span class="pre">geojson</span></tt> detection with Spatialite.</li> <li><a class="reference internal" href="../topics/testing/overview.html#django.test.TestCase.assertContains" title="django.test.TestCase.assertContains"><tt class="xref py py-meth docutils literal"><span class="pre">assertContains()</span></tt></a> once again works with binary content (#20237).</li> <li>Fixed <a class="reference internal" href="../ref/models/fields.html#django.db.models.ManyToManyField" title="django.db.models.ManyToManyField"><tt class="xref py py-class docutils literal"><span class="pre">ManyToManyField</span></tt></a> if it has a unicode <tt class="docutils literal"><span class="pre">name</span></tt> parameter (#20207).</li> <li>Ensured that the WSGI request’s path is correctly based on the <tt class="docutils literal"><span class="pre">SCRIPT_NAME</span></tt> environment variable or the <a class="reference internal" href="../ref/settings.html#std:setting-FORCE_SCRIPT_NAME"><tt class="xref std std-setting docutils literal"><span class="pre">FORCE_SCRIPT_NAME</span></tt></a> setting, regardless of whether or not either has a trailing slash (#20169).</li> <li>Fixed an obscure bug with the <a class="reference internal" href="../topics/testing/overview.html#django.test.utils.override_settings" title="django.test.utils.override_settings"><tt class="xref py py-func docutils literal"><span class="pre">override_settings()</span></tt></a> decorator. If you hit an <tt class="docutils literal"><span class="pre">AttributeError:</span> <span class="pre">'Settings'</span> <span class="pre">object</span> <span class="pre">has</span> <span class="pre">no</span> <span class="pre">attribute</span> <span class="pre">'_original_allowed_hosts'</span></tt> exception, it’s probably fixed (#20636).</li> </ul> </div> </div> </div> </div> </div> </div> <div class="yui-b" id="sidebar"> <div class="sphinxsidebar"> <div class="sphinxsidebarwrapper"> <h3><a href="../contents.html">Table Of Contents</a></h3> <ul> <li><a class="reference internal" href="#">Django 1.5.2 release notes</a><ul> <li><a class="reference internal" href="#mitigated-possible-xss-attack-via-user-supplied-redirect-urls">Mitigated possible XSS attack via user-supplied redirect URLs</a></li> <li><a class="reference internal" href="#xss-vulnerability-in-django-contrib-admin">XSS vulnerability in <tt class="docutils literal"><span class="pre">django.contrib.admin</span></tt></a><ul> <li><a class="reference internal" href="#bugfixes">Bugfixes</a></li> </ul> </li> </ul> </li> </ul> <h3>Browse</h3> <ul> <li>Prev: <a href="1.5.3.html">Django 1.5.3 release notes</a></li> <li>Next: <a href="1.5.1.html">Django 1.5.1 release notes</a></li> </ul> <h3>You are here:</h3> <ul> <li> <a href="../index.html">Django 1.5.9 documentation</a> <ul><li><a href="index.html">Release notes</a> <ul><li>Django 1.5.2 release notes</li></ul> </li></ul> </li> </ul> <h3>This Page</h3> <ul class="this-page-menu"> <li><a href="../_sources/releases/1.5.2.txt" rel="nofollow">Show Source</a></li> </ul> <div id="searchbox" style="display: none"> <h3>Quick search</h3> <form class="search" action="../search.html" method="get"> <input type="text" name="q" /> <input type="submit" value="Go" /> <input type="hidden" name="check_keywords" value="yes" /> <input type="hidden" name="area" value="default" /> </form> <p class="searchtip" style="font-size: 90%"> Enter search terms or a module, class or function name. </p> </div> <script type="text/javascript">$('#searchbox').show(0);</script> </div> </div> <h3>Last update:</h3> <p class="topless">Aug 21, 2014</p> </div> </div> <div id="ft"> <div class="nav"> « <a href="1.5.3.html" title="Django 1.5.3 release notes">previous</a> | <a href="index.html" title="Release notes" accesskey="U">up</a> | <a href="1.5.1.html" title="Django 1.5.1 release notes">next</a> »</div> </div> </div> <div class="clearer"></div> </div> </body> </html>