<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang=""> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Django 1.8.7 release notes — Django 1.8.19 documentation</title> <link rel="stylesheet" href="../_static/default.css" type="text/css" /> <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../', VERSION: '1.8.19', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', HAS_SOURCE: true }; </script> <script type="text/javascript" src="../_static/jquery.js"></script> <script type="text/javascript" src="../_static/underscore.js"></script> <script type="text/javascript" src="../_static/doctools.js"></script> <link rel="index" title="Index" href="../genindex.html" /> <link rel="search" title="Search" href="../search.html" /> <link rel="top" title="Django 1.8.19 documentation" href="../contents.html" /> <link rel="up" title="Release notes" href="index.html" /> <link rel="next" title="Django 1.8.6 release notes" href="1.8.6.html" /> <link rel="prev" title="Django 1.8.8 release notes" href="1.8.8.html" /> <script type="text/javascript" src="../templatebuiltins.js"></script> <script type="text/javascript"> (function($) { if (!django_template_builtins) { // templatebuiltins.js missing, do nothing. return; } $(document).ready(function() { // Hyperlink Django template tags and filters var base = "../ref/templates/builtins.html"; if (base == "#") { // Special case for builtins.html itself base = ""; } // Tags are keywords, class '.k' $("div.highlight\\-html\\+django span.k").each(function(i, elem) { var tagname = $(elem).text(); if ($.inArray(tagname, django_template_builtins.ttags) != -1) { var fragment = tagname.replace(/_/, '-'); $(elem).html("<a href='" + base + "#" + fragment + "'>" + tagname + "</a>"); } }); // Filters are functions, class '.nf' $("div.highlight\\-html\\+django span.nf").each(function(i, elem) { var filtername = $(elem).text(); if ($.inArray(filtername, django_template_builtins.tfilters) != -1) { var fragment = filtername.replace(/_/, '-'); $(elem).html("<a href='" + base + "#" + fragment + "'>" + filtername + "</a>"); } }); }); })(jQuery); </script> </head> <body role="document"> <div class="document"> <div id="custom-doc" class="yui-t6"> <div id="hd"> <h1><a href="../index.html">Django 1.8.19 documentation</a></h1> <div id="global-nav"> <a title="Home page" href="../index.html">Home</a> | <a title="Table of contents" href="../contents.html">Table of contents</a> | <a title="Global index" href="../genindex.html">Index</a> | <a title="Module index" href="../py-modindex.html">Modules</a> </div> <div class="nav"> « <a href="1.8.8.html" title="Django 1.8.8 release notes">previous</a> | <a href="index.html" title="Release notes" accesskey="U">up</a> | <a href="1.8.6.html" title="Django 1.8.6 release notes">next</a> »</div> </div> <div id="bd"> <div id="yui-main"> <div class="yui-b"> <div class="yui-g" id="releases-1.8.7"> <div class="section" id="s-django-1-8-7-release-notes"> <span id="django-1-8-7-release-notes"></span><h1>Django 1.8.7 release notes<a class="headerlink" href="#django-1-8-7-release-notes" title="Permalink to this headline">¶</a></h1> <p><em>November 24, 2015</em></p> <p>Django 1.8.7 fixes a security issue and several bugs in 1.8.6.</p> <p>Additionally, Django’s vendored version of six, <a class="reference internal" href="../topics/python3.html#module-django.utils.six" title="django.utils.six"><code class="xref py py-mod docutils literal"><span class="pre">django.utils.six</span></code></a>, has been upgraded to the latest release (1.10.0).</p> <div class="section" id="s-fixed-settings-leak-possibility-in-date-template-filter"> <span id="fixed-settings-leak-possibility-in-date-template-filter"></span><h2>Fixed settings leak possibility in <code class="docutils literal"><span class="pre">date</span></code> template filter<a class="headerlink" href="#fixed-settings-leak-possibility-in-date-template-filter" title="Permalink to this headline">¶</a></h2> <p>If an application allows users to specify an unvalidated format for dates and passes this format to the <a class="reference internal" href="../ref/templates/builtins.html#std:templatefilter-date"><code class="xref std std-tfilter docutils literal"><span class="pre">date</span></code></a> filter, e.g. <code class="docutils literal"><span class="pre">{{</span> <span class="pre">last_updated|date:user_date_format</span> <span class="pre">}}</span></code>, then a malicious user could obtain any secret in the application’s settings by specifying a settings key instead of a date format. e.g. <code class="docutils literal"><span class="pre">"SECRET_KEY"</span></code> instead of <code class="docutils literal"><span class="pre">"j/m/Y"</span></code>.</p> <p>To remedy this, the underlying function used by the <code class="docutils literal"><span class="pre">date</span></code> template filter, <code class="docutils literal"><span class="pre">django.utils.formats.get_format()</span></code>, now only allows accessing the date/time formatting settings.</p> </div> <div class="section" id="s-bugfixes"> <span id="bugfixes"></span><h2>Bugfixes<a class="headerlink" href="#bugfixes" title="Permalink to this headline">¶</a></h2> <ul class="simple"> <li>Fixed a crash of the debug view during the autumn DST change when <a class="reference internal" href="../ref/settings.html#std:setting-USE_TZ"><code class="xref std std-setting docutils literal"><span class="pre">USE_TZ</span></code></a> is <code class="docutils literal"><span class="pre">False</span></code> and <code class="docutils literal"><span class="pre">pytz</span></code> is installed.</li> <li>Fixed a regression in 1.8.6 that caused database routers without an <code class="docutils literal"><span class="pre">allow_migrate()</span></code> method to crash (<a class="reference external" href="https://code.djangoproject.com/ticket/25686">#25686</a>).</li> <li>Fixed a regression in 1.8.6 by restoring the ability to use <code class="docutils literal"><span class="pre">Manager</span></code> objects for the <code class="docutils literal"><span class="pre">queryset</span></code> argument of <code class="docutils literal"><span class="pre">ModelChoiceField</span></code> (<a class="reference external" href="https://code.djangoproject.com/ticket/25683">#25683</a>).</li> <li>Fixed a regression in 1.8.6 that caused an application with South migrations in the <code class="docutils literal"><span class="pre">migrations</span></code> directory to fail (<a class="reference external" href="https://code.djangoproject.com/ticket/25618">#25618</a>).</li> <li>Fixed a data loss possibility with <a class="reference internal" href="../ref/models/querysets.html#django.db.models.Prefetch" title="django.db.models.Prefetch"><code class="xref py py-class docutils literal"><span class="pre">Prefetch</span></code></a> if <code class="docutils literal"><span class="pre">to_attr</span></code> is set to a <code class="docutils literal"><span class="pre">ManyToManyField</span></code> (<a class="reference external" href="https://code.djangoproject.com/ticket/25693">#25693</a>).</li> <li>Fixed a regression in 1.8 by making <code class="docutils literal"><span class="pre">gettext()</span></code> once again return UTF-8 bytestrings on Python 2 if the input is a bytestring (<a class="reference external" href="https://code.djangoproject.com/ticket/25720">#25720</a>).</li> <li>Fixed serialization of <a class="reference internal" href="../ref/contrib/postgres/fields.html#django.contrib.postgres.fields.DateRangeField" title="django.contrib.postgres.fields.DateRangeField"><code class="xref py py-class docutils literal"><span class="pre">DateRangeField</span></code></a> and <a class="reference internal" href="../ref/contrib/postgres/fields.html#django.contrib.postgres.fields.DateTimeRangeField" title="django.contrib.postgres.fields.DateTimeRangeField"><code class="xref py py-class docutils literal"><span class="pre">DateTimeRangeField</span></code></a> (<a class="reference external" href="https://code.djangoproject.com/ticket/24937">#24937</a>).</li> <li>Fixed the exact lookup of <code class="docutils literal"><span class="pre">ArrayField</span></code> (<a class="reference external" href="https://code.djangoproject.com/ticket/25666">#25666</a>).</li> <li>Fixed <code class="docutils literal"><span class="pre">Model.refresh_from_db()</span></code> updating of <code class="docutils literal"><span class="pre">ForeignKey</span></code> fields with <code class="docutils literal"><span class="pre">on_delete=models.SET_NULL</span></code> (<a class="reference external" href="https://code.djangoproject.com/ticket/25715">#25715</a>).</li> <li>Fixed a duplicate query regression in 1.8 on proxied model deletion (<a class="reference external" href="https://code.djangoproject.com/ticket/25685">#25685</a>).</li> <li>Fixed <code class="docutils literal"><span class="pre">set_FOO_order()</span></code> crash when the <code class="docutils literal"><span class="pre">ForeignKey</span></code> of a model with <code class="docutils literal"><span class="pre">order_with_respect_to</span></code> references a model with a <code class="docutils literal"><span class="pre">OneToOneField</span></code> primary key (<a class="reference external" href="https://code.djangoproject.com/ticket/25786">#25786</a>).</li> <li>Fixed incorrect validation for <code class="docutils literal"><span class="pre">PositiveIntegerField</span></code> and <code class="docutils literal"><span class="pre">PositiveSmallIntegerField</span></code> on MySQL resulting in values greater than 4294967295 or 65535, respectively, passing validation and being silently truncated by the database (<a class="reference external" href="https://code.djangoproject.com/ticket/25767">#25767</a>).</li> </ul> </div> </div> </div> </div> </div> <div class="yui-b" id="sidebar"> <div class="sphinxsidebar" role="navigation" aria-label="main navigation"> <div class="sphinxsidebarwrapper"> <h3><a href="../contents.html">Table Of Contents</a></h3> <ul> <li><a class="reference internal" href="#">Django 1.8.7 release notes</a><ul> <li><a class="reference internal" href="#fixed-settings-leak-possibility-in-date-template-filter">Fixed settings leak possibility in <code class="docutils literal"><span class="pre">date</span></code> template filter</a></li> <li><a class="reference internal" href="#bugfixes">Bugfixes</a></li> </ul> </li> </ul> <h3>Browse</h3> <ul> <li>Prev: <a href="1.8.8.html">Django 1.8.8 release notes</a></li> <li>Next: <a href="1.8.6.html">Django 1.8.6 release notes</a></li> </ul> <h3>You are here:</h3> <ul> <li> <a href="../index.html">Django 1.8.19 documentation</a> <ul><li><a href="index.html">Release notes</a> <ul><li>Django 1.8.7 release notes</li></ul> </li></ul> </li> </ul> <div role="note" aria-label="source link"> <h3>This Page</h3> <ul class="this-page-menu"> <li><a href="../_sources/releases/1.8.7.txt" rel="nofollow">Show Source</a></li> </ul> </div> <div id="searchbox" style="display: none" role="search"> <h3>Quick search</h3> <form class="search" action="../search.html" method="get"> <div><input type="text" name="q" /></div> <div><input type="submit" value="Go" /></div> <input type="hidden" name="check_keywords" value="yes" /> <input type="hidden" name="area" value="default" /> </form> </div> <script type="text/javascript">$('#searchbox').show(0);</script> </div> </div> <h3>Last update:</h3> <p class="topless">Mar 10, 2018</p> </div> </div> <div id="ft"> <div class="nav"> « <a href="1.8.8.html" title="Django 1.8.8 release notes">previous</a> | <a href="index.html" title="Release notes" accesskey="U">up</a> | <a href="1.8.6.html" title="Django 1.8.6 release notes">next</a> »</div> </div> </div> <div class="clearer"></div> </div> </body> </html>