<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang=""> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Django 1.7.9 release notes — Django 1.8.19 documentation</title> <link rel="stylesheet" href="../_static/default.css" type="text/css" /> <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../', VERSION: '1.8.19', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', HAS_SOURCE: true }; </script> <script type="text/javascript" src="../_static/jquery.js"></script> <script type="text/javascript" src="../_static/underscore.js"></script> <script type="text/javascript" src="../_static/doctools.js"></script> <link rel="index" title="Index" href="../genindex.html" /> <link rel="search" title="Search" href="../search.html" /> <link rel="top" title="Django 1.8.19 documentation" href="../contents.html" /> <link rel="up" title="Release notes" href="index.html" /> <link rel="next" title="Django 1.7.8 release notes" href="1.7.8.html" /> <link rel="prev" title="Django 1.7.10 release notes" href="1.7.10.html" /> <script type="text/javascript" src="../templatebuiltins.js"></script> <script type="text/javascript"> (function($) { if (!django_template_builtins) { // templatebuiltins.js missing, do nothing. return; } $(document).ready(function() { // Hyperlink Django template tags and filters var base = "../ref/templates/builtins.html"; if (base == "#") { // Special case for builtins.html itself base = ""; } // Tags are keywords, class '.k' $("div.highlight\\-html\\+django span.k").each(function(i, elem) { var tagname = $(elem).text(); if ($.inArray(tagname, django_template_builtins.ttags) != -1) { var fragment = tagname.replace(/_/, '-'); $(elem).html("<a href='" + base + "#" + fragment + "'>" + tagname + "</a>"); } }); // Filters are functions, class '.nf' $("div.highlight\\-html\\+django span.nf").each(function(i, elem) { var filtername = $(elem).text(); if ($.inArray(filtername, django_template_builtins.tfilters) != -1) { var fragment = filtername.replace(/_/, '-'); $(elem).html("<a href='" + base + "#" + fragment + "'>" + filtername + "</a>"); } }); }); })(jQuery); </script> </head> <body role="document"> <div class="document"> <div id="custom-doc" class="yui-t6"> <div id="hd"> <h1><a href="../index.html">Django 1.8.19 documentation</a></h1> <div id="global-nav"> <a title="Home page" href="../index.html">Home</a> | <a title="Table of contents" href="../contents.html">Table of contents</a> | <a title="Global index" href="../genindex.html">Index</a> | <a title="Module index" href="../py-modindex.html">Modules</a> </div> <div class="nav"> « <a href="1.7.10.html" title="Django 1.7.10 release notes">previous</a> | <a href="index.html" title="Release notes" accesskey="U">up</a> | <a href="1.7.8.html" title="Django 1.7.8 release notes">next</a> »</div> </div> <div id="bd"> <div id="yui-main"> <div class="yui-b"> <div class="yui-g" id="releases-1.7.9"> <div class="section" id="s-django-1-7-9-release-notes"> <span id="django-1-7-9-release-notes"></span><h1>Django 1.7.9 release notes<a class="headerlink" href="#django-1-7-9-release-notes" title="Permalink to this headline">¶</a></h1> <p><em>July 8, 2015</em></p> <p>Django 1.7.9 fixes several security issues and bugs in 1.7.8.</p> <div class="section" id="s-denial-of-service-possibility-by-filling-session-store"> <span id="denial-of-service-possibility-by-filling-session-store"></span><h2>Denial-of-service possibility by filling session store<a class="headerlink" href="#denial-of-service-possibility-by-filling-session-store" title="Permalink to this headline">¶</a></h2> <p>In previous versions of Django, the session backends created a new empty record in the session storage anytime <code class="docutils literal"><span class="pre">request.session</span></code> was accessed and there was a session key provided in the request cookies that didn’t already have a session record. This could allow an attacker to easily create many new session records simply by sending repeated requests with unknown session keys, potentially filling up the session store or causing other users’ session records to be evicted.</p> <p>The built-in session backends now create a session record only if the session is actually modified; empty session records are not created. Thus this potential DoS is now only possible if the site chooses to expose a session-modifying view to anonymous users.</p> <p>As each built-in session backend was fixed separately (rather than a fix in the core sessions framework), maintainers of third-party session backends should check whether the same vulnerability is present in their backend and correct it if so.</p> </div> <div class="section" id="s-header-injection-possibility-since-validators-accept-newlines-in-input"> <span id="header-injection-possibility-since-validators-accept-newlines-in-input"></span><h2>Header injection possibility since validators accept newlines in input<a class="headerlink" href="#header-injection-possibility-since-validators-accept-newlines-in-input" title="Permalink to this headline">¶</a></h2> <p>Some of Django’s built-in validators (<a class="reference internal" href="../ref/validators.html#django.core.validators.EmailValidator" title="django.core.validators.EmailValidator"><code class="xref py py-class docutils literal"><span class="pre">EmailValidator</span></code></a>, most seriously) didn’t prohibit newline characters (due to the usage of <code class="docutils literal"><span class="pre">$</span></code> instead of <code class="docutils literal"><span class="pre">\Z</span></code> in the regular expressions). If you use values with newlines in HTTP response or email headers, you can suffer from header injection attacks. Django itself isn’t vulnerable because <a class="reference internal" href="../ref/request-response.html#django.http.HttpResponse" title="django.http.HttpResponse"><code class="xref py py-class docutils literal"><span class="pre">HttpResponse</span></code></a> and the mail sending utilities in <a class="reference internal" href="../topics/email.html#module-django.core.mail" title="django.core.mail: Helpers to easily send email."><code class="xref py py-mod docutils literal"><span class="pre">django.core.mail</span></code></a> prohibit newlines in HTTP and SMTP headers, respectively. While the validators have been fixed in Django, if you’re creating HTTP responses or email messages in other ways, it’s a good idea to ensure that those methods prohibit newlines as well. You might also want to validate that any existing data in your application doesn’t contain unexpected newlines.</p> <p><a class="reference internal" href="../ref/validators.html#django.core.validators.validate_ipv4_address" title="django.core.validators.validate_ipv4_address"><code class="xref py py-func docutils literal"><span class="pre">validate_ipv4_address()</span></code></a>, <a class="reference internal" href="../ref/validators.html#django.core.validators.validate_slug" title="django.core.validators.validate_slug"><code class="xref py py-func docutils literal"><span class="pre">validate_slug()</span></code></a>, and <a class="reference internal" href="../ref/validators.html#django.core.validators.URLValidator" title="django.core.validators.URLValidator"><code class="xref py py-class docutils literal"><span class="pre">URLValidator</span></code></a> are also affected, however, as of Django 1.6 the <code class="docutils literal"><span class="pre">GenericIPAddresseField</span></code>, <code class="docutils literal"><span class="pre">IPAddressField</span></code>, <code class="docutils literal"><span class="pre">SlugField</span></code>, and <code class="docutils literal"><span class="pre">URLField</span></code> form fields which use these validators all strip the input, so the possibility of newlines entering your data only exists if you are using these validators outside of the form fields.</p> <p>The undocumented, internally unused <code class="docutils literal"><span class="pre">validate_integer()</span></code> function is now stricter as it validates using a regular expression instead of simply casting the value using <code class="docutils literal"><span class="pre">int()</span></code> and checking if an exception was raised.</p> </div> <div class="section" id="s-bugfixes"> <span id="bugfixes"></span><h2>Bugfixes<a class="headerlink" href="#bugfixes" title="Permalink to this headline">¶</a></h2> <ul class="simple"> <li>Prevented the loss of <code class="docutils literal"><span class="pre">null</span></code>/<code class="docutils literal"><span class="pre">not</span> <span class="pre">null</span></code> column properties during field renaming of MySQL databases (<a class="reference external" href="https://code.djangoproject.com/ticket/24817">#24817</a>).</li> <li>Fixed <code class="docutils literal"><span class="pre">SimpleTestCase.assertRaisesMessage()</span></code> on Python 2.7.10 (<a class="reference external" href="https://code.djangoproject.com/ticket/24903">#24903</a>).</li> </ul> </div> </div> </div> </div> </div> <div class="yui-b" id="sidebar"> <div class="sphinxsidebar" role="navigation" aria-label="main navigation"> <div class="sphinxsidebarwrapper"> <h3><a href="../contents.html">Table Of Contents</a></h3> <ul> <li><a class="reference internal" href="#">Django 1.7.9 release notes</a><ul> <li><a class="reference internal" href="#denial-of-service-possibility-by-filling-session-store">Denial-of-service possibility by filling session store</a></li> <li><a class="reference internal" href="#header-injection-possibility-since-validators-accept-newlines-in-input">Header injection possibility since validators accept newlines in input</a></li> <li><a class="reference internal" href="#bugfixes">Bugfixes</a></li> </ul> </li> </ul> <h3>Browse</h3> <ul> <li>Prev: <a href="1.7.10.html">Django 1.7.10 release notes</a></li> <li>Next: <a href="1.7.8.html">Django 1.7.8 release notes</a></li> </ul> <h3>You are here:</h3> <ul> <li> <a href="../index.html">Django 1.8.19 documentation</a> <ul><li><a href="index.html">Release notes</a> <ul><li>Django 1.7.9 release notes</li></ul> </li></ul> </li> </ul> <div role="note" aria-label="source link"> <h3>This Page</h3> <ul class="this-page-menu"> <li><a href="../_sources/releases/1.7.9.txt" rel="nofollow">Show Source</a></li> </ul> </div> <div id="searchbox" style="display: none" role="search"> <h3>Quick search</h3> <form class="search" action="../search.html" method="get"> <div><input type="text" name="q" /></div> <div><input type="submit" value="Go" /></div> <input type="hidden" name="check_keywords" value="yes" /> <input type="hidden" name="area" value="default" /> </form> </div> <script type="text/javascript">$('#searchbox').show(0);</script> </div> </div> <h3>Last update:</h3> <p class="topless">Feb 12, 2019</p> </div> </div> <div id="ft"> <div class="nav"> « <a href="1.7.10.html" title="Django 1.7.10 release notes">previous</a> | <a href="index.html" title="Release notes" accesskey="U">up</a> | <a href="1.7.8.html" title="Django 1.7.8 release notes">next</a> »</div> </div> </div> <div class="clearer"></div> </div> </body> </html>