"Fossies" - the Fresh Open Source Software Archive

Member "Django-1.11.25/docs/releases/1.10.3.txt" (1 Oct 2019, 3107 Bytes) of package /linux/www/Django-1.11.25.tar.gz:


As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file.

    1 ===========================
    2 Django 1.10.3 release notes
    3 ===========================
    4 
    5 *November 1, 2016*
    6 
    7 Django 1.10.3 fixes two security issues and several bugs in 1.10.2.
    8 
    9 User with hardcoded password created when running tests on Oracle
   10 =================================================================
   11 
   12 When running tests with an Oracle database, Django creates a temporary database
   13 user. In older versions, if a password isn't manually specified in the database
   14 settings ``TEST`` dictionary, a hardcoded password is used. This could allow
   15 an attacker with network access to the database server to connect.
   16 
   17 This user is usually dropped after the test suite completes, but not when using
   18 the ``manage.py test --keepdb`` option or if the user has an active session
   19 (such as an attacker's connection).
   20 
   21 A randomly generated password is now used for each test run.
   22 
   23 DNS rebinding vulnerability when ``DEBUG=True``
   24 ===============================================
   25 
   26 Older versions of Django don't validate the ``Host`` header against
   27 ``settings.ALLOWED_HOSTS`` when ``settings.DEBUG=True``. This makes them
   28 vulnerable to a `DNS rebinding attack
   29 <http://benmmurphy.github.io/blog/2016/07/11/rails-webconsole-dns-rebinding/>`_.
   30 
   31 While Django doesn't ship a module that allows remote code execution, this is
   32 at least a cross-site scripting vector, which could be quite serious if
   33 developers load a copy of the production database in development or connect to
   34 some production services for which there's no development instance, for
   35 example. If a project uses a package like the ``django-debug-toolbar``, then
   36 the attacker could execute arbitrary SQL, which could be especially bad if the
   37 developers connect to the database with a superuser account.
   38 
   39 ``settings.ALLOWED_HOSTS`` is now validated regardless of ``DEBUG``. For
   40 convenience, if ``ALLOWED_HOSTS`` is empty and ``DEBUG=True``, the following
   41 variations of localhost are allowed ``['localhost', '127.0.0.1', '::1']``. If
   42 your local settings file has your production ``ALLOWED_HOSTS`` value, you must
   43 now omit it to get those fallback values.
   44 
   45 Bugfixes
   46 ========
   47 
   48 * Allowed ``User.is_authenticated`` and ``User.is_anonymous`` properties to be
   49   tested for ``set`` membership (:ticket:`27309`).
   50 
   51 * Fixed a performance regression when running ``migrate`` in projects
   52   with ``RenameModel`` operations (:ticket:`27279`).
   53 
   54 * Added ``model_name`` to the ``allow_migrate()`` calls in ``makemigrations``
   55   (:ticket:`27200`).
   56 
   57 * Made the ``JavaScriptCatalog`` view respect the ``packages`` argument;
   58   previously it was ignored (:ticket:`27374`).
   59 
   60 * Fixed ``QuerySet.bulk_create()`` on PostgreSQL when the number of objects is
   61   a multiple plus one of ``batch_size`` (:ticket:`27385`).
   62 
   63 * Prevented ``i18n_patterns()`` from using too much of the URL as the language
   64   to fix a use case for ``prefix_default_language=False`` (:ticket:`27063`).
   65 
   66 * Replaced a possibly incorrect redirect from ``SessionMiddleware`` when a
   67   session is destroyed in a concurrent request with a ``SuspiciousOperation``
   68   to indicate that the request can't be completed (:ticket:`27363`).