November 24, 2015
Django 1.8.7 fixes a security issue and several bugs in 1.8.6.
Additionally, Django's vendored version of six, django.utils.six
, has
been upgraded to the latest release (1.10.0).
date
template filter¶If an application allows users to specify an unvalidated format for dates and
passes this format to the date
filter, e.g.
{{ last_updated|date:user_date_format }}
, then a malicious user could
obtain any secret in the application's settings by specifying a settings key
instead of a date format. e.g. "SECRET_KEY"
instead of "j/m/Y"
.
To remedy this, the underlying function used by the date
template filter,
django.utils.formats.get_format()
, now only allows accessing the date/time
formatting settings.
USE_TZ
is False
and pytz
is installed.allow_migrate()
method to crash (#25686).Manager
objects for the queryset
argument of ModelChoiceField
(#25683).migrations
directory to fail (#25618).Prefetch
if
to_attr
is set to a ManyToManyField
(#25693).gettext()
once again return UTF-8
bytestrings on Python 2 if the input is a bytestring (#25720).DateRangeField
and
DateTimeRangeField
(#24937).ArrayField
(#25666).Model.refresh_from_db()
updating of ForeignKey
fields with
on_delete=models.SET_NULL
(#25715).set_FOO_order()
crash when the ForeignKey
of a model with
order_with_respect_to
references a model with a OneToOneField
primary key (#25786).PositiveIntegerField
and
PositiveSmallIntegerField
on MySQL resulting in values greater than
4294967295 or 65535, respectively, passing validation and being silently
truncated by the database (#25767).9月 22, 2023