==========================
Django 1.4.2 release notes
==========================

*October 17, 2012*

This is the second security release in the Django 1.4 series.

Host header poisoning
---------------------

Some parts of Django -- independent of end-user-written applications -- make
use of full URLs, including domain name, which are generated from the HTTP Host
header. Some attacks against this are beyond Django's ability to control, and
require the web server to be properly configured; Django's documentation has
for some time contained notes advising users on such configuration.

Django's own built-in parsing of the Host header is, however, still vulnerable,
as was reported to us recently. The Host header parsing in Django 1.3.3 and
Django 1.4.1 -- specifically, ``django.http.HttpRequest.get_host()`` -- was
incorrectly handling username/password information in the header. Thus, for
example, the following Host header would be accepted by Django when running on
"validsite.com"::

    Host: validsite.com:random@evilsite.com

Using this, an attacker can cause parts of Django -- particularly the
password-reset mechanism -- to generate and display arbitrary URLs to users.

To remedy this, the parsing in ``HttpRequest.get_host()`` is being modified;
Host headers which contain potentially dangerous content (such as
username/password pairs) now raise the exception
:exc:`django.core.exceptions.SuspiciousOperation`.

Details of this issue were initially posted online as a `security advisory`_.

.. _security advisory: https://www.djangoproject.com/weblog/2012/oct/17/security/
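
As an added illustration (not code from Django or from these release notes), the following Python models the two behaviours described above: a Host value used as-is, once embedded in an absolute URL, sends a client to a different domain than the one the header appears to name, while a strict host[:port] check rejects it with a SuspiciousOperation-style exception. The exception class, the regex and the helper names are the editor's simplifications and assumptions, not Django's own API or validation code.

```python
import re
from urllib.parse import urlsplit


class SuspiciousOperation(Exception):
    """Stand-in for django.core.exceptions.SuspiciousOperation (assumption)."""


# The Host value the release notes cite as accepted by Django 1.4.1 and
# earlier (constructed sample input, not captured traffic).
POISONED_HOST = "validsite.com:random@evilsite.com"

# Simplified model of the 1.4.2 check: a bare hostname with an optional
# numeric port. This is the editor's approximation, not Django's own regex.
_HOST_RE = re.compile(r"^[A-Za-z0-9.\-]+(:\d+)?$")


def get_host_unvalidated(host_header):
    """Model of the old behaviour: the header value is used as-is."""
    return host_header


def get_host_validated(host_header):
    """Model of the fixed behaviour: reject anything that is not host[:port]."""
    if not _HOST_RE.match(host_header):
        raise SuspiciousOperation("Invalid HTTP_HOST header: %r" % host_header)
    return host_header


def password_reset_url(host, token):
    """Absolute URL of the kind a password-reset mail embeds (hypothetical path)."""
    return "https://%s/reset/%s/" % (host, token)


def effective_domain(url):
    """Host a client would actually connect to; text before '@' is userinfo."""
    return urlsplit(url).hostname


if __name__ == "__main__":
    url = password_reset_url(get_host_unvalidated(POISONED_HOST), "token")
    # The apparent host becomes URL userinfo; the real target is evilsite.com.
    print("unvalidated:", url, "->", effective_domain(url))
    try:
        get_host_validated(POISONED_HOST)
    except SuspiciousOperation as exc:
        print("validated:", exc)
```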

Backwards incompatible changes
==============================

* The newly introduced :class:`~django.db.models.GenericIPAddressField`
  constructor arguments have been adapted to match those of all other model
  fields. The first two keyword arguments are now verbose_name and name.

Other bugfixes and changes
==========================

* Subclass HTMLParser only for appropriate Python versions (#18239).
* Added batch_size argument to qs.bulk_create() (#17788).
* Fixed a small regression in the admin filters where wrongly formatted dates passed as url parameters caused an unhandled ValidationError (#18530).
* Fixed an endless loop bug when accessing permissions in templates (#18979).
* Fixed some Python 2.5 compatibility issues.
* Fixed an issue with quoted filenames in Content-Disposition header (#19006).
* Made the context option in ``trans`` and ``blocktrans`` tags accept literals wrapped in single quotes (#18881).
* Numerous documentation improvements and fixes.