Django 1.8.7 release notes
November 24, 2015
Django 1.8.7 fixes a security issue and several bugs in 1.8.6.
Additionally, Django’s vendored version of six, django.utils.six
, has been upgraded to the latest release (1.10.0).
Fixed settings leak possibility in date
template filter
If an application allows users to specify an unvalidated format for dates and passes this format to the date
filter, e.g. {{ last_updated|date:user_date_format }}
, then a malicious user could obtain any secret in the application’s settings by specifying a settings key instead of a date format. e.g. "SECRET_KEY"
instead of "j/m/Y"
.
To remedy this, the underlying function used by the date
template filter, django.utils.formats.get_format()
, now only allows accessing the date/time formatting settings.
Bugfixes
- Fixed a crash of the debug view during the autumn DST change when
USE_TZ
isFalse
andpytz
is installed. - Fixed a regression in 1.8.6 that caused database routers without an
allow_migrate()
method to crash (#25686). - Fixed a regression in 1.8.6 by restoring the ability to use
Manager
objects for thequeryset
argument ofModelChoiceField
(#25683). - Fixed a regression in 1.8.6 that caused an application with South migrations in the
migrations
directory to fail (#25618). - Fixed a data loss possibility with
Prefetch
ifto_attr
is set to aManyToManyField
(#25693). - Fixed a regression in 1.8 by making
gettext()
once again return UTF-8 bytestrings on Python 2 if the input is a bytestring (#25720). - Fixed serialization of
DateRangeField
andDateTimeRangeField
(#24937). - Fixed the exact lookup of
ArrayField
(#25666). - Fixed
Model.refresh_from_db()
updating ofForeignKey
fields withon_delete=models.SET_NULL
(#25715). - Fixed a duplicate query regression in 1.8 on proxied model deletion (#25685).
- Fixed
set_FOO_order()
crash when theForeignKey
of a model withorder_with_respect_to
references a model with aOneToOneField
primary key (#25786). - Fixed incorrect validation for
PositiveIntegerField
andPositiveSmallIntegerField
on MySQL resulting in values greater than 4294967295 or 65535, respectively, passing validation and being silently truncated by the database (#25767).