August 13, 2013
This is Django 1.5.2, a bugfix and security release for Django 1.5.
Django relies on user input in some cases (e.g.
django.contrib.auth.views.login()
, django.contrib.comments
, and
i18n) to redirect the user to an “on success” URL.
The security checks for these redirects (namely
django.utils.http.is_safe_url()
) didn’t check if the scheme is http(s)
and as such allowed javascript:...
URLs to be entered. If a developer
relied on is_safe_url()
to provide safe redirect targets and put such a
URL into a link, they could suffer from a XSS attack. This bug doesn’t affect
Django currently, since we only put this URL into the Location
response
header and browsers seem to ignore JavaScript there.
django.contrib.admin
¶If a URLField
is used in Django 1.5, it displays the
current value of the field and a link to the target on the admin change page.
The display routine of this widget was flawed and allowed for XSS.
Fixed a crash with prefetch_related()
(#19607) as well as some pickle
regressions with prefetch_related
(#20157 and #20257).
Fixed a regression in django.contrib.gis
in the Google Map output on
Python 3 (#20773).
Made DjangoTestSuiteRunner.setup_databases
properly handle aliases for
the default database (#19940) and prevented teardown_databases
from
attempting to tear down aliases (#20681).
Fixed the django.core.cache.backends.memcached.MemcachedCache
backend’s
get_many()
method on Python 3 (#20722).
Fixed django.contrib.humanize
translation syntax errors. Affected
languages: Mexican Spanish, Mongolian, Romanian, Turkish (#20695).
Added support for wheel packages (#19252).
The CSRF token now rotates when a user logs in.
Some Python 3 compatibility fixes including #20212 and #20025.
Fixed some rare cases where get()
exceptions recursed infinitely (#20278).
makemessages
no longer crashes with UnicodeDecodeError
(#20354).
Fixed geojson
detection with SpatiaLite.
assertContains()
once again works with
binary content (#20237).
Fixed ManyToManyField
if it has a unicode name
parameter (#20207).
Ensured that the WSGI request’s path is correctly based on the
SCRIPT_NAME
environment variable or the FORCE_SCRIPT_NAME
setting, regardless of whether or not either has a trailing slash (#20169).
Fixed an obscure bug with the override_settings()
decorator. If you hit an AttributeError: 'Settings' object has no attribute
'_original_allowed_hosts'
exception, it’s probably fixed (#20636).
Dec 25, 2023