首頁 探索 說明
登入
CityApper
/
django
镜像来自 https://github.com/django/django
2
0
複刻 0
Files 問題管理 0 Wiki
目錄樹: 10df5b7177
分支列表 標籤列表
django
/
docs
/
releases
/
1.1.3.txt

1.1.3.txt 2.2 KB
文件歷史 原始文件

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950 
  1. ==========================
    2. 

  2. Django 1.1.3 release notes
    3. 

  3. ==========================
    4. 

  4. 

  5. Welcome to Django 1.1.3!
    6. 

  6. 

  7. This is the third "bugfix" release in the Django 1.1 series,
    8. 

  8. improving the stability and performance of the Django 1.1 codebase.
    9. 

  9. 

  10. With one exception, Django 1.1.3 maintains backwards compatibility
    11. 

  11. with Django 1.1.2. It also contains a number of fixes and other
    12. 

  12. improvements. Django 1.1.2 is a recommended upgrade for any
    13. 

  13. development or deployment currently using or targeting Django 1.1.
    14. 

  14. 

  15. For full details on the new features, backwards incompatibilities, and
    16. 

  16. deprecated features in the 1.1 branch, see the :doc:`/releases/1.1`.
    17. 

  17. 

  18. Backwards incompatible changes
    19. 

  19. ==============================
    20. 

  20. 

  21. Restricted filters in admin interface
    22. 

  22. -------------------------------------
    23. 

  23. 

  24. The Django administrative interface, ``django.contrib.admin``, supports
    25. 

  25. filtering of displayed lists of objects by fields on the corresponding
    26. 

  26. models, including across database-level relationships. This is
    27. 

  27. implemented by passing lookup arguments in the querystring portion of
    28. 

  28. the URL, and options on the ModelAdmin class allow developers to
    29. 

  29. specify particular fields or relationships which will generate
    30. 

  30. automatic links for filtering.
    31. 

  31. 

  32. One historically-undocumented and -unofficially-supported feature has
    33. 

  33. been the ability for a user with sufficient knowledge of a model's
    34. 

  34. structure and the format of these lookup arguments to invent useful
    35. 

  35. new filters on the fly by manipulating the querystring.
    36. 

  36. 

  37. However, it has been demonstrated that this can be abused to gain
    38. 

  38. access to information outside of an admin user's permissions; for
    39. 

  39. example, an attacker with access to the admin and sufficient knowledge
    40. 

  40. of model structure and relations could construct query strings which --
    41. 

  41. with repeated use of regular-expression lookups supported by the
    42. 

  42. Django database API -- expose sensitive information such as users'
    43. 

  43. password hashes.
    44. 

  44. 

  45. To remedy this, ``django.contrib.admin`` will now validate that
    46. 

  46. querystring lookup arguments either specify only fields on the model
    47. 

  47. being viewed, or cross relations which have been explicitly
    48. 

  48. allowed by the application developer using the pre-existing
    49. 

  49. mechanism mentioned above. This is backwards-incompatible for any
    50. 

  50. users relying on the prior ability to insert arbitrary lookups.
    51.