ホーム エクスプローラ ヘルプ
サインイン
CityApper
/
django
同期ミラー https://github.com/django/django
2
0
フォーク 0
ファイル 課題 0 Wiki
ツリー: 8f4877c89d
ブランチ タグ
django
/
docs
/
releases
/
1.6.5.txt

1.6.5.txt 2.8 KB
履歴 Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263 
  1. ==========================
    2. 

  2. Django 1.6.5 release notes
    3. 

  3. ==========================
    4. 

  4. 

  5. *May 14, 2014*
    6. 

  6. 

  7. Django 1.6.5 fixes two security issues and several bugs in 1.6.4.
    8. 

  8. 

  9. Issue: Caches may incorrectly be allowed to store and serve private data
    10. 

  10. ========================================================================
    11. 

  11. 

  12. In certain situations, Django may allow caches to store private data
    13. 

  13. related to a particular session and then serve that data to requests
    14. 

  14. with a different session, or no session at all. This can lead to
    15. 

  15. information disclosure and can be a vector for cache poisoning.
    16. 

  16. 

  17. When using Django sessions, Django will set a ``Vary: Cookie`` header to
    18. 

  18. ensure caches do not serve cached data to requests from other sessions.
    19. 

  19. However, older versions of Internet Explorer (most likely only Internet
    20. 

  20. Explorer 6, and Internet Explorer 7 if run on Windows XP or Windows Server
    21. 

  21. 2003) are unable to handle the ``Vary`` header in combination with many content
    22. 

  22. types. Therefore, Django would remove the header if the request was made by
    23. 

  23. Internet Explorer.
    24. 

  24. 

  25. To remedy this, the special behavior for these older Internet Explorer versions
    26. 

  26. has been removed, and the ``Vary`` header is no longer stripped from the response.
    27. 

  27. In addition, modifications to the ``Cache-Control`` header for all Internet Explorer
    28. 

  28. requests with a ``Content-Disposition`` header have also been removed as they
    29. 

  29. were found to have similar issues.
    30. 

  30. 

  31. Issue: Malformed redirect URLs from user input not correctly validated
    32. 

  32. ======================================================================
    33. 

  33. 

  34. The validation for redirects did not correctly validate some malformed URLs,
    35. 

  35. which are accepted by some browsers. This allows a user to be redirected to
    36. 

  36. an unsafe URL unexpectedly.
    37. 

  37. 

  38. Django relies on user input in some cases (e.g.
    39. 

  39. :func:`django.contrib.auth.views.login`, ``django.contrib.comments``, and
    40. 

  40. :doc:`i18n </topics/i18n/index>`) to redirect the user to an "on success" URL.
    41. 

  41. The security checks for these redirects (namely
    42. 

  42. ``django.util.http.is_safe_url()``) did not correctly validate some malformed
    43. 

  43. URLs, such as `http:\\\\\\djangoproject.com`, which are accepted by some browsers
    44. 

  44. with more liberal URL parsing.
    45. 

  45. 

  46. To remedy this, the validation in ``is_safe_url()`` has been tightened to be able
    47. 

  47. to handle and correctly validate these malformed URLs.
    48. 

  48. 

  49. Bugfixes
    50. 

  50. ========
    51. 

  51. 

  52. * Made the ``year_lookup_bounds_for_datetime_field`` Oracle backend method
    53. 

  53.   Python 3 compatible (:ticket:`22551`).
    54. 

  54. 

  55. * Fixed ``pgettext_lazy`` crash when receiving bytestring content on Python 2
    56. 

  56.   (:ticket:`22565`).
    57. 

  57. 

  58. * Fixed the SQL generated when filtering by a negated ``Q`` object that contains
    59. 

  59.   a ``F`` object. (:ticket:`22429`).
    60. 

  60. 

  61. * Avoided overwriting data fetched by ``select_related()`` in certain cases
    62. 

  62.   which could cause minor performance regressions
    63. 

  63.   (:ticket:`22508`).
    64.