| 12345678910111213141516171819202122232425262728293031323334353637383940 |
- ==========================
- Django 1.5.4 release notes
- ==========================
- *September 14, 2013*
- This is Django 1.5.4, the fourth release in the Django 1.5 series. It addresses
- two security issues and one bug.
- Denial-of-service via password hashers
- --------------------------------------
- In previous versions of Django, no limit was imposed on the plaintext
- length of a password. This allowed a denial-of-service attack through
- submission of bogus but extremely large passwords, tying up server
- resources performing the (expensive, and increasingly expensive with
- the length of the password) calculation of the corresponding hash.
- As of 1.5.4, Django's authentication framework imposes a 4096-byte
- limit on passwords, and will fail authentication with any submitted
- password of greater length.
- Corrected usage of :func:`~django.views.decorators.debug.sensitive_post_parameters` in :mod:`django.contrib.auth`’s admin
- -------------------------------------------------------------------------------------------------------------------------
- The decoration of the ``add_view`` and ``user_change_password`` user admin
- views with :func:`~django.views.decorators.debug.sensitive_post_parameters`
- did not include :func:`~django.utils.decorators.method_decorator` (required
- since the views are methods) resulting in the decorator not being properly
- applied. This usage has been fixed and
- :func:`~django.views.decorators.debug.sensitive_post_parameters` will now
- throw an exception if it's improperly used.
- Bugfixes
- ========
- * Fixed a bug that prevented a ``QuerySet`` that uses
- :meth:`~django.db.models.query.QuerySet.prefetch_related` from being pickled
- and unpickled more than once (the second pickling attempt raised an
- exception) (#21102).
|
