Django

Latest version: v5.0.3

Safety actively analyzes 613666 Python packages for vulnerabilities to keep your Python projects secure.

Scan your dependencies

Page 23 of 52

2.1.9

Not secure
============================

*June 3, 2019*

Django 2.1.9 fixes security issues in 2.1.8.

CVE-2019-12308: AdminURLFieldWidget XSS
---------------------------------------

The clickable "Current URL" link generated by ``AdminURLFieldWidget`` displayed
the provided value without validating it as a safe URL. Thus, an unvalidated
value stored in the database, or a value provided as a URL query parameter
payload, could result in an clickable JavaScript link.

``AdminURLFieldWidget`` now validates the provided value using
:class:`~django.core.validators.URLValidator` before displaying the clickable
link. You may customize the validator by passing a ``validator_class`` kwarg to
``AdminURLFieldWidget.__init__()``, e.g. when using
:attr:`~django.contrib.admin.ModelAdmin.formfield_overrides`.

Patched bundled jQuery for CVE-2019-11358: Prototype pollution
--------------------------------------------------------------

jQuery before 3.4.0, mishandles ``jQuery.extend(true, {}, ...)`` because of
``Object.prototype`` pollution. If an unsanitized source object contained an
enumerable ``__proto__`` property, it could extend the native
``Object.prototype``.

The bundled version of jQuery used by the Django admin has been patched to
allow for the ``select2`` library's use of ``jQuery.extend()``.


==========================

2.1.8

Not secure
==========================

*April 1, 2019*

Django 2.1.8 fixes a bug in 2.1.7.

Bugfixes
========

* Prevented admin inlines for a ``ManyToManyField``\'s implicit through model
from being editable if the user only has the view permission
(:ticket:`30289`).


==========================

2.1.7

Not secure
==========================

*February 11, 2019*

Django 2.1.7 fixes a packaging error in 2.1.6.

Bugfixes
========

* Corrected packaging error from 2.1.6 (:ticket:`30175`).


==========================

2.1.5

Not secure
==========================

*January 4, 2019*

Django 2.1.5 fixes a security issue and several bugs in 2.1.4.

CVE-2019-3498: Content spoofing possibility in the default 404 page
-------------------------------------------------------------------

An attacker could craft a malicious URL that could make spoofed content appear
on the default page generated by the ``django.views.defaults.page_not_found()``
view.

The URL path is no longer displayed in the default 404 template and the
``request_path`` context variable is now quoted to fix the issue for custom
templates that use the path.

Bugfixes
========

* Fixed compatibility with mysqlclient 1.3.14 (:ticket:`30013`).

* Fixed a schema corruption issue on SQLite 3.26+. You might have to drop and
rebuild your SQLite database if you applied a migration while using an older
version of Django with SQLite 3.26 or later (:ticket:`29182`).

* Prevented SQLite schema alterations while foreign key checks are enabled to
avoid the possibility of schema corruption (:ticket:`30023`).

* Fixed a regression in Django 2.1.4 (which enabled keep-alive connections)
where request body data isn't properly consumed for such connections
(:ticket:`30015`).

* Fixed a regression in Django 2.1.4 where
``InlineModelAdmin.has_change_permission()`` is incorrectly called with a
non-``None`` ``obj`` argument during an object add (:ticket:`30050`).


==========================

2.1.4

Not secure
==========================

*December 3, 2018*

Django 2.1.4 fixes several bugs in 2.1.3.

Bugfixes
========

* Corrected the default password list that ``CommonPasswordValidator`` uses by
lowercasing all passwords to match the format expected by the validator
(:ticket:`29952`).

* Prevented repetitive calls to ``geos_version_tuple()`` in the ``WKBWriter``
class in an attempt to fix a random crash involving ``LooseVersion``
(:ticket:`29959`).

* Fixed keep-alive support in ``runserver`` after it was disabled to fix
another issue in Django 2.0 (:ticket:`29849`).

* Fixed admin view-only change form crash when using
``ModelAdmin.prepopulated_fields`` (:ticket:`29929`).

* Fixed "Please correct the errors below" error message when editing an object
in the admin if the user only has the "view" permission on inlines
(:ticket:`29930`).


==========================

2.1.3

Not secure
==========================

*November 1, 2018*

Django 2.1.3 fixes several bugs in 2.1.2.

Bugfixes
========

* Fixed a regression in Django 2.0 where combining ``Q`` objects with ``__in``
lookups and lists crashed (:ticket:`29838`).

* Fixed a regression in Django 1.11 where ``django-admin shell`` may hang
on startup (:ticket:`29774`).

* Fixed a regression in Django 2.0 where test databases aren't reused with
``manage.py test --keepdb`` on MySQL (:ticket:`29827`).

* Fixed a regression where cached foreign keys that use ``to_field`` were
incorrectly cleared in ``Model.save()`` (:ticket:`29896`).

* Fixed a regression in Django 2.0 where ``FileSystemStorage`` crashes with
``FileExistsError`` if concurrent saves try to create the same directory
(:ticket:`29890`).


==========================

Page 23 of 52

Links

Releases

Has known vulnerabilities

© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.