Django

===========================

*March 1, 2017*

Django 1.10.6 fixes several bugs in 1.10.5.

Bugfixes
========

* Fixed ``ClearableFileInput``’s "Clear" checkbox on model form fields where
the model field has a ``default`` (:ticket:`27805`).

* Fixed ``RequestDataTooBig`` and ``TooManyFieldsSent`` exceptions crashing
rather than generating a bad request response (:ticket:`27820`).

* Fixed a crash on Oracle and PostgreSQL when subtracting ``DurationField``
or ``IntegerField`` from ``DateField`` (:ticket:`27828`).

* Fixed query expression date subtraction accuracy on PostgreSQL for
differences larger than a month (:ticket:`27856`).

* Fixed a ``GDALException`` raised by ``GDALClose`` on GDAL ≥ 2.0
(:ticket:`27479`).


===========================

===========================

*January 4, 2017*

Django 1.10.5 fixes several bugs in 1.10.4.

Bugfixes
========

* Fixed a crash in the debug view if ``request.user`` can't be retrieved, such
as if the database is unavailable (:ticket:`27567`).

* Fixed occasional missing plural forms in ``JavaScriptCatalog``
(:ticket:`27418`).

* Fixed a regression in the ``timesince`` and ``timeuntil`` filters that caused
incorrect results for dates in a leap year (:ticket:`27637`).

* Fixed a regression where ``collectstatic`` overwrote newer files in remote
storages (:ticket:`27658`).


===========================

===========================

*December 1, 2016*

Django 1.10.4 fixes several bugs in 1.10.3.

Bugfixes
========

* Quoted the Oracle test user's password in queries to fix the "ORA-00922:
missing or invalid option" error when the password starts with a number or
special character (:ticket:`27420`).

* Fixed incorrect ``app_label`` / ``model_name`` arguments for
``allow_migrate()`` in ``makemigrations`` migration consistency checks
(:ticket:`27461`).

* Made ``Model.delete(keep_parents=True)`` preserve parent reverse
relationships in multi-table inheritance (:ticket:`27407`).

* Fixed a ``QuerySet.update()`` crash on SQLite when updating a
``DateTimeField`` with an ``F()`` expression and a ``timedelta``
(:ticket:`27544`).

* Prevented ``LocaleMiddleware`` from redirecting on URLs that should return
404 when using ``prefix_default_language=False`` (:ticket:`27402`).

* Prevented an unnecessary index from being created on an InnoDB ``ForeignKey``
when the field was added after the model was created (:ticket:`27558`).


===========================

===========================

*November 1, 2016*

Django 1.10.3 fixes two security issues and several bugs in 1.10.2.

User with hardcoded password created when running tests on Oracle
=================================================================

When running tests with an Oracle database, Django creates a temporary database
user. In older versions, if a password isn't manually specified in the database
settings ``TEST`` dictionary, a hardcoded password is used. This could allow
an attacker with network access to the database server to connect.

This user is usually dropped after the test suite completes, but not when using
the ``manage.py test --keepdb`` option or if the user has an active session
(such as an attacker's connection).

A randomly generated password is now used for each test run.

DNS rebinding vulnerability when ``DEBUG=True``
===============================================

Older versions of Django don't validate the ``Host`` header against
``settings.ALLOWED_HOSTS`` when ``settings.DEBUG=True``. This makes them
vulnerable to a `DNS rebinding attack
<https://benmmurphy.github.io/blog/2016/07/11/rails-webconsole-dns-rebinding/>`_.

While Django doesn't ship a module that allows remote code execution, this is
at least a cross-site scripting vector, which could be quite serious if
developers load a copy of the production database in development or connect to
some production services for which there's no development instance, for
example. If a project uses a package like the ``django-debug-toolbar``, then
the attacker could execute arbitrary SQL, which could be especially bad if the
developers connect to the database with a superuser account.

``settings.ALLOWED_HOSTS`` is now validated regardless of ``DEBUG``. For
convenience, if ``ALLOWED_HOSTS`` is empty and ``DEBUG=True``, the following
variations of localhost are allowed ``['localhost', '127.0.0.1', '::1']``. If
your local settings file has your production ``ALLOWED_HOSTS`` value, you must
now omit it to get those fallback values.

Bugfixes
========

* Allowed ``User.is_authenticated`` and ``User.is_anonymous`` properties to be
tested for ``set`` membership (:ticket:`27309`).

* Fixed a performance regression when running ``migrate`` in projects
with ``RenameModel`` operations (:ticket:`27279`).

* Added ``model_name`` to the ``allow_migrate()`` calls in ``makemigrations``
(:ticket:`27200`).

* Made the ``JavaScriptCatalog`` view respect the ``packages`` argument;
previously it was ignored (:ticket:`27374`).

* Fixed ``QuerySet.bulk_create()`` on PostgreSQL when the number of objects is
a multiple plus one of ``batch_size`` (:ticket:`27385`).

* Prevented ``i18n_patterns()`` from using too much of the URL as the language
to fix a use case for ``prefix_default_language=False`` (:ticket:`27063`).

* Replaced a possibly incorrect redirect from ``SessionMiddleware`` when a
session is destroyed in a concurrent request with a ``SuspiciousOperation``
to indicate that the request can't be completed (:ticket:`27363`).


===========================

===========================

*October 1, 2016*

Django 1.10.2 fixes several bugs in 1.10.1.

Bugfixes
========

* Fixed a crash in MySQL database validation where ``SELECT sql_mode``
doesn't return a result (:ticket:`27180`).

* Allowed combining ``contrib.postgres.search.SearchQuery`` with more than one
``&`` or ``|`` operators (:ticket:`27143`).

* Disabled system check for URL patterns beginning with a '/' when
``APPEND_SLASH=False`` (:ticket:`27238`).

* Fixed model form ``default`` fallback for ``CheckboxSelectMultiple``,
``MultiWidget``, ``FileInput``, ``SplitDateTimeWidget``, ``SelectDateWidget``,
and ``SplitArrayWidget`` (:ticket:`27186`). Custom widgets affected by this
issue should implement :meth:`~django.forms.Widget.value_omitted_from_data`.

* Fixed a crash in ``runserver`` logging during a "Broken pipe" error
(:ticket:`27271`).

* Fixed a regression where unchanged localized date/time fields were listed as
changed in the admin's model history messages (:ticket:`27302`).


===========================

===========================

*September 1, 2016*

Django 1.10.1 fixes several bugs in 1.10.

Bugfixes
========

* Fixed a crash in MySQL connections where ``SELECT SQL_AUTO_IS_NULL``
doesn't return a result (:ticket:`26991`).

* Allowed ``User.is_authenticated`` and ``User.is_anonymous`` properties to be
compared using ``==``, ``!=``, and ``|`` (:ticket:`26988`, :ticket:`27154`).

* Removed the broken ``BaseCommand.usage()`` method which was for
``optparse`` support (:ticket:`27000`).

* Fixed a checks framework crash with an empty ``Meta.default_permissions``
(:ticket:`26997`).

* Fixed a regression in the number of queries when using ``RadioSelect`` with a
``ModelChoiceField`` form field (:ticket:`27001`).

* Fixed a crash if ``request.META['CONTENT_LENGTH']`` is an empty string
(:ticket:`27005`).

* Fixed the ``isnull`` lookup on a ``ForeignKey`` with its ``to_field``
pointing to a ``CharField`` or pointing to a ``CharField`` defined with
``primary_key=True`` (:ticket:`26983`).

* Prevented the ``migrate`` command from raising
``InconsistentMigrationHistory`` in the presence of unapplied squashed
migrations (:ticket:`27004`).

* Fixed a regression in ``Client.force_login()`` which required specifying a
``backend`` rather than automatically using the first one if multiple
backends are configured (:ticket:`27027`).

* Made ``QuerySet.bulk_create()`` properly initialize model instances on
backends, such as PostgreSQL, that support returning the IDs of the created
records so that many-to-many relationships can be used on the new objects
(:ticket:`27026`).

* Fixed crash of ``django.views.static.serve()`` with ``show_indexes`` enabled
(:ticket:`26973`).

* Fixed ``ClearableFileInput`` to avoid the ``required`` HTML attribute when
initial data exists (:ticket:`27037`).

* Fixed annotations with database functions when combined with lookups on
PostGIS (:ticket:`27014`).

* Reallowed the ``{% for %}`` tag to unpack any iterable (:ticket:`27058`).

* Made ``makemigrations`` skip inconsistent history checks on non-default
databases if database routers aren't in use or if no apps can be migrated
to the database (:ticket:`27054`, :ticket:`27110`, :ticket:`27142`).

* Removed duplicated managers in ``Model._meta.managers`` (:ticket:`27073`).

* Fixed ``contrib.admindocs`` crash when a view is in a class, such as some of
the admin views (:ticket:`27018`).

* Reverted a few admin checks that checked ``field.many_to_many`` back to
``isinstance(field, models.ManyToManyField)`` since it turned out the checks
weren't suitable to be generalized like that (:ticket:`26998`).

* Added the database alias to the ``InconsistentMigrationHistory`` message
raised by ``makemigrations`` and ``migrate`` (:ticket:`27089`).

* Fixed the creation of ``ContentType`` and ``Permission`` objects for models
of applications without migrations when calling the ``migrate`` command with
no migrations to apply (:ticket:`27044`).

* Included the already applied migration state changes in the ``Apps`` instance
provided to the ``pre_migrate`` signal receivers to allow ``ContentType``
renaming to be performed on model rename (:ticket:`27100`).

* Reallowed subclassing ``UserCreationForm`` without ``USERNAME_FIELD`` in
``Meta.fields`` (:ticket:`27111`).

* Fixed a regression in model forms where model fields with a ``default`` that
didn't appear in POST data no longer used the ``default`` (:ticket:`27039`).


=========================