Django

===========================

*March 1, 2016*

Django 1.8.10 fixes two security issues and several bugs in 1.8.9.

CVE-2016-2512: Malicious redirect and possible XSS attack via user-supplied redirect URLs containing basic auth
===============================================================================================================

Django relies on user input in some cases (e.g.
``django.contrib.auth.views.login()`` and :doc:`i18n </topics/i18n/index>`)
to redirect the user to an "on success" URL. The security check for these
redirects (namely ``django.utils.http.is_safe_url()``) considered some URLs
with basic authentication credentials "safe" when they shouldn't be.

For example, a URL like ``http://mysite.example.com\attacker.com`` would be
considered safe if the request's host is ``http://mysite.example.com``, but
redirecting to this URL sends the user to ``attacker.com``.

Also, if a developer relies on ``is_safe_url()`` to provide safe redirect
targets and puts such a URL into a link, they could suffer from an XSS attack.

CVE-2016-2513: User enumeration through timing difference on password hasher work factor upgrade
================================================================================================

In each major version of Django since 1.6, the default number of iterations for
the ``PBKDF2PasswordHasher`` and its subclasses has increased. This improves
the security of the password as the speed of hardware increases, however, it
also creates a timing difference between a login request for a user with a
password encoded in an older number of iterations and login request for a
nonexistent user (which runs the default hasher's default number of iterations
since Django 1.6).

This only affects users who haven't logged in since the iterations were
increased. The first time a user logs in after an iterations increase, their
password is updated with the new iterations and there is no longer a timing
difference.

The new ``BasePasswordHasher.harden_runtime()`` method allows hashers to bridge
the runtime gap between the work factor (e.g. iterations) supplied in existing
encoded passwords and the default work factor of the hasher. This method
is implemented for ``PBKDF2PasswordHasher`` and ``BCryptPasswordHasher``.
The number of rounds for the latter hasher hasn't changed since Django 1.4, but
some projects may subclass it and increase the work factor as needed.

A warning will be emitted for any :ref:`third-party password hashers that don't
implement <write-your-own-password-hasher>` a ``harden_runtime()`` method.

If you have different password hashes in your database (such as SHA1 hashes
from users who haven't logged in since the default hasher switched to PBKDF2
in Django 1.4), the timing difference on a login request for these users may be
even greater and this fix doesn't remedy that difference (or any difference
when changing hashers). You may be able to :ref:`upgrade those hashes
<wrapping-password-hashers>` to prevent a timing attack for that case.

Bugfixes
========

* Fixed a crash on PostgreSQL that prevented using ``TIME_ZONE=None`` and
``USE_TZ=False`` (:ticket:`26177`).

* Added system checks for query name clashes of hidden relationships
(:ticket:`26162`).

* Made ``forms.FileField`` and ``utils.translation.lazy_number()`` picklable
(:ticket:`26212`).

* Fixed :class:`~django.contrib.postgres.fields.RangeField` and
:class:`~django.contrib.postgres.fields.ArrayField` serialization with
``None`` values (:ticket:`26215`).

* Reallowed dashes in top-level domain names of URLs checked by
``URLValidator`` to fix a regression in Django 1.8 (:ticket:`26204`).

* Fixed ``BoundField`` to reallow slices of subwidgets (:ticket:`26267`).

* Prevented ``ContentTypeManager`` instances from sharing their cache
(:ticket:`26286`).


==========================

==========================

*February 1, 2016*

Django 1.8.9 fixes several bugs in 1.8.8.

Bugfixes
========

* Fixed a regression that caused the "user-tools" items to display on the
admin's logout page (:ticket:`26035`).

* Fixed a crash in the translations system when the current language has no
translations (:ticket:`26046`).

* Fixed a regression that caused the incorrect day to be selected when opening
the admin calendar widget for timezones from GMT+0100 to GMT+1200
(:ticket:`24980`).

* Fixed a regression in 1.8.8 causing incorrect index handling in migrations on
PostgreSQL when adding ``db_index=True`` or ``unique=True`` to a
``CharField`` or ``TextField`` that already had the other specified, or when
removing one of them from a field that had both, or when adding
``unique=True`` to a field already listed in ``unique_together``
(:ticket:`26034`).

* Fixed a crash when using an ``__in`` lookup inside a ``Case`` expression
(:ticket:`26071`).

* Fixed a crash when using a reverse ``OneToOneField`` in
``ModelAdmin.readonly_fields`` (:ticket:`26060`).

* Fixed a regression in Django 1.8.5 that broke copying a ``SimpleLazyObject``
with ``copy.copy()`` (:ticket:`26122`).

* Fixed the ``contrib.gis`` map widgets when using
``USE_THOUSAND_SEPARATOR=True`` (:ticket:`20415`).


==========================

==========================

*January 2, 2016*

Django 1.8.8 fixes several bugs in 1.8.7.

Python 3.2 users, please be advised that we've decided to drop support for
Python 3.2 in Django 1.8.x at the end of 2016. We won't break things
intentionally after that, but we won't test subsequent releases against Python
3.2 either. Upstream support for Python 3.2 ends February 2016 so we don't find
much value in providing security updates for a version of Python that could be
insecure. To read more about the decision and to let us know if this will be
problematic for you, please read the `django-developers thread
<https://groups.google.com/g/django-developers/c/eMu5UQpUdWs/discussion>`_.

Bugfixes
========

* Fixed incorrect ``unique_together`` field name generation by ``inspectdb``
(:ticket:`25274`).

* Corrected ``__len`` query lookup on ``ArrayField`` for empty arrays
(:ticket:`25772`).

* Restored the ability to use custom formats from ``formats.py`` with
``django.utils.formats.get_format()`` and the ``date`` template filter
(:ticket:`25812`).

* Fixed a state bug when migrating a ``SeparateDatabaseAndState`` operation
backwards (:ticket:`25896`).

* Fixed missing ``varchar/text_pattern_ops`` index on ``CharField`` and
``TextField`` respectively when using ``AlterField`` on PostgreSQL
(:ticket:`25412`).

* Fixed a state bug when using an ``AlterModelManagers`` operation
(:ticket:`25852`).

* Fixed a regression which prevented using a language not in Django's default
language list (:setting:`LANGUAGES`) (:ticket:`25915`).

* ``django.views.decorators.cache.never_cache()`` now sends more persuasive
headers (added ``no-cache, no-store, must-revalidate`` to ``Cache-Control``)
to better prevent caching (:ticket:`13008`). This fixes a problem where a
page refresh in Firefox cleared the selected entries in the admin's
``filter_horizontal`` and ``filter_vertical`` widgets, which could result
in inadvertent data loss if a user didn't notice that and then submitted the
form (:ticket:`22955`).

* Fixed a regression in the admin which ignored line breaks in read-only fields
instead of converting them to ``<br>`` (:ticket:`25465`).

* Made ``loaddata`` skip disabling and enabling database constraints when it
doesn't load any fixtures (:ticket:`23372`).

* Fixed a crash in ``QuerySet.values()/values_list()`` after an ``annotate()``
and ``order_by()`` when ``values()/values_list()`` includes a field not in
the ``order_by()`` (:ticket:`25316`).


==========================

==========================

*November 24, 2015*

Django 1.8.7 fixes a security issue and several bugs in 1.8.6.

Additionally, Django's vendored version of six, ``django.utils.six``, has
been upgraded to the latest release (1.10.0).

Fixed settings leak possibility in ``date`` template filter
===========================================================

If an application allows users to specify an unvalidated format for dates and
passes this format to the :tfilter:`date` filter, e.g.
``{{ last_updated|date:user_date_format }}``, then a malicious user could
obtain any secret in the application's settings by specifying a settings key
instead of a date format. e.g. ``"SECRET_KEY"`` instead of ``"j/m/Y"``.

To remedy this, the underlying function used by the ``date`` template filter,
``django.utils.formats.get_format()``, now only allows accessing the date/time
formatting settings.

Bugfixes
========

* Fixed a crash of the debug view during the autumn DST change when
:setting:`USE_TZ` is ``False`` and ``pytz`` is installed.

* Fixed a regression in 1.8.6 that caused database routers without an
``allow_migrate()`` method to crash (:ticket:`25686`).

* Fixed a regression in 1.8.6 by restoring the ability to use ``Manager``
objects for the ``queryset`` argument of ``ModelChoiceField``
(:ticket:`25683`).

* Fixed a regression in 1.8.6 that caused an application with South migrations
in the ``migrations`` directory to fail (:ticket:`25618`).

* Fixed a data loss possibility with :class:`~django.db.models.Prefetch` if
``to_attr`` is set to a ``ManyToManyField`` (:ticket:`25693`).

* Fixed a regression in 1.8 by making ``gettext()`` once again return UTF-8
bytestrings on Python 2 if the input is a bytestring (:ticket:`25720`).

* Fixed serialization of
:class:`~django.contrib.postgres.fields.DateRangeField` and
:class:`~django.contrib.postgres.fields.DateTimeRangeField` (:ticket:`24937`).

* Fixed the exact lookup of ``ArrayField`` (:ticket:`25666`).

* Fixed ``Model.refresh_from_db()`` updating of ``ForeignKey`` fields with
``on_delete=models.SET_NULL`` (:ticket:`25715`).

* Fixed a duplicate query regression in 1.8 on proxied model deletion
(:ticket:`25685`).

* Fixed ``set_FOO_order()`` crash when the ``ForeignKey`` of a model with
``order_with_respect_to`` references a model with a ``OneToOneField``
primary key (:ticket:`25786`).

* Fixed incorrect validation for ``PositiveIntegerField`` and
``PositiveSmallIntegerField`` on MySQL resulting in values greater than
4294967295 or 65535, respectively, passing validation and being silently
truncated by the database (:ticket:`25767`).


==========================

==========================

*November 4, 2015*

Django 1.8.6 adds official support for Python 3.5 and fixes several bugs in
1.8.5.

Bugfixes
========

* Fixed a regression causing ``ModelChoiceField`` to ignore
``prefetch_related()`` on its queryset (:ticket:`25496`).

* Allowed "mode=memory" in SQLite test database name if supported
(:ticket:`12118`).

* Fixed system check crash on ``ForeignKey`` to abstract model
(:ticket:`25503`).

* Fixed incorrect queries when you have multiple ``ManyToManyField``\s on
different models that have the same field name, point to the same model, and
have their reverse relations disabled (:ticket:`25545`).

* Allowed filtering over a ``RawSQL`` annotation (:ticket:`25506`).

* Made the ``Concat`` database function idempotent on SQLite (:ticket:`25517`).

* Avoided a confusing stack trace when starting :djadmin:`runserver` with an
invalid :setting:`INSTALLED_APPS` setting (:ticket:`25510`). This regression
appeared in 1.8.5 as a side effect of fixing :ticket:`24704`.

* Made deferred models use their proxied model's ``_meta.apps`` for caching
and retrieval (:ticket:`25563`). This prevents any models generated in data
migrations using ``QuerySet.defer()`` from leaking to test and application
code.

* Fixed a typo in the name of the ``strictly_above`` PostGIS lookup
(:ticket:`25592`).

* Fixed crash with ``contrib.postgres.forms.SplitArrayField`` and
``IntegerField`` on invalid value (:ticket:`25597`).

* Added a helpful error message when Django and South migrations exist in the
same directory (:ticket:`25618`).

* Fixed a regression in ``URLValidator`` that allowed URLs with consecutive
dots in the domain section (like ``http://example..com/``) to pass
(:ticket:`25620`).

* Fixed a crash with ``GenericRelation`` and
``BaseModelAdmin.to_field_allowed`` (:ticket:`25622`).


==========================

==========================

*October 3, 2015*

Django 1.8.5 fixes several bugs in 1.8.4.

Bugfixes
========

* Made the development server's autoreload more robust (:ticket:`24704`).

* Fixed ``AssertionError`` in some delete queries with a model containing a
field that is both a foreign and primary key (:ticket:`24951`).

* Fixed ``AssertionError`` in some complex queries (:ticket:`24525`).

* Fixed a migrations crash with ``GenericForeignKey`` (:ticket:`25040`).

* Made ``translation.override()`` clear the overridden language when a
translation isn't initially active (:ticket:`25295`).

* Fixed crash when using a value in ``ModelAdmin.list_display`` that clashed
with a reverse field on the model (:ticket:`25299`).

* Fixed autocompletion for options of non-``argparse`` management commands
(:ticket:`25372`).

* Alphabetized ordering of imports in ``from django.db import migrations,
models`` statement in newly created migrations (:ticket:`25384`).

* Fixed migrations crash on MySQL when adding a text or a blob field with an
unhashable default (:ticket:`25393`).

* Changed ``Count`` queries to execute ``COUNT(*)`` instead of ``COUNT('*')``
as versions of Django before 1.8 did (:ticket:`25377`). This may fix a
performance regression on some databases.

* Fixed custom queryset chaining with ``values()`` and ``values_list()``
(:ticket:`20625`).

* Moved the :ref:`unsaved model instance assignment data loss check
<unsaved-model-instance-check-18>` on reverse relations to ``Model.save()``
(:ticket:`25160`).

* Readded inline foreign keys to form instances when validating model formsets
(:ticket:`25431`).

* Allowed using ORM write methods after disabling autocommit with
:func:`set_autocommit(False) <django.db.transaction.set_autocommit>`
(:ticket:`24921`).

* Fixed the ``manage.py test --keepdb`` option on Oracle (:ticket:`25421`).

* Fixed incorrect queries with multiple many-to-many fields on a model with the
same 'to' model and with ``related_name`` set to '+' (:ticket:`24505`,
:ticket:`25486`).

* Fixed pickling a ``SimpleLazyObject`` wrapping a model (:ticket:`25389`).


==========================