Django

==========================

*June 1, 2018*

Django 2.0.6 fixes several bugs in 2.0.5.

Bugfixes
========

* Fixed a regression that broke custom template filters that use decorators
(:ticket:`29400`).

* Fixed detection of custom URL converters in included patterns
(:ticket:`29415`).

* Fixed a regression that added an unnecessary subquery to the ``GROUP BY``
clause on MySQL when using a ``RawSQL`` annotation (:ticket:`29416`).

* Fixed ``WKBWriter.write()`` and ``write_hex()`` for empty polygons on
GEOS 3.6.1+ (:ticket:`29460`).

* Fixed a regression in Django 1.10 that could result in large memory usage
when making edits using ``ModelAdmin.list_editable`` (:ticket:`28462`).


==========================

==========================

*May 1, 2018*

Django 2.0.5 fixes several bugs in 2.0.4.

Bugfixes
========

* Corrected the import paths that ``inspectdb`` generates for
``django.contrib.postgres`` fields (:ticket:`29307`).

* Fixed a regression in Django 1.11.8 where altering a field with a unique
constraint may drop and rebuild more foreign keys than necessary
(:ticket:`29193`).

* Fixed crashes in ``django.contrib.admindocs`` when a view is a callable
object, such as ``django.contrib.syndication.views.Feed`` (:ticket:`29296`).

* Fixed a regression in Django 2.0.4 where ``QuerySet.values()`` or
``values_list()`` after combining an annotated and unannotated queryset with
``union()``, ``difference()``, or ``intersection()`` crashed due to mismatching
columns (:ticket:`29286`).


==========================

==========================

*April 2, 2018*

Django 2.0.4 fixes several bugs in 2.0.3.

Bugfixes
========

* Fixed a crash when filtering with an ``Exists()`` annotation of a queryset
containing a single field (:ticket:`29195`).

* Fixed admin autocomplete widget's translations for ``zh-hans`` and
``zh-hant`` languages (:ticket:`29213`).

* Corrected admin's autocomplete widget to add a space after custom classes
(:ticket:`29221`).

* Fixed ``PasswordResetConfirmView`` crash when using a user model with a
``UUIDField`` primary key and the reset URL contains an encoded primary key
value that decodes to an invalid UUID (:ticket:`29206`).

* Fixed a regression in Django 1.11.8 where combining two annotated
``values_list()`` querysets with ``union()``, ``difference()``, or
``intersection()`` crashed due to mismatching columns (:ticket:`29229`).

* Fixed a regression in Django 1.11 where an empty choice could be initially
selected for the ``SelectMultiple`` and ``CheckboxSelectMultiple`` widgets
(:ticket:`29273`).

* Fixed a regression in Django 2.0 where ``OpenLayersWidget`` deserialization
ignored the widget map's SRID and assumed 4326 (WGS84) (:ticket:`29116`).


==========================

==========================

*March 6, 2018*

Django 2.0.3 fixes two security issues and several bugs in 2.0.2. Also, the
latest string translations from Transifex are incorporated.

CVE-2018-7536: Denial-of-service possibility in ``urlize`` and ``urlizetrunc`` template filters
===============================================================================================

The ``django.utils.html.urlize()`` function was extremely slow to evaluate
certain inputs due to catastrophic backtracking vulnerabilities in two regular
expressions. The ``urlize()`` function is used to implement the ``urlize`` and
``urlizetrunc`` template filters, which were thus vulnerable.

The problematic regular expressions are replaced with parsing logic that
behaves similarly.

CVE-2018-7537: Denial-of-service possibility in ``truncatechars_html`` and ``truncatewords_html`` template filters
==================================================================================================================

If ``django.utils.text.Truncator``'s ``chars()`` and ``words()`` methods were
passed the ``html=True`` argument, they were extremely slow to evaluate certain
inputs due to a catastrophic backtracking vulnerability in a regular
expression. The ``chars()`` and ``words()`` methods are used to implement the
``truncatechars_html`` and ``truncatewords_html`` template filters, which were
thus vulnerable.

The backtracking problem in the regular expression is fixed.

Bugfixes
========

* Fixed a regression that caused sliced ``QuerySet.distinct().order_by()``
followed by ``count()`` to crash (:ticket:`29108`).

* Prioritized the datetime and time input formats without ``%f`` for the Thai
locale to fix the admin time picker widget displaying "undefined"
(:ticket:`29109`).

* Fixed crash with ``QuerySet.order_by(Exists(...))`` (:ticket:`29118`).

* Made ``Q.deconstruct()`` deterministic with multiple keyword arguments
(:ticket:`29125`). You may need to modify ``Q``'s in existing migrations, or
accept an autogenerated migration.

* Fixed a regression where a ``When()`` expression with a list argument crashes
(:ticket:`29166`).

* Fixed crash when using a ``Window()`` expression in a subquery
(:ticket:`29172`).

* Fixed ``AbstractBaseUser.normalize_username()`` crash if the ``username``
argument isn't a string (:ticket:`29176`).


==========================

==========================

*February 1, 2018*

Django 2.0.2 fixes a security issue and several bugs in 2.0.1.

CVE-2018-6188: Information leakage in ``AuthenticationForm``
============================================================

A regression in Django 1.11.8 made
:class:`~django.contrib.auth.forms.AuthenticationForm` run its
``confirm_login_allowed()`` method even if an incorrect password is entered.
This can leak information about a user, depending on what messages
``confirm_login_allowed()`` raises. If ``confirm_login_allowed()`` isn't
overridden, an attacker enter an arbitrary username and see if that user has
been set to ``is_active=False``. If ``confirm_login_allowed()`` is overridden,
more sensitive details could be leaked.

This issue is fixed with the caveat that ``AuthenticationForm`` can no longer
raise the "This account is inactive." error if the authentication backend
rejects inactive users (the default authentication backend, ``ModelBackend``,
has done that since Django 1.10). This issue will be revisited for Django 2.1
as a fix to address the caveat will likely be too invasive for inclusion in
older versions.

Bugfixes
========

* Fixed hidden content at the bottom of the "The install worked successfully!"
page for some languages (:ticket:`28885`).

* Fixed incorrect foreign key nullification if a model has two foreign keys to
the same model and a target model is deleted (:ticket:`29016`).

* Fixed regression in the use of ``QuerySet.values_list(..., flat=True)``
followed by ``annotate()`` (:ticket:`29067`).

* Fixed a regression where a queryset that annotates with geometry objects
crashes (:ticket:`29054`).

* Fixed a regression where ``contrib.auth.authenticate()`` crashes if an
authentication backend doesn't accept ``request`` and a later one does
(:ticket:`29071`).

* Fixed a regression where ``makemigrations`` crashes if a migrations directory
doesn't have an ``__init__.py`` file (:ticket:`29091`).

* Fixed crash when entering an invalid uuid in ``ModelAdmin.raw_id_fields``
(:ticket:`29094`).


==========================

==========================

*January 1, 2018*

Django 2.0.1 fixes several bugs in 2.0.

Bugfixes
========

* Fixed a regression in Django 1.11 that added newlines between ``MultiWidget``'s
subwidgets (:ticket:`28890`).

* Fixed incorrect class-based model index name generation for models with
quoted ``db_table`` (:ticket:`28876`).

* Fixed incorrect foreign key constraint name for models with quoted
``db_table`` (:ticket:`28876`).

* Fixed a regression in caching of a ``GenericForeignKey`` when the referenced
model instance uses more than one level of multi-table inheritance
(:ticket:`28856`).

* Reallowed filtering a queryset with ``GeometryField=None`` (:ticket:`28896`).

* Corrected admin check to allow a ``OneToOneField`` in
``ModelAdmin.autocomplete_fields`` (:ticket:`28898`).

* Fixed a regression on SQLite where ``DecimalField`` returned a result with
trailing zeros in the fractional part truncated (:ticket:`28915`).

* Fixed crash in the ``testserver`` command startup (:ticket:`28941`).

* Fixed crash when coercing a translatable URL pattern to ``str``
(:ticket:`28947`).

* Fixed crash on SQLite when renaming a field in a model referenced by a
``ManyToManyField`` (:ticket:`28884`).

* Fixed a crash when chaining ``values()`` or ``values_list()`` after
``QuerySet.select_for_update(of=(...))`` (:ticket:`28944`).

* Fixed admin changelist crash when using a query expression in the page's
ordering (:ticket:`28958`).


========================