Django

Latest version: v5.1.3


===================
1.9.10 (Not secure)
===================

*September 26, 2016*

Django 1.9.10 fixes a security issue in 1.9.9.

CSRF protection bypass on a site with Google Analytics
======================================================

An interaction between Google Analytics and Django's cookie parsing could allow
an attacker to set arbitrary cookies leading to a bypass of CSRF protection.

The parser for ``request.COOKIES`` is simplified to better match the behavior
of browsers and to mitigate this attack. ``request.COOKIES`` may now contain
cookies that are invalid according to :rfc:`6265` but are possible to set via
``document.cookie``.
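As an added example (not Django's own code), the parser below implements the browser-like strategy the note describes: split the ``Cookie`` header on ``;``, split each chunk on its first ``=``, strip whitespace, and keep the pair even when it is not valid per :rfc:`6265`. It is compared with the grammar-based parser in Python's ``http.cookies`` on two constructed headers. The cookie names and values, the ``__utmz``-shaped value, and the ``csrf_cookie_matches`` helper are assumptions for illustration, not anything Django ships.

```python
"""Browser-like cookie parsing versus a grammar-based parser.

Added example, not Django's code. For CSRF's double-submit check the property
that matters is that the server sees exactly the cookies the browser holds,
including the same ``csrftoken``. A server-side parser whose grammar differs
from the browser's lets someone who can influence one cookie value change what
the server sees without changing what the browser holds.
"""
from http.cookies import SimpleCookie, _unquote  # _unquote: private CPython helper


def parse_cookie_lenient(header):
    """Parse a Cookie header the way document.cookie exposes it: split on ';',
    then on the first '=', strip whitespace, and keep every pair whether or
    not its characters are legal under RFC 6265."""
    cookies = {}
    for chunk in header.split(";"):
        if "=" in chunk:
            key, val = chunk.split("=", 1)
        else:
            key, val = "", chunk
        key, val = key.strip(), val.strip()
        if key or val:
            # Only a matching pair of surrounding double quotes is removed.
            cookies[key] = _unquote(val)
    return cookies


def parse_cookie_stdlib(header):
    """What the grammar-based stdlib parser extracts from the same header."""
    jar = SimpleCookie()
    try:
        jar.load(header)
    except Exception:  # CookieError on an illegal key: treat as nothing parsed
        return {}
    return {name: morsel.value for name, morsel in jar.items()}


# Constructed header 1 (assumption): a value shaped like a Google Analytics
# __utmz cookie whose referrer-derived part contains a space and a double
# quote. Both are illegal per RFC 6265, yet document.cookie stores them and
# the browser sends the header as is. The stdlib grammar stops at the quote
# and never reaches csrftoken.
RAW_HEADER = (
    '__utmz=1.2.utmcsr=example.org|utmccn=(referral)|utmcct=/a b"c; '
    "csrftoken=abc123; sessionid=s1"
)

# Constructed header 2 (assumption): two cookies set via document.cookie, one
# whose value starts with a double quote and one whose value ends with one.
# The browser holds three cookies; the stdlib quoted-string rule reads the
# middle one as part of the first, so csrftoken disappears from the server's
# view while the browser still sends it.
QUOTED_HEADER = 'a="b; csrftoken=real; c=d"'


def csrf_cookie_matches(header, form_token):
    """Double-submit check as the lenient parser sees it: the token in the
    request body must equal the csrftoken cookie the browser sent.
    Hypothetical helper, not Django's CsrfViewMiddleware."""
    token = parse_cookie_lenient(header).get("csrftoken")
    return token is not None and token == form_token


if __name__ == "__main__":
    for header in (RAW_HEADER, QUOTED_HEADER):
        print("header: ", header)
        print("lenient:", parse_cookie_lenient(header))
        print("stdlib: ", parse_cookie_stdlib(header))
        print()
```

Run it directly to see both views side by side. The lenient parser returns ``csrftoken`` for both headers, matching what the browser holds; the stdlib parser returns no ``csrftoken`` for either, because its grammar either stops early or swallows the neighbouring pair into a quoted value.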


==================
1.9.9 (Not secure)
==================

*August 1, 2016*

Django 1.9.9 fixes several bugs in 1.9.8.

Bugfixes
========

* Fixed invalid HTML in template postmortem on the debug page
  (:ticket:`26938`).

* Fixed some GIS database function crashes on MySQL 5.7 (:ticket:`26657`).


==================
1.9.8 (Not secure)
==================

*July 18, 2016*

Django 1.9.8 fixes a security issue and several bugs in 1.9.7.

XSS in admin's add/change related popup
=======================================

Unsafe usage of JavaScript's ``Element.innerHTML`` could result in XSS in the
admin's add/change related popup. ``Element.textContent`` is now used to
prevent execution of the data.

The debug view also used ``innerHTML``. Although a security issue wasn't
identified there, out of an abundance of caution it's also updated to use
``textContent``.

Bugfixes
========

* Fixed missing ``varchar/text_pattern_ops`` index on ``CharField`` and
  ``TextField`` respectively when using ``AddField`` on PostgreSQL
  (:ticket:`26889`).

* Fixed ``makemessages`` crash on Python 2 with non-ASCII file names
  (:ticket:`26897`).


==================
1.9.7 (Not secure)
==================

*June 4, 2016*

Django 1.9.7 fixes several bugs in 1.9.6.

Bugfixes
========

* Removed the need for the ``request`` context processor on the admin login
  page to fix a regression in 1.9 (:ticket:`26558`).

* Fixed translation of password validators' ``help_text`` in forms
  (:ticket:`26544`).

* Fixed a regression causing the cached template loader to crash when using
  lazy template names (:ticket:`26603`).

* Fixed ``on_commit`` callbacks execution order when callbacks make
  transactions (:ticket:`26627`).

* Fixed ``HStoreField`` to raise a ``ValidationError`` instead of crashing on
  non-dictionary JSON input (:ticket:`26672`).

* Fixed ``dbshell`` crash on PostgreSQL with an empty database name
  (:ticket:`26698`).

* Fixed a regression in queries on a ``OneToOneField`` that has ``to_field``
  and ``primary_key=True`` (:ticket:`26667`).


==================
1.9.6 (Not secure)
==================

*May 2, 2016*

Django 1.9.6 fixes several bugs in 1.9.5.

Bugfixes
========

* Added support for relative path redirects to the test client and to
  ``SimpleTestCase.assertRedirects()`` because Django 1.9 no longer converts
  redirects to absolute URIs (:ticket:`26428`).

* Fixed ``TimeField`` microseconds round-tripping on MySQL and SQLite
  (:ticket:`26498`).

* Prevented ``makemigrations`` from generating infinite migrations for a model
  field that references a ``functools.partial`` (:ticket:`26475`).

* Fixed a regression where ``SessionBase.pop()`` returned ``None`` rather than
  raising a ``KeyError`` for nonexistent values (:ticket:`26520`).

* Fixed a regression causing the cached template loader to crash when using
  template names starting with a dash (:ticket:`26536`).

* Restored conversion of an empty string to null when saving values of
  ``GenericIPAddressField`` on SQLite and MySQL (:ticket:`26557`).

* Fixed a ``makemessages`` regression where temporary ``.py`` extensions were
  leaked in source file paths (:ticket:`26341`).


==================
1.9.5 (Not secure)
==================

*April 1, 2016*

Django 1.9.5 fixes several bugs in 1.9.4.

Bugfixes
========

* Made ``MultiPartParser`` ignore filenames that normalize to an empty string
  to fix a crash in ``MemoryFileUploadHandler`` on specially crafted user input
  (:ticket:`26325`).

* Fixed a race condition in ``BaseCache.get_or_set()`` (:ticket:`26332`). It
  now returns the ``default`` value instead of ``False`` if there's an error
  when trying to add the value to the cache.

* Fixed data loss on SQLite where ``DurationField`` values with fractional
  seconds could be saved as ``None`` (:ticket:`26324`).

* The forms in ``contrib.auth`` no longer strip leading and trailing whitespace
  from the password fields (:ticket:`26334`). This restores compatibility with
  passwords set on earlier versions of Django; users who set a password
  containing such whitespace after a site was upgraded to Django 1.9 will need
  to reset it.

* Fixed a memory leak in the cached template loader (:ticket:`26306`).

* Fixed a regression that caused ``collectstatic --clear`` to fail if the
  storage doesn't implement ``path()`` (:ticket:`26297`).

* Fixed a crash when using a reverse lookup with a subquery when a
  ``ForeignKey`` has a ``to_field`` set to something other than the primary key
  (:ticket:`26373`).

* Fixed a regression in ``CommonMiddleware`` that caused spurious warnings in
  logs on requests missing a trailing slash (:ticket:`26293`).

* Restored the functionality of the admin's ``raw_id_fields`` in
  ``list_editable`` (:ticket:`26387`).

* Fixed a regression with abstract model inheritance and explicit parent links
  (:ticket:`26413`).

* Fixed a migrations crash on SQLite when renaming the primary key of a model
  containing a ``ForeignKey`` to ``'self'`` (:ticket:`26384`).

* Fixed ``JSONField`` inadvertently escaping its contents when displaying values
  after failed form validation (:ticket:`25532`).



© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.