Django

Latest version: v5.1.3


============
Django 1.8.6
============

Not secure

*November 4, 2015*

Django 1.8.6 adds official support for Python 3.5 and fixes several bugs in
1.8.5.

Bugfixes
========

* Fixed a regression causing ``ModelChoiceField`` to ignore
``prefetch_related()`` on its queryset (:ticket:`25496`).

* Allowed "mode=memory" in SQLite test database name if supported
(:ticket:`12118`).

* Fixed system check crash on ``ForeignKey`` to abstract model
(:ticket:`25503`).

* Fixed incorrect queries when you have multiple ``ManyToManyField``\s on
different models that have the same field name, point to the same model, and
have their reverse relations disabled (:ticket:`25545`).

* Allowed filtering over a ``RawSQL`` annotation (:ticket:`25506`).

* Made the ``Concat`` database function idempotent on SQLite (:ticket:`25517`).

* Avoided a confusing stack trace when starting :djadmin:`runserver` with an
invalid :setting:`INSTALLED_APPS` setting (:ticket:`25510`). This regression
appeared in 1.8.5 as a side effect of fixing :ticket:`24704`.

* Made deferred models use their proxied model's ``_meta.apps`` for caching
and retrieval (:ticket:`25563`). This prevents any models generated in data
migrations using ``QuerySet.defer()`` from leaking to test and application
code.

* Fixed a typo in the name of the ``strictly_above`` PostGIS lookup
(:ticket:`25592`).

* Fixed crash with ``contrib.postgres.forms.SplitArrayField`` and
``IntegerField`` on invalid value (:ticket:`25597`).

* Added a helpful error message when Django and South migrations exist in the
same directory (:ticket:`25618`).

* Fixed a regression in ``URLValidator`` that allowed URLs with consecutive
dots in the domain section (like ``http://example..com/``) to pass
(:ticket:`25620`).

* Fixed a crash with ``GenericRelation`` and
``BaseModelAdmin.to_field_allowed`` (:ticket:`25622`).

============
Django 1.8.5
============

Not secure

*October 3, 2015*

Django 1.8.5 fixes several bugs in 1.8.4.

Bugfixes
========

* Made the development server's autoreload more robust (:ticket:`24704`).

* Fixed ``AssertionError`` in some delete queries with a model containing a
field that is both a foreign and primary key (:ticket:`24951`).

* Fixed ``AssertionError`` in some complex queries (:ticket:`24525`).

* Fixed a migrations crash with ``GenericForeignKey`` (:ticket:`25040`).

* Made ``translation.override()`` clear the overridden language when a
translation isn't initially active (:ticket:`25295`).

* Fixed crash when using a value in ``ModelAdmin.list_display`` that clashed
with a reverse field on the model (:ticket:`25299`).

* Fixed autocompletion for options of non-``argparse`` management commands
(:ticket:`25372`).

* Alphabetized ordering of imports in ``from django.db import migrations,
models`` statement in newly created migrations (:ticket:`25384`).

* Fixed migrations crash on MySQL when adding a text or a blob field with an
unhashable default (:ticket:`25393`).

* Changed ``Count`` queries to execute ``COUNT(*)`` instead of ``COUNT('*')``
as versions of Django before 1.8 did (:ticket:`25377`). This may fix a
performance regression on some databases.

* Fixed custom queryset chaining with ``values()`` and ``values_list()``
(:ticket:`20625`).

* Moved the :ref:`unsaved model instance assignment data loss check
<unsaved-model-instance-check-18>` on reverse relations to ``Model.save()``
(:ticket:`25160`).

* Readded inline foreign keys to form instances when validating model formsets
(:ticket:`25431`).

* Allowed using ORM write methods after disabling autocommit with
:func:`set_autocommit(False) <django.db.transaction.set_autocommit>`
(:ticket:`24921`).

* Fixed the ``manage.py test --keepdb`` option on Oracle (:ticket:`25421`).

* Fixed incorrect queries with multiple many-to-many fields on a model with the
same 'to' model and with ``related_name`` set to '+' (:ticket:`24505`,
:ticket:`25486`).

* Fixed pickling a ``SimpleLazyObject`` wrapping a model (:ticket:`25389`).

============
Django 1.8.4
============

Not secure

*August 18, 2015*

Django 1.8.4 fixes a security issue and several bugs in 1.8.3.

Denial-of-service possibility in ``logout()`` view by filling session store
===========================================================================

Previously, a session could be created when anonymously accessing the
``django.contrib.auth.views.logout()`` view (provided it wasn't decorated
with :func:`~django.contrib.auth.decorators.login_required` as done in the
admin). This could allow an attacker to easily create many new session records
by sending repeated requests, potentially filling up the session store or
causing other users' session records to be evicted.

The :class:`~django.contrib.sessions.middleware.SessionMiddleware` has been
modified to no longer create empty session records, including when
:setting:`SESSION_SAVE_EVERY_REQUEST` is active.

Bugfixes
========

* Added the ability to serialize values from the newly added
:class:`~django.db.models.UUIDField` (:ticket:`25019`).

* Added a system check warning if the old ``TEMPLATE_*`` settings are defined
in addition to the new ``TEMPLATES`` setting.

* Fixed ``QuerySet.raw()`` so ``InvalidQuery`` is not raised when using the
``db_column`` name of a ``ForeignKey`` field with ``primary_key=True``
(:ticket:`12768`).

* Prevented an exception in ``TestCase.setUpTestData()`` from leaking the
transaction (:ticket:`25176`).

* Fixed ``has_changed()`` method in ``contrib.postgres.forms.HStoreField``
(:ticket:`25215`, :ticket:`25233`).

* Fixed the recording of squashed migrations when running the ``migrate``
command (:ticket:`25231`).

* Moved the :ref:`unsaved model instance assignment data loss check
<unsaved-model-instance-check-18>` to ``Model.save()`` to allow easier usage
of in-memory models (:ticket:`25160`).

* Prevented ``varchar_patterns_ops`` and ``text_patterns_ops`` indexes for
``ArrayField`` (:ticket:`25180`).

============
Django 1.8.3
============

Not secure

*July 8, 2015*

Django 1.8.3 fixes several security issues and bugs in 1.8.2.

Also, ``django.utils.deprecation.RemovedInDjango20Warning`` was renamed to
``RemovedInDjango110Warning`` as the version roadmap was revised to 1.9, 1.10,
1.11 (LTS), 2.0 (drops Python 2 support). For backwards compatibility,
``RemovedInDjango20Warning`` remains as an importable alias.

Denial-of-service possibility by filling session store
======================================================

In previous versions of Django, the session backends created a new empty record
in the session storage anytime ``request.session`` was accessed and there was a
session key provided in the request cookies that didn't already have a session
record. This could allow an attacker to easily create many new session records
simply by sending repeated requests with unknown session keys, potentially
filling up the session store or causing other users' session records to be
evicted.

The built-in session backends now create a session record only if the session
is actually modified; empty session records are not created. Thus this
potential DoS is now only possible if the site chooses to expose a
session-modifying view to anonymous users.

As each built-in session backend was fixed separately (rather than a fix in the
core sessions framework), maintainers of third-party session backends should
check whether the same vulnerability is present in their backend and correct
it if so.
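
The session-store exhaustion described in this note and in the 1.8.4 ``logout()`` note above, as an added illustration that is not Django's code: a toy bounded store (standing in for a cache backend that evicts oldest records first) and a request handler that can be switched between the old behaviour, which wrote an empty record for every unknown session key, and the fixed one, which writes only when the session was modified. The store, the eviction policy and the ``flood()`` scenario are constructed for this example.

```python
import secrets
from collections import OrderedDict


class BoundedStore:
    """Toy session storage with fixed capacity and oldest-first eviction
    (constructed stand-in for a cache-style backend)."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.records = OrderedDict()

    def save(self, key, data):
        self.records[key] = dict(data)
        while len(self.records) > self.capacity:
            self.records.popitem(last=False)  # evict the oldest record

    def load(self, key):
        return self.records.get(key)


def handle_request(store, cookie_key, legacy, modify=False):
    """One request through the session layer. cookie_key is the session key
    presented in the cookie (None if absent). Returns the key that would be
    sent back in Set-Cookie, or None when no cookie is issued.

    legacy=True: an unknown key (or an anonymous hit on a session-touching
    view) writes an empty record, as before 1.8.3.
    legacy=False: a record is written only if the session was modified."""
    data = store.load(cookie_key) if cookie_key else None
    session = {} if data is None else dict(data)
    modified = False
    if modify:
        session["touched"] = True
        modified = True
    if data is None:
        # Unknown or missing key: persisting means minting a fresh key.
        if legacy or modified:
            new_key = secrets.token_hex(16)
            store.save(new_key, session)
            return new_key
        return None
    if modified:
        store.save(cookie_key, session)
    return cookie_key


def flood(legacy, capacity=100, attacker_requests=500, view_modifies=False):
    """A logged-in user's session exists; many requests with random, unknown
    session keys follow. view_modifies=True models the remaining risk named
    in the note: a session-modifying view exposed to anonymous users.
    Returns (records held, whether the legitimate session survived)."""
    store = BoundedStore(capacity)
    user_key = handle_request(store, None, legacy, modify=True)
    for _ in range(attacker_requests):
        handle_request(store, secrets.token_hex(16), legacy, view_modifies)
    return len(store.records), store.load(user_key) is not None
```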

Header injection possibility since validators accept newlines in input
======================================================================

Some of Django's built-in validators
(:class:`~django.core.validators.EmailValidator`, most seriously) didn't
prohibit newline characters (due to the usage of ``$`` instead of ``\Z`` in the
regular expressions). If you use values with newlines in HTTP response or email
headers, you can suffer from header injection attacks. Django itself isn't
vulnerable because :class:`~django.http.HttpResponse` and the mail sending
utilities in :mod:`django.core.mail` prohibit newlines in HTTP and SMTP
headers, respectively. While the validators have been fixed in Django, if
you're creating HTTP responses or email messages in other ways, it's a good
idea to ensure that those methods prohibit newlines as well. You might also
want to validate that any existing data in your application doesn't contain
unexpected newlines.

:func:`~django.core.validators.validate_ipv4_address`,
:func:`~django.core.validators.validate_slug`, and
:class:`~django.core.validators.URLValidator` are also affected; however, as
of Django 1.6 the ``GenericIPAddressField``, ``IPAddressField``, ``SlugField``,
and ``URLField`` form fields which use these validators all strip the input, so
the possibility of newlines entering your data only exists if you are using
these validators outside of the form fields.

The undocumented, internally unused ``validate_integer()`` function is now
stricter as it validates using a regular expression instead of simply casting
the value using ``int()`` and checking if an exception was raised.
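
As an added illustration (not Django's code, and not its real validator patterns), the following shows why a pattern anchored with ``$`` accepts a value with a trailing newline while ``\Z`` does not, and how such a value ends the header section early once it is serialised by a helper that does not check for newlines. The email patterns, the message builder and the lenient parser are simplified stand-ins constructed for this example; ``check_header_value()`` models the CR/LF refusal the note credits to ``HttpResponse`` and ``django.core.mail``.

```python
import re

# Constructed stand-ins: the same pattern anchored with `$` (pre-1.8.3 style)
# and with `\Z` (the fix). Django's real regexes are considerably longer.
LOOSE_EMAIL = re.compile(r"^[^@\s]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
STRICT_EMAIL = re.compile(r"^[^@\s]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\Z")


def is_valid_email(value, strict=True):
    """`$` also matches just before a final '\\n'; `\\Z` only at the very end."""
    pattern = STRICT_EMAIL if strict else LOOSE_EMAIL
    return pattern.search(value) is not None


def check_header_value(value):
    """Refuse CR/LF outright, whatever upstream validation said."""
    if "\r" in value or "\n" in value:
        raise ValueError("newline in header value")
    return value


def render_message(headers, body, guard=False):
    """Naive CRLF-joined serialisation of (name, value) pairs plus a body.
    With guard=True every value passes through check_header_value()."""
    lines = []
    for name, value in headers:
        if guard:
            value = check_header_value(value)
        lines.append(f"{name}: {value}\r\n")
    return "".join(lines) + "\r\n" + body


def parse_message(wire):
    """Lenient parse, as mail and HTTP stacks commonly do: '\\r\\n' or a bare
    '\\n' ends a line, and the first empty line ends the header section.
    Returns (header names seen, body)."""
    lines = re.split(r"\r?\n", wire)
    names = []
    for idx, line in enumerate(lines):
        if line == "":
            return names, "\n".join(lines[idx + 1:])
        names.append(line.split(":", 1)[0])
    return names, ""


def send_with_validation(recipient, strict):
    """Validate the recipient the way a form field would, then build and
    re-parse the message. Returns the header names the receiver sees."""
    if not is_valid_email(recipient, strict):
        raise ValueError("invalid recipient")
    wire = render_message([("To", recipient), ("Subject", "Hello")], "hi")
    return parse_message(wire)[0]
```

With the loose pattern the recipient ``user@example.com\n`` is accepted and the receiver sees only a ``To`` header, the ``Subject`` line having slipped into the body; with ``\Z`` the value is rejected before any message is built.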

Denial-of-service possibility in URL validation
===============================================

:class:`~django.core.validators.URLValidator` included a regular expression
that was extremely slow to evaluate against certain invalid inputs. This regular
expression has been simplified and optimized.

Bugfixes
========

* Fixed ``BaseRangeField.prepare_value()`` to use each ``base_field``’s
``prepare_value()`` method (:ticket:`24841`).

* Fixed crash during :djadmin:`makemigrations` if a migrations module either
is missing ``__init__.py`` or is a file (:ticket:`24848`).

* Fixed ``QuerySet.exists()`` returning incorrect results after annotation with
``Count()`` (:ticket:`24835`).

* Corrected ``HStoreField.has_changed()`` (:ticket:`24844`).

* Reverted an optimization to the CSRF template context processor which caused
a regression (:ticket:`24836`).

* Fixed a regression which caused template context processors to overwrite
variables set on a ``RequestContext`` after it's created (:ticket:`24847`).

* Prevented the loss of ``null``/``not null`` column properties during field
renaming of MySQL databases (:ticket:`24817`).

* Fixed a crash when using a reverse one-to-one relation in
``ModelAdmin.list_display`` (:ticket:`24851`).

* Fixed quoting of SQL when renaming a field to ``AutoField`` in PostgreSQL
(:ticket:`24892`).

* Fixed lack of unique constraint when changing a field from
``primary_key=True`` to ``unique=True`` (:ticket:`24893`).

* Fixed queryset pickling when using ``prefetch_related()`` after deleting
objects (:ticket:`24831`).

* Allowed using ``choices`` longer than 1 day with ``DurationField``
(:ticket:`24897`).

* Fixed a crash when loading squashed migrations from two apps with a
dependency between them, where the dependent app's replaced migrations are
partially applied (:ticket:`24895`).

* Fixed recording of applied status for squashed (replacement) migrations
(:ticket:`24628`).

* Fixed queryset annotations when using ``Case`` expressions with ``exclude()``
(:ticket:`24833`).

* Corrected join promotion for multiple ``Case`` expressions. Annotating a
query with multiple ``Case`` expressions could unexpectedly filter out
results (:ticket:`24924`).

* Fixed usage of transforms in subqueries (:ticket:`24744`).

* Fixed ``SimpleTestCase.assertRaisesMessage()`` on Python 2.7.10
(:ticket:`24903`).

* Provided better backwards compatibility for the ``verbosity`` argument in
``optparse`` management commands by casting it to an integer
(:ticket:`24769`).

* Fixed ``prefetch_related()`` on databases other than PostgreSQL for models
using UUID primary keys (:ticket:`24912`).

* Fixed removing ``unique_together`` constraints on MySQL (:ticket:`24972`).

* Fixed crash when uploading images with MIME types that Pillow doesn't detect,
such as bitmap, in ``forms.ImageField`` (:ticket:`24948`).

* Fixed a regression when deleting a model through the admin that has a
``GenericRelation`` with a ``related_query_name`` (:ticket:`24940`).

* Reallowed non-ASCII values for ``ForeignKey.related_name`` on Python 3 by
fixing the false positive system check (:ticket:`25016`).

* Fixed inline forms that use a parent object that has a ``UUIDField`` primary
key and a child object that has an ``AutoField`` primary key
(:ticket:`24958`).

* Fixed a regression in the ``unordered_list`` template filter on certain
inputs (:ticket:`25031`).

* Fixed a regression in ``URLValidator`` that invalidated Punycode TLDs
(:ticket:`25059`).

* Improved ``pyinotify`` ``runserver`` polling (:ticket:`23882`).

============
Django 1.8.2
============

Not secure

*May 20, 2015*

Django 1.8.2 fixes a security issue and several bugs in 1.8.1.

Fixed session flushing in the ``cached_db`` backend
===================================================

A change to ``session.flush()`` in the ``cached_db`` session backend in Django
1.8 mistakenly sets the session key to an empty string rather than ``None``. An
empty string is treated as a valid session key and the session cookie is set
accordingly. Any users with an empty string in their session cookie will use
the same session store. ``session.flush()`` is called by
``django.contrib.auth.logout()`` and, more seriously, by
``django.contrib.auth.login()`` when a user switches accounts. If a user is
logged in and logs in again to a different account (without logging out) the
session is flushed to avoid reuse. After the session is flushed (and its
session key becomes ``''``) the account details are set on the session and the
session is saved. Any users with an empty string in their session cookie will
now be logged into that account.
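
The account-switch path described above, as an added illustration that is not Django's code: a toy session object over a shared backend dict in which ``flush()`` either leaves ``session_key`` as ``""`` (the 1.8.2 ``cached_db`` defect) or resets it to ``None`` (the fix), an empty string being accepted as a key just as the note describes. The ``ToySession`` class, ``login()`` and the ``switch_accounts()`` scenario are constructed for this example.

```python
import secrets


class ToySession:
    """Minimal session over a shared backend dict (constructed stand-in).
    buggy_flush=True reproduces the 1.8.2 cached_db defect."""

    def __init__(self, backend, session_key=None, buggy_flush=False):
        self.backend = backend
        self.session_key = session_key
        self.buggy_flush = buggy_flush
        # "" is accepted as a key, as it was in 1.8.2, so a client presenting
        # an empty session cookie loads whatever record lives under "".
        self.data = dict(backend.get(session_key, {})) if session_key is not None else {}

    def flush(self):
        if self.session_key is not None:
            self.backend.pop(self.session_key, None)
        self.data = {}
        self.session_key = "" if self.buggy_flush else None

    def save(self):
        if self.session_key is None:
            self.session_key = secrets.token_hex(16)  # fresh key for a new session
        self.backend[self.session_key] = dict(self.data)


def login(session, user):
    """Mirror the account-switch path: a session already bound to another
    account is flushed before the new account is stored. Returns the value
    that would be sent in the session cookie."""
    if session.data.get("user") not in (None, user):
        session.flush()
    session.data["user"] = user
    session.save()
    return session.session_key


def switch_accounts(buggy_flush):
    """Alice logs in, then logs in to a second account without logging out.
    A third party then presents an empty session cookie.
    Returns (Alice's cookie value, the user the third party is logged in as)."""
    backend = {}
    alice = ToySession(backend, buggy_flush=buggy_flush)
    login(alice, "alice")
    cookie = login(alice, "alice-admin")
    other = ToySession(backend, session_key="", buggy_flush=buggy_flush)
    return cookie, other.data.get("user")
```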

Bugfixes
========

* Fixed check for template engine alias uniqueness (:ticket:`24685`).

* Fixed crash when reusing the same ``Case`` instance in a query
(:ticket:`24752`).

* Corrected join promotion for ``Case`` expressions. For example, annotating a
query with a ``Case`` expression could unexpectedly filter out results
(:ticket:`24766`).

* Fixed negated ``Q`` objects in expressions. Cases like
``Case(When(~Q(friends__age__lte=30)))`` tried to generate a subquery which
resulted in a crash (:ticket:`24705`).

* Fixed incorrect GROUP BY clause generation on MySQL when the query's model
has a self-referential foreign key (:ticket:`24748`).

* Implemented ``ForeignKey.get_db_prep_value()`` so that ``ForeignKey``\s
pointing to :class:`~django.db.models.UUIDField` and inheritance on models
with ``UUIDField`` primary keys work correctly (:ticket:`24698`,
:ticket:`24712`).

* Fixed ``isnull`` lookup for ``HStoreField`` (:ticket:`24751`).

* Fixed a MySQL crash when a migration removes a combined index
(``unique_together`` or ``index_together``) containing a foreign key
(:ticket:`24757`).

* Fixed session cookie deletion when using :setting:`SESSION_COOKIE_DOMAIN`
(:ticket:`24799`).

* On PostgreSQL, when no access is granted for the ``postgres`` database,
Django now falls back to the default database when it normally requires a
"no database" connection (:ticket:`24791`).

* Fixed display of ``contrib.admin``’s ``ForeignKey`` widget when it's used
in a row with other fields (:ticket:`24784`).

============
Django 1.8.1
============

Not secure

*May 1, 2015*

Django 1.8.1 fixes several bugs in 1.8 and includes some optimizations in the
migrations framework.

Bugfixes
========

* Added support for serializing :class:`~datetime.timedelta` objects in
migrations (:ticket:`24566`).

* Restored proper parsing of the :djadmin:`testserver` command's positional
arguments (fixture names) (:ticket:`24571`).

* Prevented ``TypeError`` in translation functions ``check_for_language()`` and
``get_language_bidi()`` when translations are deactivated (:ticket:`24569`).

* Fixed :djadmin:`squashmigrations` command when using
:class:`~django.db.migrations.operations.SeparateDatabaseAndState`
(:ticket:`24278`).

* Stripped microseconds from ``datetime`` values when using an older version of
the MySQLdb DB API driver as it does not support fractional seconds
(:ticket:`24584`).

* Fixed a migration crash when altering
:class:`~django.db.models.ManyToManyField`\s (:ticket:`24513`).

* Fixed a crash with ``QuerySet.update()`` on foreign keys to one-to-one fields
(:ticket:`24578`).

* Fixed a regression in the model detail view of
:mod:`~django.contrib.admindocs` when a model has a reverse foreign key
relation (:ticket:`24624`).

* Prevented arbitrary file inclusions in :mod:`~django.contrib.admindocs`
(:ticket:`24625`).

* Fixed a crash with ``QuerySet.update()`` on foreign keys to instances with
``uuid`` primary keys (:ticket:`24611`).

* Fixed database introspection with SQLite 3.8.9 (released April 8, 2015)
(:ticket:`24637`).

* Updated ``urlpatterns`` examples generated by :djadmin:`startproject` to
remove usage of referencing views by dotted path in
``django.conf.urls.url()`` which is deprecated in Django 1.8
(:ticket:`24635`).

* Fixed queries where an expression was referenced in ``order_by()``, but wasn't
part of the select clause. An example query is
``qs.annotate(foo=F('field')).values('pk').order_by('foo')`` (:ticket:`24615`).

* Fixed a database table name quoting regression (:ticket:`24605`).

* Prevented the loss of ``null``/``not null`` column properties during field
alteration of MySQL databases (:ticket:`24595`).

* Fixed JavaScript path of ``contrib.admin``’s related field widget when using
alternate static file storages (:ticket:`24655`).

* Fixed a migration crash when adding new relations to models
(:ticket:`24573`).

* Fixed a migration crash when applying migrations with model managers on
Python 3 that were generated on Python 2 (:ticket:`24701`).

* Restored the ability to use iterators as queryset filter arguments
(:ticket:`24719`).

* Fixed a migration crash when renaming the target model of a many-to-many
relation (:ticket:`24725`).

* Removed flushing of the test database with :option:`test --keepdb`, which
prevented apps with data migrations from using the option (:ticket:`24729`).

* Fixed ``makemessages`` crash in some locales (:ticket:`23271`).

* Fixed help text positioning of ``contrib.admin`` fields that use the
``ModelAdmin.filter_horizontal`` and ``filter_vertical`` options
(:ticket:`24676`).

* Fixed ``AttributeError: function 'GDALAllRegister' not found`` error when
initializing ``contrib.gis`` on Windows.

Optimizations
=============

* Changed ``ModelState`` to deepcopy fields instead of deconstructing and
reconstructing (:ticket:`24591`). This speeds up the rendering of model
states and reduces memory usage when running :djadmin:`manage.py migrate
<migrate>` (although other changes in this release may negate any performance
benefits).

