
==========================
Django 1.7.6 release notes
==========================

*March 9, 2015*

Django 1.7.6 fixes a security issue and several bugs in 1.7.5.

Mitigated an XSS attack via properties in ``ModelAdmin.readonly_fields``
========================================================================

The :attr:`ModelAdmin.readonly_fields
<django.contrib.admin.ModelAdmin.readonly_fields>` attribute in the Django
admin allows displaying model fields and model attributes. While the former
were correctly escaped, the latter were not. Thus untrusted content could be
injected into the admin, presenting an exploitation vector for XSS attacks.

In this vulnerability, every model attribute used in ``readonly_fields`` that
is not an actual model field (e.g. a :class:`property`) will **fail to be
escaped** even if that attribute is not marked as safe. In this release,
autoescaping is now correctly applied.
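The following added example (not Django's code) models the escaping rule described above: values of real model fields were autoescaped, values of plain Python attributes such as a :class:`property` were not. The fixed renderer conditionally escapes every value and honours the ``__html__`` convention, so only values explicitly marked safe pass through unchanged. ``Article``, ``SafeString`` and both render functions are constructed stand-ins for the admin machinery.

```python
# Added example (not Django's code): models the 1.7.6 fix for
# ModelAdmin.readonly_fields. Field values were autoescaped, values of
# plain Python attributes (e.g. a @property) were not. The fix applies the
# same conditional escaping to both, so only values that declare
# themselves HTML-safe are inserted verbatim.
import html


class SafeString(str):
    """Minimal stand-in for django.utils.safestring.SafeString."""

    def __html__(self):
        return str(self)


def conditional_escape(value):
    """Escape unless the value declares itself safe via __html__
    (the convention the template engine honours)."""
    if hasattr(value, "__html__"):
        return value.__html__()
    return html.escape(str(value), quote=True)


class Article:
    # Constructed model stand-in: 'title' plays a model field,
    # 'summary' is a plain property computed from user-supplied data.
    model_fields = {"title"}

    def __init__(self, title, body):
        self.title = title
        self.body = body

    @property
    def summary(self):
        return self.body[:40]


def render_readonly_vulnerable(obj, name):
    """Behaviour before 1.7.6: only real fields are escaped."""
    value = getattr(obj, name)
    if name in obj.model_fields:
        return conditional_escape(value)
    return str(value)  # property output inserted raw into the page


def render_readonly_fixed(obj, name):
    """Behaviour from 1.7.6: every readonly value is conditionally escaped."""
    return conditional_escape(getattr(obj, name))


def demo():
    # Constructed untrusted input landing in a property-backed column.
    art = Article("Hi <b>", "<script>alert(1)</script>")
    return {
        "field_before": render_readonly_vulnerable(art, "title"),
        "prop_before": render_readonly_vulnerable(art, "summary"),
        "prop_after": render_readonly_fixed(art, "summary"),
        "safe_after": render_readonly_fixed(
            Article(SafeString("<em>ok</em>"), ""), "title"),
    }
```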

Bugfixes
========

* Fixed crash when coercing ``ManyRelatedManager`` to a string
  (:ticket:`24352`).

* Fixed a bug that prevented migrations from adding a foreign key constraint
  when converting an existing field to a foreign key (:ticket:`24447`).


==========================
Django 1.7.5 release notes
==========================

*February 25, 2015*

Django 1.7.5 fixes several bugs in 1.7.4.

Bugfixes
========

* Reverted a fix that prevented a migration crash when unapplying
  ``contrib.contenttypes``’s or ``contrib.auth``’s first migration
  (:ticket:`24075`) due to severe impact on the test performance
  (:ticket:`24251`) and problems in multi-database setups (:ticket:`24298`).

* Fixed a regression that prevented custom fields inheriting from
  ``ManyToManyField`` from being recognized in migrations (:ticket:`24236`).

* Fixed crash in ``contrib.sites`` migrations when a default database isn't
  used (:ticket:`24332`).

* Added the ability to set the isolation level on PostgreSQL with psycopg2 ≥
  2.4.2 (:ticket:`24318`). It was advertised as a new feature in Django 1.6
  but it didn't work in practice.

* Formats for the Azerbaijani locale (``az``) have been added.


==========================
Django 1.7.4 release notes
==========================

*January 27, 2015*

Django 1.7.4 fixes several bugs in 1.7.3.

Bugfixes
========

* Fixed a migration crash when unapplying ``contrib.contenttypes``’s or
  ``contrib.auth``’s first migration (:ticket:`24075`).

* Made the migration's ``RenameModel`` operation rename ``ManyToManyField``
  tables (:ticket:`24135`).

* Fixed a migration crash on MySQL when migrating from a ``OneToOneField`` to a
  ``ForeignKey`` (:ticket:`24163`).

* Prevented the ``static.serve`` view from producing ``ResourceWarning``\s in
  certain circumstances (security fix regression, :ticket:`24193`).

* Fixed the schema check for ``ManyToManyField`` to look at the field's internal
  type instead of checking the class instance, so custom m2m-like fields with
  the same behavior can be written (:ticket:`24104`).


==========================
Django 1.7.3 release notes
==========================

*January 13, 2015*

Django 1.7.3 fixes several security issues and bugs in 1.7.2.

WSGI header spoofing via underscore/dash conflation
===================================================

When HTTP headers are placed into the WSGI environ, they are normalized by
converting to uppercase, converting all dashes to underscores, and prepending
``HTTP_``. For instance, a header ``X-Auth-User`` would become
``HTTP_X_AUTH_USER`` in the WSGI environ (and thus also in Django's
``request.META`` dictionary).

Unfortunately, this means that the WSGI environ cannot distinguish between
headers containing dashes and headers containing underscores: ``X-Auth-User``
and ``X-Auth_User`` both become ``HTTP_X_AUTH_USER``. This means that if a
header is used in a security-sensitive way (for instance, passing
authentication information along from a front-end proxy), even if the proxy
carefully strips any incoming value for ``X-Auth-User``, an attacker may be
able to provide an ``X-Auth_User`` header (with underscore) and bypass this
protection.

In order to prevent such attacks, both Nginx and Apache 2.4+ strip all headers
containing underscores from incoming requests by default. Django's built-in
development server now does the same. Django's development server is not
recommended for production use, but matching the behavior of common production
servers reduces the surface area for behavior changes during deployment.
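The conflation and the mitigation described above, as an added example that is not Django's or any WSGI server's code. ``build_environ`` applies the WSGI normalisation to constructed request headers; with ``strip_underscores=True`` it behaves like nginx, Apache 2.4+ and the 1.7.3 development server. ``proxy_filter`` is a constructed stand-in for a front-end proxy that removes the client's copy of a trusted header by exact name.

```python
# Added example (not Django's or any WSGI server's code): shows how WSGI
# normalisation conflates dashes and underscores in header names, and the
# 1.7.3 development-server mitigation of dropping any incoming header whose
# name contains an underscore before normalising.


def wsgi_key(header_name):
    """Normalise a header name the way WSGI does: uppercase, dashes to
    underscores, HTTP_ prefix."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def build_environ(headers, strip_underscores=True):
    """Build the header part of a WSGI environ from (name, value) pairs.

    With strip_underscores=True (nginx, Apache 2.4+ and the Django dev
    server since 1.7.3) names containing '_' are discarded, so a client's
    'X-Auth_User' cannot be normalised onto the same environ key as the
    proxy-controlled 'X-Auth-User'.
    """
    environ = {}
    for name, value in headers:
        if strip_underscores and "_" in name:
            continue
        environ[wsgi_key(name)] = value
    return environ


def proxy_filter(headers, trusted_name="X-Auth-User", authenticated_user=None):
    """Constructed model of a front-end proxy: removes the client's copy of
    the trusted header by exact (case-insensitive) name, then adds its own
    value only when it actually authenticated the user."""
    kept = [(n, v) for n, v in headers if n.lower() != trusted_name.lower()]
    if authenticated_user is not None:
        kept.append((trusted_name, authenticated_user))
    return kept


def demo(strip_underscores):
    """Constructed anonymous request carrying the underscore variant, which
    the proxy's exact-name filter does not remove. Returns the environ the
    application would see."""
    client_headers = [("Host", "example.test"), ("X-Auth_User", "admin")]
    return build_environ(proxy_filter(client_headers), strip_underscores)
```

With stripping disabled the application sees ``HTTP_X_AUTH_USER`` although the proxy set nothing; with stripping enabled the key is absent and only ``HTTP_HOST`` remains.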

Mitigated possible XSS attack via user-supplied redirect URLs
=============================================================

Django relies on user input in some cases (e.g.
``django.contrib.auth.views.login()`` and :doc:`i18n </topics/i18n/index>`)
to redirect the user to an "on success" URL. The security checks for these
redirects (namely ``django.utils.http.is_safe_url()``) didn't strip leading
whitespace on the tested URL and as such considered URLs like
``\njavascript:...`` safe. If a developer relied on ``is_safe_url()`` to
provide safe redirect targets and put such a URL into a link, they could suffer
from an XSS attack. This bug doesn't affect Django currently, since we only put
this URL into the ``Location`` response header and browsers seem to ignore
JavaScript there.
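The whitespace bug and its fix, as an added example rather than Django's own ``is_safe_url()`` implementation. The scheme and netloc are split with a small regex-based helper instead of ``urllib.parse``, because newer Python versions strip leading whitespace and control characters inside ``urlsplit()`` themselves, which would hide the pre-1.7.3 behaviour being illustrated.

```python
# Added example (not Django's code): a safe-redirect check in the shape the
# release notes describe. _split() deliberately avoids urllib.parse so the
# effect of (not) stripping leading whitespace is visible on any Python.
import re

_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")


def _split(url):
    """Return (scheme, netloc) of a URL string without normalising it."""
    scheme = ""
    m = _SCHEME_RE.match(url)
    if m:
        scheme = m.group(1).lower()
        url = url[m.end():]
    netloc = ""
    if url.startswith("//"):
        netloc = url[2:].split("/", 1)[0]
    return scheme, netloc


def _target_ok(url, host):
    """Relative URLs and URLs on `host` with an http(s) or empty scheme."""
    scheme, netloc = _split(url)
    return (not netloc or netloc == host) and (
        not scheme or scheme in ("http", "https"))


def is_safe_url_before(url, host=None):
    """Check as described for releases before 1.7.3: leading whitespace is
    not stripped, so "\\njavascript:..." has no recognisable scheme and is
    wrongly accepted as a relative path."""
    if not url:
        return False
    return _target_ok(url, host)


def is_safe_url(url, host=None):
    """Check as described for 1.7.3: strip surrounding whitespace first, so
    the scheme test sees the real scheme."""
    if url is not None:
        url = url.strip()
    if not url:
        return False
    return _target_ok(url, host)
```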

Denial-of-service attack against ``django.views.static.serve``
==============================================================

In older versions of Django, the :func:`django.views.static.serve` view read
the files it served one line at a time. Therefore, a big file with no newlines
would result in memory usage equal to the size of that file. An attacker could
exploit this and launch a denial-of-service attack by simultaneously requesting
many large files. This view now reads the file in chunks to prevent large
memory usage.

Note, however, that this view has always carried a warning that it is not
hardened for production use and should be used only as a development aid. Now
may be a good time to audit your project and serve your files in production
using a real front-end web server if you are not doing so.
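The memory behaviour described above, as an added example that is not the ``django.views.static.serve`` code itself: ``iter_lines`` streams a file the pre-1.7.3 way (one line at a time) and ``iter_chunks`` the fixed way (fixed-size reads), while ``compare`` measures the largest single buffer each needs for a constructed 1 MiB file containing no newline.

```python
# Added example (not Django's code): contrasts line-based and chunked
# streaming of a served file. A file with no newline is one "line", so the
# line-based reader holds the whole file in memory; the chunked reader
# never holds more than chunk_size bytes at once.
import io


def iter_lines(fileobj):
    """Pre-1.7.3 behaviour: yield one line at a time."""
    for line in fileobj:
        yield line


def iter_chunks(fileobj, chunk_size=8192):
    """1.7.3 behaviour: yield fixed-size chunks regardless of content."""
    while True:
        chunk = fileobj.read(chunk_size)
        if not chunk:
            return
        yield chunk


def peak_chunk_size(chunks):
    """Return (largest piece held at once, total bytes streamed)."""
    peak = total = 0
    for piece in chunks:
        peak = max(peak, len(piece))
        total += len(piece)
    return peak, total


def compare(size=1 << 20, chunk_size=8192):
    """Stream a constructed `size`-byte newline-free file both ways and
    report the peak buffer each approach needs."""
    data = b"A" * size  # constructed file content, no newline anywhere
    line_peak, line_total = peak_chunk_size(iter_lines(io.BytesIO(data)))
    chunk_peak, chunk_total = peak_chunk_size(
        iter_chunks(io.BytesIO(data), chunk_size))
    return {"line_peak": line_peak, "chunk_peak": chunk_peak,
            "line_total": line_total, "chunk_total": chunk_total}
```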

Database denial-of-service with ``ModelMultipleChoiceField``
============================================================

Given a form that uses ``ModelMultipleChoiceField`` and
``show_hidden_initial=True`` (not a documented API), it was possible for a user
to cause an unreasonable number of SQL queries by submitting duplicate values
for the field's data. The validation logic in ``ModelMultipleChoiceField`` now
deduplicates submitted values to address this issue.

Bugfixes
========

* The default iteration count for the PBKDF2 password hasher has been
  increased by 25%. This part of the normal major release process was
  inadvertently omitted in 1.7. This backwards compatible change will not
  affect users who have subclassed
  ``django.contrib.auth.hashers.PBKDF2PasswordHasher`` to change the
  default value.

* Fixed a crash in the CSRF middleware when handling a non-ASCII referer header
  (:ticket:`23815`).

* Fixed a crash in the ``django.contrib.auth.redirect_to_login`` view when
  passing a ``reverse_lazy()`` result on Python 3 (:ticket:`24097`).

* Added correct formats for Greek (``el``) (:ticket:`23967`).

* Fixed a migration crash when unapplying a migration where multiple operations
  interact with the same model (:ticket:`24110`).


==========================
Django 1.7.2 release notes
==========================

*January 2, 2015*

Django 1.7.2 fixes several bugs in 1.7.1.

Additionally, Django's vendored version of six, ``django.utils.six``, has
been upgraded to the latest release (1.9.0).

Bugfixes
========

* Fixed migration's renaming of auto-created many-to-many tables when changing
  :attr:`Meta.db_table <django.db.models.Options.db_table>` (:ticket:`23630`).

* Fixed a migration crash when adding an explicit ``id`` field to a model on
  SQLite (:ticket:`23702`).

* Added a warning for duplicate models when a module is reloaded. Previously a
  ``RuntimeError`` was raised every time two models clashed in the app registry
  (:ticket:`23621`).

* Prevented :djadmin:`flush` from loading initial data for migrated apps
  (:ticket:`23699`).

* Fixed a :djadmin:`makemessages` regression in 1.7.1 when
  :setting:`STATIC_ROOT` has the default ``None`` value (:ticket:`23717`).

* Added GeoDjango compatibility with the mysqlclient database driver.

* Fixed MySQL 5.6+ crash with ``GeometryField``\s in migrations
  (:ticket:`23719`).

* Fixed a migration crash when removing a field that is referenced in
  ``AlterIndexTogether`` or ``AlterUniqueTogether`` (:ticket:`23614`).

* Updated the first day of the week in the Ukrainian locale to Monday.

* Added support for transactional spatial metadata initialization on
  SpatiaLite 4.1+ (:ticket:`23152`).

* Fixed a migration crash that prevented changing a nullable field with a
  default to non-nullable with the same default (:ticket:`23738`).

* Fixed a migration crash when adding ``GeometryField``\s with ``blank=True``
  on PostGIS (:ticket:`23731`).

* Allowed usage of ``DateTimeField()`` as ``Transform.output_field``
  (:ticket:`23420`).

* Fixed a migration serializing bug involving ``float("nan")`` and
  ``float("inf")`` (:ticket:`23770`).

* Fixed a regression where custom form fields having a ``queryset`` attribute
  but no ``limit_choices_to`` could not be used in a
  :class:`~django.forms.ModelForm` (:ticket:`23795`).

* Fixed a custom field type validation error with MySQL backend when
  ``db_type`` returned ``None`` (:ticket:`23761`).

* Fixed a migration crash when a field is renamed that is part of an
  ``index_together`` (:ticket:`23859`).

* Fixed :djadmin:`squashmigrations` to respect the ``--no-optimize`` parameter
  (:ticket:`23799`).

* Made :class:`~django.db.migrations.operations.RenameModel` reversible
  (:ticket:`22248`).

* Avoided unnecessary rollbacks of migrations from other apps when migrating
  backwards (:ticket:`23410`).

* Fixed a rare query error when using deeply nested subqueries
  (:ticket:`23605`).

* Fixed a crash in migrations when deleting a field that is part of an
  ``index_together`` or ``unique_together`` constraint (:ticket:`23794`).

* Fixed ``django.core.files.File.__repr__()`` when the file's ``name`` contains
  Unicode characters (:ticket:`23888`).

* Added missing context to the admin's ``delete_selected`` view that prevented
  custom site header, etc. from appearing (:ticket:`23898`).

* Fixed a regression with dynamically generated inlines and allowed field
  references in the admin (:ticket:`23754`).

* Fixed an infinite loop bug for certain cyclic migration dependencies, and made
  the error message for cyclic dependencies much more helpful.

* Added missing ``index_together`` handling for SQLite (:ticket:`23880`).

* Fixed a crash when ``RunSQL`` SQL content was collected by the schema editor,
  typically when using ``sqlmigrate`` (:ticket:`23909`).

* Fixed a regression in ``contrib.admin`` add/change views which caused some
  ``ModelAdmin`` methods to receive the incorrect ``obj`` value
  (:ticket:`23934`).

* Fixed ``runserver`` crash when socket error message contained Unicode
  characters (:ticket:`23946`).

* Fixed serialization of ``type`` when adding a ``deconstruct()`` method
  (:ticket:`23950`).

* Prevented the
  ``django.contrib.auth.middleware.SessionAuthenticationMiddleware`` from
  setting a ``"Vary: Cookie"`` header on all responses (:ticket:`23939`).

* Fixed a crash when adding ``blank=True`` to ``TextField()`` on MySQL
  (:ticket:`23920`).

* Fixed index creation by the migration infrastructure, particularly when
  dealing with PostgreSQL specific ``{text|varchar}_pattern_ops`` indexes
  (:ticket:`23954`).

* Fixed bug in ``makemigrations`` that created broken migration files when
  dealing with multiple table inheritance and inheriting from more than one
  model (:ticket:`23956`).

* Fixed a crash when a ``MultiValueField`` has invalid data (:ticket:`23674`).

* Fixed a crash in the admin when using "Save as new" and also deleting a
  related inline (:ticket:`23857`).

* Always converted ``related_name`` to text (Unicode), since that is required
  on Python 3 for interpolation. Removed conversion of ``related_name`` to text
  in migration deconstruction (:ticket:`23455` and :ticket:`23982`).

* Enlarged the sizes of tablespaces which are created by default for testing
  on Oracle (the main tablespace was increased from 200M to 300M and the
  temporary tablespace from 100M to 150M). This was required to accommodate
  growth in Django's own test suite (:ticket:`23969`).

* Fixed ``timesince`` filter translations in Korean (:ticket:`23989`).

* Fixed the SQLite ``SchemaEditor`` to properly add defaults in the absence of
  a user specified ``default``. For example, a ``CharField`` with ``blank=True``
  didn't set existing rows to an empty string which resulted in a crash when
  adding the ``NOT NULL`` constraint (:ticket:`23987`).

* ``makemigrations`` no longer prompts for a default value when adding
  ``TextField()`` or ``CharField()`` without a ``default`` (:ticket:`23405`).

* Fixed a migration crash when adding ``order_with_respect_to`` to a table
  with existing rows (:ticket:`23983`).

* Restored the ``pre_migrate`` signal if all apps have migrations
  (:ticket:`23975`).

* Made admin system checks run for custom ``AdminSite``\s (:ticket:`23497`).

* Ensured the app registry is fully populated when unpickling models. When an
  external script (like a queueing infrastructure) reloads pickled models, it
  could crash with an ``AppRegistryNotReady`` exception (:ticket:`24007`).

* Added quoting to field indexes in the SQL generated by migrations to prevent
  a crash when the index name requires it (:ticket:`24015`).

* Added ``datetime.time`` support to migrations questioner (:ticket:`23998`).

* Fixed admindocs crash on apps installed as eggs (:ticket:`23525`).

* Changed migrations autodetector to generate an ``AlterModelOptions`` operation
  instead of ``DeleteModel`` and ``CreateModel`` operations when changing
  ``Meta.managed``. This prevents data loss when changing ``managed`` from
  ``False`` to ``True`` and vice versa (:ticket:`24037`).

* Enabled the ``sqlsequencereset`` command on apps with migrations
  (:ticket:`24054`).

* Added tablespace SQL to apps with migrations (:ticket:`24051`).

* Corrected ``contrib.sites`` default site creation in a multiple database
  setup (:ticket:`24000`).

* Restored support for objects that aren't :class:`str` or :class:`bytes` in
  ``django.utils.safestring.mark_for_escaping()`` on Python 3.

* Supported strings escaped by third-party libraries with the ``__html__``
  convention in the template engine (:ticket:`23831`).

* Prevented extraneous ``DROP DEFAULT`` SQL in migrations (:ticket:`23581`).

* Restored the ability to use more than five levels of subqueries
  (:ticket:`23758`).

* Fixed crash when ``ValidationError`` is initialized with a ``ValidationError``
  that is initialized with a dictionary (:ticket:`24008`).

* Prevented a crash on apps without migrations when running ``migrate --list``
  (:ticket:`23366`).


==========================
Django 1.7.1 release notes
==========================

*October 22, 2014*

Django 1.7.1 fixes several bugs in 1.7.

Bugfixes
========

* Allowed related many-to-many fields to be referenced in the admin
  (:ticket:`23604`).

* Added a more helpful error message if you try to migrate an app without first
  creating the ``contenttypes`` table (:ticket:`22411`).

* Modified migrations dependency algorithm to avoid possible infinite recursion.

* Fixed a ``UnicodeDecodeError`` when the ``flush`` error message contained
  Unicode characters (:ticket:`22882`).

* Reinstated missing ``CHECK`` SQL clauses which were omitted on some backends
  when not using migrations (:ticket:`23416`).

* Fixed serialization of ``type`` objects in migrations (:ticket:`22951`).

* Allowed inline and hidden references to admin fields (:ticket:`23431`).

* The ``deconstructible`` decorator now fails with a ``ValueError`` if the
  decorated object cannot automatically be imported (:ticket:`23418`).

* Fixed a typo in an ``inlineformset_factory()`` error message that caused a
  crash (:ticket:`23451`).

* Restored the ability to use :setting:`ABSOLUTE_URL_OVERRIDES` with the
  ``'auth.User'`` model (:ticket:`11775`). As a side effect, the setting now
  adds a ``get_absolute_url()`` method to any model that appears in
  ``ABSOLUTE_URL_OVERRIDES`` but doesn't define ``get_absolute_url()``.

* Avoided masking some ``ImportError`` exceptions during application loading
  (:ticket:`22920`).

* Empty ``index_together`` or ``unique_together`` model options no longer
  result in infinite migrations (:ticket:`23452`).

* Fixed crash in ``contrib.sitemaps`` if ``lastmod`` returned a ``date`` rather
  than a ``datetime`` (:ticket:`23403`).

* Allowed migrations to work with ``app_label``\s that have the same last
  part (e.g. ``django.contrib.auth`` and ``vendor.auth``) (:ticket:`23483`).

* Restored the ability to deepcopy ``F`` objects (:ticket:`23492`).

* Formats for Welsh (``cy``) and several Chinese locales (``zh_CN``,
  ``zh_Hans``, ``zh_Hant`` and ``zh_TW``) have been added. Formats for
  Macedonian have been fixed (trailing dot removed, :ticket:`23532`).

* Added quoting of constraint names in the SQL generated by migrations to
  prevent crash with uppercase characters in the name (:ticket:`23065`).

* Fixed renaming of models with a self-referential many-to-many field
  (``ManyToManyField('self')``) (:ticket:`23503`).

* Added the :meth:`~django.contrib.admin.InlineModelAdmin.get_extra()`,
  :meth:`~django.contrib.admin.InlineModelAdmin.get_max_num()`, and
  :meth:`~django.contrib.admin.InlineModelAdmin.get_min_num()` hooks to
  :class:`~django.contrib.contenttypes.admin.GenericInlineModelAdmin`
  (:ticket:`23539`).

* Made ``migrations.RunSQL`` no longer require percent sign escaping. This is
  now consistent with ``cursor.execute()`` (:ticket:`23426`).

* Made the ``SERIALIZE`` entry in the :setting:`TEST <DATABASE-TEST>`
  dictionary usable (:ticket:`23421`).

* Fixed bug in migrations that prevented foreign key constraints to unmanaged
  models with a custom primary key (:ticket:`23415`).

* Added ``SchemaEditor`` for MySQL GIS backend so that spatial indexes will be
  created for apps with migrations (:ticket:`23538`).

* Added ``SchemaEditor`` for Oracle GIS backend so that spatial metadata and
  indexes will be created for apps with migrations (:ticket:`23537`).

* Coerced the ``related_name`` model field option to Unicode during migration
  generation to generate migrations that work with both Python 2 and 3
  (:ticket:`23455`).

* Fixed ``MigrationWriter`` to handle builtin types without imports
  (:ticket:`23560`).

* Fixed ``deepcopy`` on ``ErrorList`` (:ticket:`23594`).

* Made the :mod:`~django.contrib.admindocs` view to browse view details check
  if the view specified in the URL exists in the URLconf. Previously it was
  possible to import arbitrary packages from the Python path. This was not
  considered a security issue because ``admindocs`` is only accessible to staff
  users (:ticket:`23601`).

* Fixed ``UnicodeDecodeError`` crash in ``AdminEmailHandler`` with non-ASCII
  characters in the request (:ticket:`23593`).

* Fixed missing ``get_or_create`` and ``update_or_create`` on related managers
  causing ``IntegrityError`` (:ticket:`23611`).

* Made :func:`~django.utils.http.urlsafe_base64_decode` return the proper
  type (bytestring) on Python 3 (:ticket:`23333`).

* :djadmin:`makemigrations` can now serialize timezone-aware values
  (:ticket:`23365`).

* Added a prompt to the migrations questioner when removing the null constraint
  from a field to prevent an ``IntegrityError`` on existing ``NULL`` rows
  (:ticket:`23609`).

* Fixed generic relations in ``ModelAdmin.list_filter`` (:ticket:`23616`).

* Restored RFC compliance for the SMTP backend on Python 3 (:ticket:`23063`).

* Fixed a crash while parsing cookies containing invalid content
  (:ticket:`23638`).

* The system check framework now raises error **models.E020** when the
  class method ``Model.check()`` is unreachable (:ticket:`23615`).

* Made the Oracle test database creation drop the test user in the event of an
  unclean exit of a previous test run (:ticket:`23649`).

* Fixed :djadmin:`makemigrations` to detect changes to
  :attr:`Meta.db_table <django.db.models.Options.db_table>` (:ticket:`23629`).

* Fixed a regression when feeding the Django test client with an empty data
  string (:ticket:`21740`).

* Fixed a regression in :djadmin:`makemessages` where static files were
  unexpectedly ignored (:ticket:`23583`).

