Django

Latest version: v5.1.3


Page 44 of 54

==========================
1.6.6 (Not secure)
==========================

*August 20, 2014*

Django 1.6.6 fixes several security issues and bugs in 1.6.5.

``reverse()`` could generate URLs pointing to other hosts
=========================================================

In certain situations, URL reversing could generate scheme-relative URLs (URLs
starting with two slashes), which could unexpectedly redirect a user to a
different host. An attacker could exploit this, for example, by redirecting
users to a phishing site designed to ask for users' passwords.

To remedy this, URL reversing now ensures that no URL starts with two slashes
(//), replacing the second slash with its URL encoded counterpart (%2F). This
approach ensures that semantics stay the same, while making the URL relative to
the domain and not to the scheme.

File upload denial-of-service
=============================

Before this release, Django's file upload handling in its default configuration
may degrade to producing a huge number of ``os.stat()`` system calls when a
duplicate filename is uploaded. Since ``stat()`` may invoke IO, this may produce
a huge data-dependent slowdown that slowly worsens over time. The net result is
that given enough time, a user with the ability to upload files can cause poor
performance in the upload handler, eventually causing it to become very slow
simply by uploading 0-byte files. At this point, even a slow network connection
and few HTTP requests would be all that is necessary to make a site unavailable.

We've remedied the issue by changing the algorithm for generating file names
if a file with the uploaded name already exists.
:meth:`Storage.get_available_name()
<django.core.files.storage.Storage.get_available_name>` now appends an
underscore plus a random 7 character alphanumeric string (e.g. ``"_x3a1gho"``),
rather than iterating through an underscore followed by a number (e.g. ``"_1"``,
``"_2"``, etc.).
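To see why the sequential suffix is a denial-of-service vector, here is an added model of the two naming strategies (example code, not Django's storage implementation) run over an in-memory storage that counts existence checks in place of ``os.stat()``; ``FakeStorage`` and the sample filename are constructed for the example:

```python
import os
import random
import string

class FakeStorage:
    """In-memory stand-in for a storage backend (constructed for this example)."""

    def __init__(self):
        self.files = set()
        self.exists_calls = 0   # each call stands in for one os.stat()

    def exists(self, name):
        self.exists_calls += 1
        return name in self.files

    def save(self, name):
        self.files.add(name)

def available_name_sequential(storage, name, rng=None):
    """Pre-1.6.6 behaviour: try name, name_1, name_2, ... until one is free."""
    root, ext = os.path.splitext(name)
    count = 0
    while storage.exists(name):
        count += 1
        name = "%s_%d%s" % (root, count, ext)
    return name

def available_name_random(storage, name, rng=None):
    """1.6.6 behaviour: append "_" plus 7 random alphanumeric characters."""
    root, ext = os.path.splitext(name)
    alphabet = string.ascii_letters + string.digits
    rng = rng or random
    while storage.exists(name):
        suffix = "".join(rng.choice(alphabet) for _ in range(7))
        name = "%s_%s%s" % (root, suffix, ext)
    return name

def upload_many(strategy, count, name="empty.txt", seed=None):
    """Upload ``count`` files sharing one name; return total exists() calls.

    With the sequential strategy every upload re-walks all earlier suffixes,
    so the total grows quadratically with the number of duplicates; the
    random strategy needs about two checks per upload regardless of history.
    """
    storage = FakeStorage()
    rng = random.Random(seed)
    for _ in range(count):
        storage.save(strategy(storage, name, rng))
    return storage.exists_calls

if __name__ == "__main__":
    for strategy in (available_name_sequential, available_name_random):
        print(strategy.__name__, upload_many(strategy, 200, seed=0))
```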

``RemoteUserMiddleware`` session hijacking
==========================================

When using the :class:`~django.contrib.auth.middleware.RemoteUserMiddleware`
and the ``RemoteUserBackend``, a change to the ``REMOTE_USER`` header between
requests without an intervening logout could result in the prior user's session
being co-opted by the subsequent user. The middleware now logs the user out on
a failed login attempt.
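A reduced model of the session handling described above, added here and not Django's own middleware code: the account store, the ``authenticate`` stub and the session dict are constructed for the example, and the ``logout_on_failure`` flag switches between the pre-1.6.6 and 1.6.6 flows.

```python
# Constructed account store: RemoteUserBackend with create_unknown_user=False
# would only accept these names.
KNOWN_USERS = {"alice", "bob"}

def authenticate(remote_user):
    """Stand-in for the backend: returns the username, or None on failure."""
    return remote_user if remote_user in KNOWN_USERS else None

def process_request(session, meta, logout_on_failure):
    """Reduced model of RemoteUserMiddleware.process_request.

    ``session`` is the persisted login (key "user"), ``meta`` the request's
    header dict. ``logout_on_failure=False`` reproduces the pre-1.6.6 flow,
    ``True`` the 1.6.6 flow. Returns the user the request runs as, or None.
    """
    remote_user = meta.get("REMOTE_USER")
    current = session.get("user")
    if remote_user is None:
        return current             # no header: leave whatever the session says
    if current == remote_user:
        return current             # session already belongs to this user
    user = authenticate(remote_user)
    if user is not None:
        session["user"] = user     # auth.login(): bind session to the new user
        return user
    if logout_on_failure:
        session.pop("user", None)  # auth.logout(): the 1.6.6 fix
        return None
    return current                 # pre-1.6.6: prior user's session survives

def run_scenario(logout_on_failure):
    """Two requests on one session: a valid user, then a rejected header."""
    session = {}
    first = process_request(session, {"REMOTE_USER": "alice"}, logout_on_failure)
    second = process_request(session, {"REMOTE_USER": "mallory"}, logout_on_failure)
    return first, second
```

Without the fix the second request still runs as ``alice`` even though the header no longer names her; with it the session is cleared.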

Data leakage via query string manipulation in ``contrib.admin``
===============================================================

In older versions of Django it was possible to reveal any field's data by
modifying the "popup" and "to_field" parameters of the query string on an admin
change form page. For example, requesting a URL like
``/admin/auth/user/?_popup=1&t=password`` and viewing the page's HTML allowed
viewing the password hash of each user. While the admin requires users to have
permissions to view the change form pages in the first place, this could leak
data if you rely on users having access to view only certain fields on a model.

To address the issue, an exception will now be raised if a ``to_field`` value
that isn't a related field to a model that has been registered with the admin
is specified.

Bugfixes
========

* Corrected email and URL validation to reject a trailing dash
  (:ticket:`22579`).

* Prevented indexes on PostgreSQL virtual fields (:ticket:`22514`).

* Prevented edge case where values of FK fields could be initialized with a
  wrong value when an inline model formset is created for a relationship
  defined to point to a field other than the PK (:ticket:`13794`).

* Restored ``pre_delete`` signals for ``GenericRelation`` cascade deletion
  (:ticket:`22998`).

* Fixed transaction handling when specifying non-default database in
  ``createcachetable`` and ``flush`` (:ticket:`23089`).

* Fixed the "ORA-01843: not a valid month" errors when using Unicode
  with older versions of Oracle server (:ticket:`20292`).

* Restored bug fix for sending Unicode email with Python 2.6.5 and below
  (:ticket:`19107`).

* Prevented ``UnicodeDecodeError`` in ``runserver`` with non-UTF-8 and
  non-English locale (:ticket:`23265`).

* Fixed JavaScript errors while editing multi-geometry objects in the OpenLayers
  widget (:ticket:`23137`, :ticket:`23293`).

* Prevented a crash on Python 3 with query strings containing unencoded
  non-ASCII characters (:ticket:`22996`).


==========================
1.6.5 (Not secure)
==========================

*May 14, 2014*

Django 1.6.5 fixes two security issues and several bugs in 1.6.4.

Issue: Caches may incorrectly be allowed to store and serve private data
========================================================================

In certain situations, Django may allow caches to store private data
related to a particular session and then serve that data to requests
with a different session, or no session at all. This can lead to
information disclosure and can be a vector for cache poisoning.

When using Django sessions, Django will set a ``Vary: Cookie`` header to
ensure caches do not serve cached data to requests from other sessions.
However, older versions of Internet Explorer (most likely only Internet
Explorer 6, and Internet Explorer 7 if run on Windows XP or Windows Server
2003) are unable to handle the ``Vary`` header in combination with many content
types. Therefore, Django would remove the header if the request was made by
Internet Explorer.

To remedy this, the special behavior for these older Internet Explorer versions
has been removed, and the ``Vary`` header is no longer stripped from the response.
In addition, modifications to the ``Cache-Control`` header for all Internet Explorer
requests with a ``Content-Disposition`` header have also been removed as they
were found to have similar issues.

Issue: Malformed redirect URLs from user input not correctly validated
======================================================================

The validation for redirects did not correctly validate some malformed URLs,
which are accepted by some browsers. This allows a user to be redirected to
an unsafe URL unexpectedly.

Django relies on user input in some cases (e.g.
``django.contrib.auth.views.login()``, ``django.contrib.comments``, and
:doc:`i18n </topics/i18n/index>`) to redirect the user to an "on success" URL.
The security checks for these redirects (namely
``django.utils.http.is_safe_url()``) did not correctly validate some malformed
URLs, such as ``http:\\\\\\djangoproject.com``, which are accepted by some
browsers with more liberal URL parsing.

To remedy this, the validation in ``is_safe_url()`` has been tightened to be able
to handle and correctly validate these malformed URLs.
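The two redirect-related fixes above (the scheme-relative ``//`` URL from ``reverse()`` in 1.6.6, and the backslash-mangled URLs that ``is_safe_url()`` accepted before 1.6.5) can both be checked with the following added example. It is not Django's code, but ``is_safe_redirect()`` follows the same approach as the post-1.6.5 check; ``host`` is assumed to be the request's own host.

```python
from urllib.parse import urlparse

def is_safe_redirect(url, host):
    """Return True only if ``url`` stays on ``host`` (or is host-relative).

    Follows the approach Django's ``is_safe_url()`` took from 1.6.5: treat
    backslashes as slashes before parsing, since liberal browser parsers do,
    and reject a scheme with no host, which those parsers read differently
    from ``urlparse``.
    """
    if not url:
        return False
    # Chrome treats "\" exactly like "/", so "http:\\\\evil" is an absolute URL
    # to the browser even though urlparse sees no host in it.
    url = url.replace("\\", "/")
    # Three or more leading slashes are also read as absolute by browsers.
    if url.startswith("///"):
        return False
    parts = urlparse(url)
    # "http:///evil.example": urlparse yields an empty netloc and a path, but
    # a browser takes evil.example as the host. Refuse the combination.
    if parts.scheme and not parts.netloc:
        return False
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    return not parts.netloc or parts.netloc == host

def escape_leading_slashes(url):
    """Apply the 1.6.6 ``reverse()`` remedy to a generated path.

    A path beginning with ``//`` would be read as scheme-relative and send
    the browser to another host; encoding the second slash keeps the path
    anchored to the current domain while preserving its meaning.
    """
    if url.startswith("//"):
        return "/%2F" + url[2:]
    return url
```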

Bugfixes
========

* Made the ``year_lookup_bounds_for_datetime_field`` Oracle backend method
  Python 3 compatible (:ticket:`22551`).

* Fixed ``pgettext_lazy`` crash when receiving bytestring content on Python 2
  (:ticket:`22565`).

* Fixed the SQL generated when filtering by a negated ``Q`` object that contains
  a ``F`` object (:ticket:`22429`).

* Avoided overwriting data fetched by ``select_related()`` in certain cases
  which could cause minor performance regressions (:ticket:`22508`).


==========================
1.6.4 (Not secure)
==========================

*April 28, 2014*

Django 1.6.4 fixes several bugs in 1.6.3.

Bugfixes
========

* Added backwards compatibility support for the :mod:`django.contrib.messages`
  cookie format of Django 1.4 and earlier to facilitate upgrading to 1.6 from
  1.4 (:ticket:`22426`).

* Restored the ability to ``reverse()`` views created using
  :func:`functools.partial()` (:ticket:`22486`).

* Fixed the ``object_id`` of the ``LogEntry`` that's created after a user
  password change in the admin (:ticket:`22515`).


==========================
1.6.3 (Not secure)
==========================

*April 21, 2014*

Django 1.6.3 fixes several bugs in 1.6.2, including three security issues,
and makes one backwards-incompatible change:

Unexpected code execution using ``reverse()``
=============================================

Django's URL handling is based on a mapping of regex patterns
(representing the URLs) to callable views, and Django's own processing
consists of matching a requested URL against those patterns to
determine the appropriate view to invoke.

Django also provides a convenience function -- ``reverse()`` -- which performs
this process in the opposite direction. The ``reverse()`` function takes
information about a view and returns a URL which would invoke that view. Use
of ``reverse()`` is encouraged for application developers, as the output of
``reverse()`` is always based on the current URL patterns, meaning developers
do not need to change other code when making changes to URLs.

One argument signature for ``reverse()`` is to pass a dotted Python
path to the desired view. In this situation, Django will import the
module indicated by that dotted path as part of generating the
resulting URL. If such a module has import-time side effects, those
side effects will occur.

Thus it is possible for an attacker to cause unexpected code
execution, given the following conditions:

1. One or more views are present which construct a URL based on user
   input (commonly, a "next" parameter in a querystring indicating
   where to redirect upon successful completion of an action).

2. One or more modules are known to an attacker to exist on the
   server's Python import path, which perform code execution with side
   effects on importing.

To remedy this, ``reverse()`` will now only accept and import dotted
paths based on the view-containing modules listed in the project's :doc:`URL
pattern configuration </topics/http/urls>`, so as to ensure that only modules
the developer intended to be imported in this fashion can or will be imported.
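An added illustration of the allowlist idea (example code, not Django's resolver): the permitted modules are derived from a constructed URLconf, and any dotted path outside that set is refused before ``importlib`` runs. The stdlib ``this`` module stands in for a module with an import-time side effect (it prints when imported), and ``json.dumps`` plays the routed view.

```python
import importlib
import json

class NoReverseMatch(Exception):
    """Raised when a dotted path does not resolve to a permitted view."""

def allowed_view_modules(urlpatterns):
    """Return the module names of every view routed by ``urlpatterns``.

    ``urlpatterns`` is a list of (regex, view callable) pairs standing in for
    a URLconf; only these modules may later be imported from a dotted path.
    """
    return {view.__module__ for _regex, view in urlpatterns}

def import_view_by_path(dotted_path, allowed_modules):
    """Resolve ``dotted_path`` to a callable, importing only allowed modules.

    Before 1.6.3 the module named in the path was imported unconditionally,
    so a path taken from user input could trigger any importable module's
    import-time side effects. Here the check runs before the import,
    because the import itself is the step that must not happen.
    """
    module_name, _, attr = dotted_path.rpartition(".")
    if module_name not in allowed_modules:
        raise NoReverseMatch("%r is not a view module in the URLconf" % module_name)
    module = importlib.import_module(module_name)
    view = getattr(module, attr, None)
    if not callable(view):
        raise NoReverseMatch("%r has no view named %r" % (module_name, attr))
    return view

def can_reverse(dotted_path, allowed_modules):
    """Boolean form of the check above, convenient for tests and logging."""
    try:
        import_view_by_path(dotted_path, allowed_modules)
        return True
    except NoReverseMatch:
        return False

# Constructed URLconf for the example: the project routes a single view.
URLPATTERNS = [(r"^dump/$", json.dumps)]
ALLOWED = allowed_view_modules(URLPATTERNS)
```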

Caching of anonymous pages could reveal CSRF token
==================================================

Django includes both a :doc:`caching framework </topics/cache>` and a system
for :doc:`preventing cross-site request forgery (CSRF) attacks
</ref/csrf/>`. The CSRF-protection system is based on a random nonce
sent to the client in a cookie which must be sent by the client on future
requests and, in forms, a hidden value which must be submitted back with the
form.

The caching framework includes an option to cache responses to
anonymous (i.e., unauthenticated) clients.

When the first anonymous request to a given page is by a client which
did not have a CSRF cookie, the cache framework will also cache the
CSRF cookie and serve the same nonce to other anonymous clients who
do not have a CSRF cookie. This can allow an attacker to obtain a
valid CSRF cookie value and perform attacks which bypass the check for
the cookie.

To remedy this, the caching framework will no longer cache such
responses. The heuristic for this will be:

1. If the incoming request did not submit any cookies, and

2. If the response did send one or more cookies, and

3. If the ``Vary: Cookie`` header is set on the response, then the
   response will not be cached.

MySQL typecasting
=================

The MySQL database is known to "typecast" on certain queries; for
example, when querying a table which contains string values, but using
a query which filters based on an integer value, MySQL will first
silently coerce the strings to integers and return a result based on that.

If a query is performed without first converting values to the
appropriate type, this can produce unexpected results, similar to what
would occur if the query itself had been manipulated.

Django's model field classes are aware of their own types and most
such classes perform explicit conversion of query arguments to the
correct database-level type before querying. However, three model
field classes did not correctly convert their arguments:

* :class:`~django.db.models.FilePathField`
* :class:`~django.db.models.GenericIPAddressField`
* ``IPAddressField``

These three fields have been updated to convert their arguments to the
correct types before querying.

Additionally, developers of custom model fields are now warned via
documentation to ensure their custom field classes will perform
appropriate type conversions, and users of the :meth:`raw()
<django.db.models.query.QuerySet.raw>` and :meth:`extra()
<django.db.models.query.QuerySet.extra>` query methods -- which allow the
developer to supply raw SQL or SQL fragments -- will be advised to ensure they
perform appropriate manual type conversions prior to executing queries.

``select_for_update()`` requires a transaction
==============================================

Historically, queries that use
:meth:`~django.db.models.query.QuerySet.select_for_update()` could be
executed in autocommit mode, outside of a transaction. Before Django
1.6, Django's automatic transactions mode allowed this to be used to
lock records until the next write operation. Django 1.6 introduced
database-level autocommit; since then, execution in such a context
voids the effect of ``select_for_update()``. It is, therefore, assumed
now to be an error and raises an exception.

This change was made because such errors can be caused by including an
app which expects global transactions (e.g. :setting:`ATOMIC_REQUESTS
<DATABASE-ATOMIC_REQUESTS>` set to ``True``), or Django's old autocommit
behavior, in a project which runs without them; and further, such
errors may manifest as data-corruption bugs.

This change may cause test failures if you use ``select_for_update()``
in a test class which is a subclass of
:class:`~django.test.TransactionTestCase` rather than
:class:`~django.test.TestCase`.

Other bugfixes and changes
==========================

* Content retrieved from the GeoIP library is now properly decoded from its
  default ``iso-8859-1`` encoding (:ticket:`21996`).

* Fixed ``AttributeError`` when using
  :meth:`~django.db.models.query.QuerySet.bulk_create` with ``ForeignObject``
  (:ticket:`21566`).

* Fixed crash of ``QuerySet``\s that use ``F() + timedelta()`` when their query
  was compiled more than once (:ticket:`21643`).

* Prevented custom ``widget`` class attribute of
  :class:`~django.forms.IntegerField` subclasses from being overwritten by the
  code in their ``__init__`` method (:ticket:`22245`).

* Improved :func:`~django.utils.html.strip_tags` accuracy (but it still cannot
  guarantee an HTML-safe result, as stated in the documentation).

* Fixed a regression in the :mod:`django.contrib.gis` SQL compiler for
  non-concrete fields (:ticket:`22250`).

* Fixed :attr:`ModelAdmin.preserve_filters
  <django.contrib.admin.ModelAdmin.preserve_filters>` when running a site with
  a URL prefix (:ticket:`21795`).

* Fixed a crash in the ``find_command`` management utility when the ``PATH``
  environment variable wasn't set (:ticket:`22256`).

* Fixed :djadmin:`changepassword` on Windows (:ticket:`22364`).

* Avoided shadowing deadlock exceptions on MySQL (:ticket:`22291`).

* Wrapped database exceptions in ``_set_autocommit`` (:ticket:`22321`).

* Fixed atomicity when closing a database connection or when the database server
  disconnects (:ticket:`21239` and :ticket:`21202`).

* Fixed regression in ``prefetch_related`` that caused the related objects
  query to include an unnecessary join (:ticket:`21760`).

Additionally, Django's vendored version of six, ``django.utils.six`` has been
upgraded to the latest release (1.6.1).


==========================
1.6.2 (Not secure)
==========================

*February 6, 2014*

This is Django 1.6.2, a bugfix release for Django 1.6. Django 1.6.2 fixes
several bugs in 1.6.1:

* Prevented the base geometry object of a prepared geometry from being garbage
  collected, which could crash Django (:ticket:`21662`).

* Fixed a crash when executing the :djadmin:`changepassword` command when the
  user object representation contained non-ASCII characters (:ticket:`21627`).

* The :djadmin:`collectstatic` command will raise an error rather than
  default to using the current working directory if :setting:`STATIC_ROOT` is
  not set. Combined with the ``--clear`` option, the previous behavior could
  wipe anything below the current working directory (:ticket:`21581`).

* Fixed mail encoding on Python 3.3.3+ (:ticket:`21093`).

* Fixed an issue where, with
  ``settings.DATABASES['default']['AUTOCOMMIT'] = False``, the connection
  wasn't in autocommit mode but Django pretended it was.

* Fixed a regression in multiple-table inheritance ``exclude()`` queries
  (:ticket:`21787`).

* Added missing items to ``django.utils.timezone.__all__`` (:ticket:`21880`).

* Fixed a field misalignment issue with ``select_related()`` and model
  inheritance (:ticket:`21413`).

* Fixed join promotion for negated ``AND`` conditions (:ticket:`21748`).

* Oracle database introspection now works with boolean and float fields
  (:ticket:`19884`).

* Fixed an issue where lazy objects weren't actually marked as safe when passed
  through :func:`~django.utils.safestring.mark_safe` and could end up being
  double-escaped (:ticket:`21882`).

Additionally, Django's vendored version of six, ``django.utils.six`` has been
upgraded to the latest release (1.5.2).


==========================
1.6.1 (Not secure)
==========================

*December 12, 2013*

This is Django 1.6.1, a bugfix release for Django 1.6. In addition to the bug
fixes listed below, translations submitted since the 1.6 release are also
included.

Bug fixes
=========

* Fixed ``BCryptSHA256PasswordHasher`` with ``py-bcrypt`` and Python 3
  (21398).
* Fixed a regression that prevented a ``ForeignKey`` with a hidden reverse
  manager (``related_name`` ending with '+') from being used as a lookup for
  ``prefetch_related`` (21410).
* Fixed :meth:`Queryset.datetimes<django.db.models.query.QuerySet.datetimes>`
  raising ``AttributeError`` in some situations (21432).
* Fixed :class:`~django.contrib.auth.backends.ModelBackend` raising
  ``UnboundLocalError`` if :func:`~django.contrib.auth.get_user_model`
  raised an error (21439).
* Fixed a regression that prevented editable ``GenericRelation`` subclasses
  from working in ``ModelForms`` (21428).
* Added missing ``to_python`` method for ``ModelMultipleChoiceField`` which
  is required in Django 1.6 to properly detect changes from initial values
  (21568).
* Fixed ``django.contrib.humanize`` translations where the Unicode sequence
  for the non-breaking space was returned verbatim (21415).
* Fixed :djadmin:`loaddata` error when fixture file name contained any dots
  not related to file extensions (21457) or when fixture path was relative
  but located in a subdirectory (21551).
* Fixed display of inline instances in formsets when parent has 0 for primary
  key (21472).
* Fixed a regression where custom querysets for foreign keys were overwritten
  if ``ModelAdmin`` had ordering set (21405).
* Removed mention of a feature in the ``--locale``/``-l`` option of the
  ``makemessages`` and ``compilemessages`` commands that never worked as
  promised: support of multiple locale names separated by commas. It's still
  possible to specify multiple locales in one run by using the option
  multiple times (21488, 17181).
* Fixed a regression that unnecessarily triggered settings configuration when
  importing ``get_wsgi_application`` (21486).
* Fixed test client ``logout()`` method when using the cookie-based session
  backend (21448).
* Fixed a crash when a ``GeometryField`` uses a non-geometric widget (21496).
* Fixed password hash upgrade when changing the iteration count (21535).
* Fixed a bug in the debug view when the URLconf only contains one element
  (21530).
* Re-added missing search result count and reset link in changelist admin view
  (21510).
* The current language is no longer saved to the session by ``LocaleMiddleware``
  on every response, but rather only after a logout (21473).
* Fixed a crash when executing ``runserver`` on non-English systems and when the
  formatted date in its output contained non-ASCII characters (21358).
* Fixed a crash in the debug view after an exception occurred on Python ≥ 3.3
  (21443).
* Fixed a crash in :class:`~django.db.models.ImageField` on some platforms
  (Homebrew and RHEL6 reported) (21355).
* Fixed a regression when using generic relations in ``ModelAdmin.list_filter``
  (21431).

