path: root/www/py-django2
Age | Commit message | Author | Files | Lines
2020-09-10 | py-django2: updated to 2.2.16 | adam | 2 | -7/+7
Django 2.2.16 fixes two security issues and two data loss bugs in 2.2.15.
CVE-2020-24583: Incorrect permissions on intermediate-level directories on Python 3.7+
On Python 3.7+, FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files and to intermediate-level collected static directories when using the collectstatic management command. You should review and manually fix permissions on existing intermediate-level directories.
CVE-2020-24584: Permission escalation in intermediate-level directories of the file system cache on Python 3.7+
On Python 3.7+, the intermediate-level directories of the file system cache had the system’s standard umask rather than 0o077 (no group or others permissions).
Bugfixes
Fixed a data loss possibility in the select_for_update(). When using related fields pointing to a proxy model in the of argument, the corresponding model was not locked.
Fixed a data loss possibility, following a regression in Django 2.0, when copying model instances with a cached fields value.
Django 2.2.15 fixes two bugs in 2.2.14.
Bugfixes
Allowed setting the SameSite cookie flag in HttpResponse.delete_cookie().
Fixed crash when sending emails to addresses with display names longer than 75 chars on Python 3.6.11+, 3.7.8+, and 3.8.4+.
2020-07-08 | py-django2: updated to 2.2.14 | adam | 2 | -7/+7
Django 2.2.14 fixes a bug in 2.2.13.
Bugfixes
Fixed messages of InvalidCacheKey exceptions and CacheKeyWarning warnings raised by cache key validation.
2020-06-03 | py-django2: updated to 2.2.13 | adam | 2 | -7/+7
Django 2.2.13 fixes two security issues and a regression in 2.2.12.
CVE-2020-13254: Potential data leakage via malformed memcached keys
In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collision, and potential data leakage. In order to avoid this vulnerability, key validation is added to the memcached cache backends.
CVE-2020-13596: Possible XSS via admin ForeignKeyRawIdWidget
Query parameters for the admin ForeignKeyRawIdWidget were not properly URL encoded, posing an XSS attack vector. ForeignKeyRawIdWidget now ensures query parameters are correctly URL encoded.
Bugfixes
Fixed a regression in Django 2.2.12 that affected translation loading for apps providing translations for territorial language variants as well as a generic language, where the project has different plural equations for the language.
Tracking a jQuery security release, upgraded the version of jQuery used by the admin from 3.3.1 to 3.5.1.
2020-04-06 | py-django2: updated to 2.2.12 | adam | 2 | -7/+7
Django 2.2.12: Added the ability to handle .po files containing different plural equations for the same language.
2020-03-12 | py-django2: updated to 2.2.11 | adam | 2 | -7/+7
Django 2.2.11 fixes a security issue and a data loss bug in 2.2.10.
CVE-2020-9402: Potential SQL injection via tolerance parameter in GIS functions and aggregates on Oracle
GIS functions and aggregates on Oracle were subject to SQL injection, using a suitably crafted tolerance.
Bugfixes
Fixed a data loss possibility in the select_for_update(). When using related fields or parent link fields with Multi-table inheritance in the of argument, the corresponding models were not locked.
2020-02-04 | py-django2: updated to 2.2.10 | adam | 2 | -7/+7
Django 2.2.10 fixes a security issue:
CVE-2020-7471: Potential SQL injection via StringAgg(delimiter)
StringAgg aggregation function was subject to SQL injection, using a suitably crafted delimiter.
2019-12-19 | py-django2: updated to 2.2.9 | adam | 2 | -7/+7
Django 2.2.9 fixes a security issue and a data loss bug in 2.2.8.
CVE-2019-19844: Potential account hijack via password reset form
By submitting a suitably crafted email address making use of Unicode characters, that compared equal to an existing user email when lower-cased for comparison, an attacker could be sent a password reset token for the matched account. In order to avoid this vulnerability, password reset requests now compare the submitted email using the stricter, recommended algorithm for case-insensitive comparison of two identifiers from Unicode Technical Report 36, section 2.11.2(B)(2). Upon a match, the email containing the reset token will be sent to the email address on record rather than the submitted address.
Bugfixes
* Fixed a data loss possibility in SplitArrayField. When using with ArrayField(BooleanField()), all values after the first True value were marked as checked instead of preserving passed values.
2019-12-02 | py-django2: updated to 2.2.8 | adam | 2 | -7/+7
2.2.8:
* CVE-2019-19118: Privilege escalation in the Django admin.
* Fixed a data loss possibility in the admin changelist view when a custom formset’s prefix contains regular expression special characters, e.g. ‘$’.
* Fixed a regression in Django 2.2.1 that caused a crash when migrating permissions for proxy models with a multiple database setup if the default entry was empty.
* Fixed a data loss possibility in the select_for_update(). When using 'self' in the of argument with multi-table inheritance, a parent model was locked instead of the queryset’s model.
2019-11-05 | py-django2: updated to 2.2.7 | adam | 2 | -7/+7
Django 2.2.7:
Fixed a crash when using a contains, contained_by, has_key, has_keys, or has_any_keys lookup on JSONField, if the right or left hand side of an expression is a key transform.
Prevented migrate --plan from showing that RunPython operations are irreversible when reverse_code callables don’t have docstrings or when showing a forward migration plan.
Fixed migrations crash on PostgreSQL when adding an Index with fields ordering and opclasses.
Restored the ability to override get_FOO_display().
2019-10-01 | py-django2: updated to 2.2.6 | adam | 2 | -7/+7
Django 2.2.6:
Fixed migrations crash on SQLite when altering a model containing partial indexes.
Fixed a regression in Django 2.2.4 that caused a crash when filtering with a Subquery() annotation of a queryset containing JSONField or HStoreField.
2019-09-04 | py-django2: updated to 2.2.5 | adam | 2 | -7/+7
Django 2.2.5 fixes several bugs in 2.2.4.
Bugfixes
Relaxed the system check added in Django 2.2 for models to reallow use of the same db_table by multiple models when database routers are installed.
Fixed crash of KeyTransform() for JSONField and HStoreField when using on expressions with params.
Fixed a regression in Django 2.2 where ModelAdmin.list_filter choices to foreign objects don’t respect a model’s Meta.ordering.
Fixed a race condition in loading URLconf module that could cause a crash of auto-reloader on Python 3.5 and below.
2019-08-06 | py-django2: updated to 2.2.4 | adam | 2 | -7/+7
Django 2.2.4:
* CVE-2019-14232: Denial-of-service possibility in django.utils.text.Truncator
* CVE-2019-14233: Denial-of-service possibility in strip_tags()
* CVE-2019-14234: SQL injection possibility in key and index lookups for JSONField/HStoreField
* CVE-2019-14235: Potential memory exhaustion in django.utils.encoding.uri_to_iri()
* Fixed a regression in Django 2.2 when ordering a QuerySet.union(), intersection(), or difference() by a field type present more than once results in the wrong ordering being used
* Fixed a migration crash on PostgreSQL when adding a check constraint with a contains lookup on DateRangeField or DateTimeRangeField, if the right hand side of an expression is the same type
* Fixed a regression in Django 2.2 where auto-reloader crashes if a file path contains null characters ('\x00')
* Fixed a regression in Django 2.2 where auto-reloader crashes if a translation directory cannot be resolved
2019-07-01 | py-django2: updated to 2.2.3 | adam | 3 | -8/+12
Django 2.2.3
Fix CVE-2019-12781: Incorrect HTTP detection with reverse-proxy connecting via HTTPS
Fixed a regression in Django 2.2 where Avg, StdDev, and Variance crash with filter argument
Fixed a regression in Django 2.2.2 where auto-reloader crashes with AttributeError, e.g. when using ipdb
2019-06-03 | py-django2: updated to 2.2.2 | adam | 3 | -12/+60
2.2.2:
CVE-2019-12308: AdminURLFieldWidget XSS
The clickable "Current URL" link generated by AdminURLFieldWidget displayed the provided value without validating it as a safe URL. Thus, an unvalidated value stored in the database, or a value provided as a URL query parameter payload, could result in a clickable JavaScript link. AdminURLFieldWidget now validates the provided value using URLValidator before displaying the clickable link. You may customise the validator by passing a validator_class kwarg to AdminURLFieldWidget.__init__(), e.g. when using ModelAdmin.formfield_overrides.
2.2.1:
Bugfixes
Fixed a regression in Django 2.1 that caused the incorrect quoting of database user password when using dbshell on Oracle
Added compatibility for psycopg2 2.8
Fixed a regression in Django 2.2 that caused a crash when loading the template for the technical 500 debug page
Fixed crash of ordering argument in ArrayAgg and StringAgg when it contains an expression with params
Fixed a regression in Django 2.2 that caused a single instance fast-delete to not set the primary key to None
Prevented makemigrations from generating infinite migrations for check constraints and partial indexes when condition contains a range object
Reverted an optimization in Django 2.2
Fixed a regression in Django 2.2 where Paginator crashes if object_list is a queryset ordered or aggregated over a nested JSONField key transform
Fixed a regression in Django 2.2 where IntegerField validation of database limits crashes if limit_value attribute in a custom validator is callable
Fixed a regression in Django 2.2 where SearchVector generates SQL that is not indexable
Fixed a regression in Django 2.2 that caused an exception to be raised when a custom error handler could not be imported
Relaxed the system check added in Django 2.2 for the admin app’s dependencies to reallow use of SessionMiddleware subclasses, rather than requiring django.contrib.sessions to be in INSTALLED_APPS
Increased the default timeout when using Watchman to 5 seconds to prevent falling back to StatReloader on larger projects and made it customizable via the DJANGO_WATCHMAN_TIMEOUT environment variable
Fixed a regression in Django 2.2 that caused a crash when migrating permissions for proxy models if the target permissions already existed. For example, when a permission had been created manually or a model had been migrated from concrete to proxy
Fixed a regression in Django 2.2 that caused a crash of runserver when URLConf modules raised exceptions
Fixed a regression in Django 2.2 where changes were not reliably detected by auto-reloader when using StatReloader
Fixed a migration crash on Oracle and PostgreSQL when adding a check constraint with a contains, startswith, or endswith lookup (or their case-insensitive variant)
Fixed a migration crash on Oracle and SQLite when adding a check constraint with condition contains | (OR) operator
Django 2.2.2 release notes
Django 2.2 release notes
2.2: This version has been designated as a long-term support (LTS) release, which means that security and data loss fixes will be applied for at least the next three years. It will also receive fixes for crashing bugs, major functionality bugs in newly-introduced features, and regressions from older versions of Django for the next eight months until December 2019. As always, the release notes cover the salmagundi of new features in detail, but a few highlights are:
* HttpRequest.headers to allow simple access to a request’s headers.
* Database-level constraints on models.
* Watchman compatibility for runserver to improve the performance of watching a large number of files for changes.
2019-05-31 | py-django2: updated to 2.1.8 | adam | 2 | -9/+9
2.1.8:
Bugfixes
Prevented admin inlines for a ManyToManyField’s implicit through model from being editable if the user only has the view permission.
2019-04-26 | Omit mentions of python 34 and 35, after those were removed. | maya | 1 | -2/+2
- Includes some whitespace changes, to be handled in a separate commit.
2019-02-12 | py-django2: updated to 2.1.7 | adam | 2 | -7/+7
2.1.7:
Bugfixes
Corrected packaging error from 2.1.6
2.1.6:
CVE-2019-6975: Memory exhaustion in django.utils.numberformat.format()
If django.utils.numberformat.format() – used by contrib.admin as well as the floatformat, filesizeformat, and intcomma template filters – received a Decimal with a large number of digits or a large exponent, it could lead to significant memory usage due to a call to '{:f}'.format(). To avoid this, decimals with more than 200 digits are now formatted using scientific notation.
Bugfixes
Made the obj argument of InlineModelAdmin.has_add_permission() optional to restore backwards compatibility with third-party code that doesn’t provide it.
2019-01-04 | py-django2: updated to 2.1.5 | adam | 2 | -7/+7
Django 2.1.5 fixes a security issue and several bugs in 2.1.4.
CVE-2019-3498: Content spoofing possibility in the default 404 page
Bugfixes:
Fixed compatibility with mysqlclient 1.3.14.
Fixed a schema corruption issue on SQLite 3.26+. You might have to drop and rebuild your SQLite database if you applied a migration while using an older version of Django with SQLite 3.26 or later.
Prevented SQLite schema alterations while foreign key checks are enabled to avoid the possibility of schema corruption.
Fixed a regression in Django 2.1.4 (which enabled keep-alive connections) where request body data isn’t properly consumed for such connections.
Fixed a regression in Django 2.1.4 where InlineModelAdmin.has_change_permission() is incorrectly called with a non-None obj argument during an object add.
2018-12-03 | py-django2: updated to 2.1.4 | adam | 4 | -14/+14
Django 2.1.4 fixes several bugs in 2.1.3.
Bugfixes:
Corrected the default password list that CommonPasswordValidator uses by lowercasing all passwords to match the format expected by the validator.
Prevented repetitive calls to geos_version_tuple() in the WKBWriter class in an attempt to fix a random crash involving LooseVersion.
Fixed keep-alive support in runserver after it was disabled to fix another issue in Django 2.0.
Fixed admin view-only change form crash when using ModelAdmin.prepopulated_fields.
2018-11-02 | py-django2: updated to 2.1.3 | adam | 3 | -8/+11
Django 2.1.3
Bugfixes:
Fixed a regression in Django 2.0 where combining Q objects with __in lookups and lists crashed
Fixed a regression in Django 1.11 where django-admin shell may hang on startup
Fixed a regression in Django 2.0 where test databases aren’t reused with manage.py test --keepdb on MySQL
Fixed a regression where cached foreign keys that use to_field were incorrectly cleared in Model.save()
Fixed a regression in Django 2.0 where FileSystemStorage crashes with FileExistsError if concurrent saves try to create the same directory
2018-10-02 | py-django2: updated to 2.1.2 | adam | 3 | -8/+13
Django 2.1.2:
CVE-2018-16984: Password hash disclosure to “view only” admin users
Fixed a regression where nonexistent joins in F() no longer raised FieldError
Fixed a regression where files starting with a tilde or underscore weren’t ignored by the migrations loader
Made migrations detect changes to Meta.default_related_name
Added compatibility for cx_Oracle 7
Fixed a regression in Django 2.0 where unique index names weren’t quoted
Fixed a regression where sliced queries with multiple columns with the same name crashed on Oracle 12.1
Fixed a crash when a user with the view (but not change) permission made a POST request to an admin user change form
2018-09-04 | www/py-django2: Requires Python>=3.5 | minskim | 1 | -2/+2
2018-09-03 | py-django2: updated to 2.1.1 | adam | 2 | -8/+8
2.1.1:
Bugfixes
Fixed a race condition in QuerySet.update_or_create() that could result in data loss
Fixed a regression where QueryDict.urlencode() crashed if the dictionary contains a non-string value
Fixed a regression in Django 2.0 where using manage.py test --keepdb fails on PostgreSQL if the database exists and the user doesn’t have permission to create databases
Fixed a regression in Django 2.0 where combining Q objects with __in lookups and lists crashed
Fixed translation failure of DurationField’s “overflow” error message
Fixed a regression where the admin change form crashed if the user doesn’t have the ‘add’ permission to a model that uses TabularInline
Fixed a regression where a related_query_name reverse accessor wasn’t set up when a GenericRelation is declared on an abstract base model
Fixed the test client’s JSON serialization of a request data dictionary for structured content type suffixes
Made the admin change view redirect to the changelist view after a POST if the user has the ‘view’ permission
Fixed admin change view crash for view-only users if the form has an extra form field
Fixed a regression in Django 2.0.5 where QuerySet.values() or values_list() after combining querysets with extra() with union(), difference(), or intersection() crashed due to mismatching columns
Fixed crash if InlineModelAdmin.has_add_permission() doesn’t accept the obj argument
2018-08-07 | py-django2: updated to 2.1 | adam | 3 | -1527/+1509
2.1:
Model “view” permission
django.contrib.admin
ModelAdmin.search_fields now accepts any lookup such as field__exact.
jQuery is upgraded from version 2.2.3 to 3.3.1.
The new ModelAdmin.delete_queryset() method allows customizing the deletion process of the “delete selected objects” action.
You can now override the default admin site.
The new ModelAdmin.sortable_by attribute and ModelAdmin.get_sortable_by() method allow limiting the columns that can be sorted in the change list page.
The admin_order_field attribute for elements in ModelAdmin.list_display may now be a query expression.
The new ModelAdmin.get_deleted_objects() method allows customizing the deletion process of the delete view and the “delete selected” action.
The actions.html, change_list_results.html, date_hierarchy.html, pagination.html, prepopulated_fields_js.html, search_form.html, and submit_line.html templates can now be overridden per app or per model (besides overridden globally).
The admin change list and change form object tools can now be overridden per app, per model, or globally with change_list_object_tools.html and change_form_object_tools.html templates.
InlineModelAdmin.has_add_permission() is now passed the parent object as the second positional argument, obj.
Admin actions may now specify permissions to limit their availability to certain users.
django.contrib.auth
createsuperuser now gives a prompt to allow bypassing the AUTH_PASSWORD_VALIDATORS checks.
UserCreationForm and UserChangeForm no longer need to be rewritten for a custom user model.
django.contrib.gis
The new GEOSGeometry.buffer_with_style() method is a version of buffer() that allows customizing the style of the buffer.
OpenLayersWidget is now based on OpenLayers 4.6.5 (previously 3.20.1).
django.contrib.sessions
Added the SESSION_COOKIE_SAMESITE setting to set the SameSite cookie flag on session cookies.
Cache
The local-memory cache backend now uses a least-recently-used (LRU) culling strategy rather than a pseudo-random one.
The new touch() method of the low-level cache API updates the timeout of cache keys.
CSRF
Added the CSRF_COOKIE_SAMESITE setting to set the SameSite cookie flag on CSRF cookies.
Forms
The widget for ImageField now renders with the HTML attribute accept="image/*".
Internationalization
Added the get_supported_language_variant() function.
Untranslated strings for territorial language variants now use the translations of the generic language. For example, untranslated pt_BR strings use pt translations.
Management Commands
The new inspectdb --include-views option allows creating models for database views.
The BaseCommand class now uses a custom help formatter so that the standard options like --verbosity or --settings appear last in the help output, giving a more prominent position to subclassed command’s options.
Migrations
Added support for serialization of functools.partialmethod objects.
To support frozen environments, migrations may be loaded from .pyc files.
Models
Models can now use __init_subclass__() from PEP 487.
A BinaryField may now be set to editable=True if you wish to include it in model forms.
A number of new text database functions are added: Chr, Left, LPad, LTrim, Ord, Repeat, Replace, Right, RPad, RTrim, and Trim.
The new TruncWeek function truncates DateField and DateTimeField to the Monday of a week.
Query expressions can now be negated using a minus sign.
QuerySet.order_by() and distinct(*fields) now support using field transforms.
BooleanField can now be null=True. This is encouraged instead of NullBooleanField, which will likely be deprecated in the future.
The new QuerySet.explain() method displays the database’s execution plan of a queryset’s query.
QuerySet.raw() now supports prefetch_related().
Requests and Responses
Added HttpRequest.get_full_path_info().
Added the samesite argument to HttpResponse.set_cookie() to allow setting the SameSite cookie flag.
The new as_attachment argument for FileResponse sets the Content-Disposition header to make the browser ask if the user wants to download the file. FileResponse also tries to set the Content-Type and Content-Length headers where appropriate.
Templates
The new json_script filter safely outputs a Python object as JSON, wrapped in a <script> tag, ready for use with JavaScript.
2018-07-03 | py-django2: updated to 2.0.7 | adam | 2 | -7/+7
Django 2.0.7:
Bugfixes
Fixed admin changelist crash when using a query expression without asc() or desc() in the page’s ordering.
Fixed admin check crash when using a query expression in ModelAdmin.ordering.
Fixed __regex and __iregex lookups with MySQL 8.
Fixed migrations crash with namespace packages on Python 3.7.
2018-06-04 | py-django2: updated to 2.0.6 | adam | 2 | -7/+7
2.0.6:
Bugfixes
* Fixed a regression that broke custom template filters that use decorators
* Fixed detection of custom URL converters in included patterns
* Fixed a regression that added an unnecessary subquery to the GROUP BY clause on MySQL when using a RawSQL annotation.
* Fixed WKBWriter.write() and write_hex() for empty polygons on GEOS 3.6.1+.
* Fixed a regression in Django 1.10 that could result in large memory usage when making edits using ModelAdmin.list_editable
2018-05-02 | py-django2: updated to 2.0.5 | adam | 2 | -7/+7
2.0.5:
Bugfixes
* Corrected the import paths that inspectdb generates for django.contrib.postgres fields.
* Fixed a regression in Django 1.11.8 where altering a field with a unique constraint may drop and rebuild more foreign keys than necessary.
* Fixed crashes in django.contrib.admindocs when a view is a callable object, such as django.contrib.syndication.views.Feed.
* Fixed a regression in Django 1.11.12 where QuerySet.values() or values_list() after combining an annotated and unannotated queryset with union(), difference(), or intersection() crashed due to mismatching columns
2018-04-03 | py-django2: updated to 2.0.4 | adam | 2 | -7/+7
Django 2.0.4:
Bugfixes:
Fixed a crash when filtering with an Exists() annotation of a queryset containing a single field.
Fixed admin autocomplete widget’s translations for zh-hans and zh-hant languages.
Corrected admin’s autocomplete widget to add a space after custom classes.
Fixed PasswordResetConfirmView crash when using a user model with a UUIDField primary key and the reset URL contains an encoded primary key value that decodes to an invalid UUID.
Fixed a regression in Django 1.11.8 where combining two annotated values_list() querysets with union(), difference(), or intersection() crashed due to mismatching columns.
Fixed a regression in Django 1.11 where an empty choice could be initially selected for the SelectMultiple and CheckboxSelectMultiple widgets.
Fixed a regression in Django 2.0 where OpenLayersWidget deserialization ignored the widget map’s SRID and assumed 4326.
2018-03-06 | py-django2: updated to 2.0.3 | adam | 2 | -7/+7
2.0.3:
CVE-2018-7536: Denial-of-service possibility in urlize and urlizetrunc template filters
CVE-2018-7537: Denial-of-service possibility in truncatechars_html and truncatewords_html template filters
Bugfixes
2018-02-04 | Import django-2.0.2 as www/py-django2. | wen | 6 | -0/+5059
Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Django was designed to make common Web-development tasks fast and easy.