Django 1.8.7 release notes
November 24, 2015

Django 1.8.7 fixes a security issue and several bugs in 1.8.6.

Additionally, Django's vendored version of six, django.utils.six, has been upgraded to the latest release (1.10.0).
Fixed settings leak possibility in date template filter

If an application allows users to specify an unvalidated format for dates and passes this format to the date filter, e.g. {{ last_updated|date:user_date_format }}, then a malicious user could obtain any secret in the application's settings by specifying a settings key instead of a date format, e.g. "SECRET_KEY" instead of "j/m/Y".

To remedy this, the underlying function used by the date template filter, django.utils.formats.get_format(), now only allows accessing the date/time formatting settings.
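The following is an added, self-contained model of the lookup described above; it is not Django's own code. It puts a pre-fix style get_format() (any settings attribute name resolves to its value) beside the 1.8.7 style one (only names on a date/time format allow-list resolve, everything else is treated as a literal format string), and runs a user-controlled argument through a minimal date formatter to show why the old behaviour leaked the value of SECRET_KEY into rendered output. The settings object, the secret value, the allow-list contents and the formatter (which only understands j, d, m and Y) are constructed for the example; Django's real FORMAT_SETTINGS allow-list in django/utils/formats.py is longer than the one here.

```python
from datetime import date
from types import SimpleNamespace

# Constructed stand-in for django.conf.settings (sample values, not real secrets)
settings = SimpleNamespace(
    SECRET_KEY="hunter2-not-a-real-key",
    DATE_FORMAT="N j, Y",
    SHORT_DATE_FORMAT="m/d/Y",
)

# Allow-list of settings that the date/time filters may resolve by name.
# Assumption: mirrors the idea of Django's FORMAT_SETTINGS, not its exact contents.
FORMAT_SETTINGS = frozenset(
    {"DATE_FORMAT", "SHORT_DATE_FORMAT", "TIME_FORMAT", "DATETIME_FORMAT"}
)

# Sample input shared by the usage block and the checks below
SAMPLE_DATE = date(2015, 11, 24)


def get_format_vulnerable(format_type):
    """Pre-1.8.7 style: any attribute name on settings resolves to its value,
    so a user-supplied "SECRET_KEY" becomes the secret itself."""
    return getattr(settings, format_type, format_type)


def get_format_fixed(format_type):
    """1.8.7 style: only names on the allow-list are looked up on settings;
    any other argument is returned unchanged and used as a literal format string."""
    if format_type in FORMAT_SETTINGS:
        return getattr(settings, format_type)
    return format_type


def render_date(value, fmt):
    """Minimal formatter: j=day, d=zero-padded day, m=zero-padded month, Y=year.
    Every other character passes through literally, which is exactly why a
    setting value substituted for the format string shows up in the output."""
    out = []
    for ch in fmt:
        if ch == "j":
            out.append(str(value.day))
        elif ch == "d":
            out.append("%02d" % value.day)
        elif ch == "m":
            out.append("%02d" % value.month)
        elif ch == "Y":
            out.append(str(value.year))
        else:
            out.append(ch)
    return "".join(out)


def date_filter(value, arg, lookup):
    """Model of {{ value|date:arg }}: resolve arg through the given lookup, then format."""
    return render_date(value, lookup(arg))


if __name__ == "__main__":
    # Attacker-controlled argument reaching the filter, before and after the fix
    print(date_filter(SAMPLE_DATE, "SECRET_KEY", get_format_vulnerable))  # leaks the key
    print(date_filter(SAMPLE_DATE, "SECRET_KEY", get_format_fixed))       # literal text
    # Legitimate uses keep working after the fix
    print(date_filter(SAMPLE_DATE, "j/m/Y", get_format_fixed))
    print(date_filter(SAMPLE_DATE, "SHORT_DATE_FORMAT", get_format_fixed))
```

The allow-list is the whole fix: nothing about the template syntax changes, and named formats such as SHORT_DATE_FORMAT still resolve, but an arbitrary settings name no longer reaches getattr(). Applications that let users choose a date format should additionally validate that input against their own list of permitted formats rather than relying on the filter alone.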
Bugfixes

- USE_TZ is False and pytz is installed.
- allow_migrate() method to crash (#25686).
- Manager objects for the queryset argument of ModelChoiceField (#25683).
- migrations directory to fail (#25618).
- Prefetch if to_attr is set to a ManyToManyField (#25693).
- gettext() once again return UTF-8 bytestrings on Python 2 if the input is a bytestring (#25720).
- DateRangeField and DateTimeRangeField (#24937).
- ArrayField (#25666).
- Model.refresh_from_db() updating of ForeignKey fields with on_delete=models.SET_NULL (#25715).
- set_FOO_order() crash when the ForeignKey of a model with order_with_respect_to references a model with a OneToOneField primary key (#25786).
- PositiveIntegerField and PositiveSmallIntegerField on MySQL resulting in values greater than 4294967295 or 65535, respectively, passing validation and being silently truncated by the database (#25767).