August 18, 2015
Django 1.8.4 fixes a security issue and several bugs in 1.8.3.
Denial-of-service possibility in logout()
view by filling session store
Previously, a session could be created when anonymously accessing the
django.contrib.auth.views.logout()
view (provided it wasn't decorated
with login_required()
as done in the
admin). This could allow an attacker to easily create many new session records
by sending repeated requests, potentially filling up the session store or
causing other users' session records to be evicted.
The SessionMiddleware
has been
modified to no longer create empty session records, including when
SESSION_SAVE_EVERY_REQUEST
is active.
漏洞修复
- Added the ability to serialize values from the newly added
UUIDField
(#25019). - Added a system check warning if the old
TEMPLATE_*
settings are defined in addition to the newTEMPLATES
setting. - Fixed
QuerySet.raw()
soInvalidQuery
is not raised when using thedb_column
name of aForeignKey
field withprimary_key=True
(#12768). - Prevented an exception in
TestCase.setUpTestData()
from leaking the transaction (#25176). - Fixed
has_changed()
method incontrib.postgres.forms.HStoreField
(#25215, #25233). - Fixed the recording of squashed migrations when running the
migrate
command (#25231). - Moved the unsaved model instance assignment data loss check to
Model.save()
to allow easier usage of in-memory models (#25160). - Prevented
varchar_patterns_ops
andtext_patterns_ops
indexes forArrayField
(#25180).
讨论区