August 13, 2013
This is Django 1.5.2, a bugfix and security release for Django 1.5.
Django relies on user input in some cases (e.g. django.contrib.auth.views.login(), django.contrib.comments, and i18n) to redirect the user to an “on success” URL. The security checks for these redirects (namely django.utils.http.is_safe_url()) didn’t check if the scheme is http(s) and as such allowed javascript:... URLs to be entered. If a developer relied on is_safe_url() to provide safe redirect targets and put such a URL into a link, they could suffer from an XSS attack. This bug doesn’t affect Django currently, since we only put this URL into the Location response header and browsers seem to ignore JavaScript there.
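The scheme check described above, as an added example that is not Django’s own code: a host-only check of the kind the notes call flawed, beside a corrected form that also requires an http(s) or relative URL, run over constructed sample redirect targets for an assumed host of example.com.

```python
from urllib.parse import urlparse

ALLOWED_SCHEMES = ("http", "https")


def is_safe_url_host_only(url, host):
    """The weak form the notes describe: the target only has to be a
    relative URL or point at our own host. A scheme-only URL such as
    javascript:... has an empty netloc, so it passes this check."""
    if not url:
        return False
    netloc = urlparse(url).netloc
    return not netloc or netloc == host


def is_safe_url(url, host):
    """The corrected form: same host rule, plus the scheme must be absent
    (a relative URL) or one of http/https. urlparse lower-cases the
    scheme, so mixed-case schemes are handled as well."""
    if not url:
        return False
    parts = urlparse(url)
    if parts.scheme and parts.scheme not in ALLOWED_SCHEMES:
        return False
    return not parts.netloc or parts.netloc == host


def redirect_target(next_url, host, fallback="/"):
    """What a login-style view should do with a user-supplied 'next':
    fall back to a fixed local path whenever the check fails."""
    return next_url if is_safe_url(next_url, host) else fallback


# Constructed sample inputs, as a view might receive them in ?next=...
SAMPLES = [
    "/accounts/profile/",
    "https://example.com/dashboard/",
    "HTTP://example.com/dashboard/",
    "https://other.example/",
    "ftp://example.com/pub/",
    "javascript:void(0)",
    "",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print("%-34r host-only=%-5s fixed=%-5s -> %s" % (
            url, is_safe_url_host_only(url, "example.com"),
            is_safe_url(url, "example.com"),
            redirect_target(url, "example.com")))
```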
django.contrib.admin

If a URLField is used in Django 1.5, it displays the current value of the field and a link to the target on the admin change page. The display routine of this widget was flawed and allowed for XSS.
- prefetch_related() (#19607) as well as some pickle regressions with prefetch_related (#20157 and #20257).
- django.contrib.gis in the Google Map output on Python 3 (#20773).
- DjangoTestSuiteRunner.setup_databases properly handle aliases for the default database (#19940) and prevented teardown_databases from attempting to tear down aliases (#20681).
- django.core.cache.backends.memcached.MemcachedCache backend’s get_many() method on Python 3 (#20722).
- django.contrib.humanize translation syntax errors. Affected languages: Mexican Spanish, Mongolian, Romanian, Turkish (#20695).
- get() exceptions recursed infinitely (#20278).
- makemessages no longer crashes with UnicodeDecodeError (#20354).
- geojson detection with SpatiaLite.
- assertContains() once again works with binary content (#20237).
- ManyToManyField if it has a unicode name parameter (#20207).
- SCRIPT_NAME environment variable or the FORCE_SCRIPT_NAME setting, regardless of whether or not either has a trailing slash (#20169).
- override_settings() decorator. If you hit an AttributeError: 'Settings' object has no attribute '_original_allowed_hosts' exception, it’s probably fixed (#20636).