File: 2.0.8.txt

package info (click to toggle)
python-django 3%3A3.2.19-1%2Bdeb12u2
  • links: PTS, VCS
  • area: main
  • in suites: bookworm-proposed-updates
  • size: 56,696 kB
  • sloc: python: 264,418; javascript: 18,362; xml: 193; makefile: 178; sh: 43
file content (29 lines) | stat: -rw-r--r-- 1,071 bytes parent folder | download | duplicates (6) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
 
==========================
Django 2.0.8 release notes
==========================

*August 1, 2018*

Django 2.0.8 fixes a security issue and several bugs in 2.0.7.

CVE-2018-14574: Open redirect possibility in ``CommonMiddleware``
=================================================================

If the :class:`~django.middleware.common.CommonMiddleware` and the
:setting:`APPEND_SLASH` setting are both enabled, and if the project has a
URL pattern that accepts any path ending in a slash (many content management
systems have such a pattern), then a request to a maliciously crafted URL of
that site could lead to a redirect to another site, enabling phishing and other
attacks.

``CommonMiddleware`` now escapes leading slashes to prevent redirects to other
domains.

Bugfixes
========

* Fixed a regression in Django 2.0.7 that broke the ``regex`` lookup on MariaDB
  (even though MariaDB isn't officially supported) (:ticket:`29544`).

* Fixed a regression where ``django.template.Template`` crashed if the
  ``template_string`` argument is lazy (:ticket:`29617`).