
Django 1.5.2/1.4.6 released

Published: 2013-08-30 09:24:31  Source: 红联  Author: empast
The Django project is a custom web framework that originated at an online news site and was released as open source in 2005. The core components of the Django framework are:

ÓÃÓÚ´´½¨Ä£Ð͵ĶÔÏó¹ØÏµÓ³Éä
Ϊ×îÖÕÓû§Éè¼ÆµÄÍêÃÀ¹ÜÀí½çÃæ
Ò»Á÷µÄ URL Éè¼Æ
Éè¼ÆÕßÓѺõÄÄ£°åÓïÑÔ
»º´æÏµÍ³

Django 1.5.2/1.4.6 released (2013-08-14). The previous version, 1.5.1, dates from 2013-03-28. Django requires Python 2.6.5 or later and also supports Python 3. This release fixes several issues in the 1.5 series, chiefly two XSS security vulnerabilities. The development version is 1.6 beta 2 (1.6B2).

Release announcement:

Django 1.5.2 release notes
August 13, 2013

This is Django 1.5.2, a bugfix and security release for Django 1.5.

Mitigated possible XSS attack via user-supplied redirect URLs
Django relies on user input in some cases (e.g. django.contrib.auth.views.login(), django.contrib.comments, and i18n) to redirect the user to an "on success" URL. The security checks for these redirects (namely django.utils.http.is_safe_url()) didn't check if the scheme is http(s) and as such allowed javascript:... URLs to be entered. If a developer relied on is_safe_url() to provide safe redirect targets and put such a URL into a link, he could suffer from an XSS attack. This bug doesn't affect Django currently, since we only put this URL into the Location response header and browsers seem to ignore JavaScript there.
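As an added illustration (not Django's own code), the two checks below contrast a host-only redirect check, which lets a javascript: target through because it never inspects the scheme, with one that also requires http or https as the fix describes; the function names, the example.com host and the sample URLs are constructed for this example.

```python
from urllib.parse import urlparse

# Added illustration, not Django's own implementation: a redirect-target check
# before and after requiring an http(s) scheme, as the 1.5.2 notes describe.
ALLOWED_SCHEMES = ("http", "https")


def is_safe_url_weak(url, host):
    """Host-only check (pre-fix behaviour): the scheme is never inspected,
    so a javascript: target with no host component is accepted."""
    if not url:
        return False
    netloc = urlparse(url).netloc
    return not netloc or netloc == host


def is_safe_url_fixed(url, host):
    """Hardened check: the target must be relative or on `host`, and if it
    carries a scheme that scheme must be http or https."""
    if not url:
        return False
    # Browsers drop tabs/newlines and read '\' as '/'; reject control chars and
    # normalise backslashes so the parser sees what the browser will see.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return False
    url = url.replace("\\", "/")
    if url.startswith("///"):
        return False  # urlparse sees a path; browsers see a scheme-relative URL
    parts = urlparse(url)
    if parts.scheme and parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    return not parts.netloc or parts.netloc == host


# Constructed sample redirect targets such as a login view receives via ?next=
SAMPLES = [
    "/accounts/profile/",                # relative path: safe
    "https://example.com/dashboard/",    # same host over https: safe
    "http://evil.example/",              # other host: unsafe
    "javascript:alert(document.cookie)", # no host, javascript: scheme
    "//evil.example/",                   # scheme-relative, other host: unsafe
]


def compare(host="example.com"):
    """Map each sample to (weak_result, fixed_result) for the given host."""
    return {u: (is_safe_url_weak(u, host), is_safe_url_fixed(u, host))
            for u in SAMPLES}
```

Only the javascript: sample differs between the two checks: the weak variant returns True for it while the hardened one returns False.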

XSS vulnerability in django.contrib.admin
If a URLField is used in Django 1.5, it displays the current value of the field and a link to the target on the admin change page. The display routine of this widget was flawed and allowed for XSS.

Bugfixes
Fixed a crash with prefetch_related() (#19607) as well as some pickle regressions with prefetch_related (#20157 and #20257).
Fixed a regression in django.contrib.gis in the Google Map output on Python 3 (#20773).
Made DjangoTestSuiteRunner.setup_databases properly handle aliases for the default database (#19940) and prevented teardown_databases from attempting to tear down aliases (#20681).
Fixed the django.core.cache.backends.memcached.MemcachedCache backend's get_many() method on Python 3 (#20722).
Fixed django.contrib.humanize translation syntax errors. Affected languages: Mexican Spanish, Mongolian, Romanian, Turkish (#20695).
Added support for wheel packages (#19252).
The CSRF token now rotates when a user logs in.
Some Python 3 compatibility fixes including #20212 and #20025.
Fixed some rare cases where get() exceptions recursed infinitely (#20278).
makemessages no longer crashes with UnicodeDecodeError (#20354).
Fixed geojson detection with Spatialite.
assertContains() once again works with binary content (#20237).
Fixed ManyToManyField if it has a unicode name parameter (#20207).
Ensured that the WSGI request's path is correctly based on the SCRIPT_NAME environment variable or the FORCE_SCRIPT_NAME setting, regardless of whether or not either has a trailing slash (#20169).
Fixed an obscure bug with the override_settings() decorator. If you hit an AttributeError: 'Settings' object has no attribute '_original_allowed_hosts' exception, it's probably fixed (#20636).

Download: https://www.djangoproject.com/m/releases/1.5/Django-1.5.2.tar.gz

https://www.djangoproject.com/m/releases/1.4/Django-1.4.6.tar.gz

Source: OSChina (开源中国) community