Django 1.5.2/1.4.6 Released

fei
Published 2013-08-30

The Django project is a custom framework that originated from an online news website and was released as open source in 2005. The core components of the Django framework are:

  • An object-relational mapper for creating models
  • A polished admin interface designed for end users
  • First-class URL design
  • A designer-friendly template language
  • A caching system

Django 1.5.2/1.4.6 have been released (2013-08-14). The previous release was 1.5.1 on 2013-03-28. Django requires Python 2.6.5 or later and also supports Python 3. This release fixes a number of problems in 1.5, chiefly two XSS security vulnerabilities. The development version is 1.6 beta 2.

Release announcement:

Django 1.5.2 release notes

August 13, 2013

This is Django 1.5.2, a bugfix and security release for Django 1.5.


Mitigated possible XSS attack via user-supplied redirect URLs

Django relies on user input in some cases (e.g. django.contrib.auth.views.login(), django.contrib.comments, and i18n) to redirect the user to an “on success” URL. The security check for these redirects (namely django.utils.http.is_safe_url()) didn’t check whether the scheme is http(s) and as such allowed javascript:... URLs to be entered. If a developer relied on is_safe_url() to provide safe redirect targets and put such a URL into a link, he could suffer from an XSS attack. This bug doesn’t affect Django itself currently, since Django only puts this URL into the Location response header and browsers seem to ignore JavaScript there.
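
As an added illustration (not Django’s own is_safe_url() implementation), the following check shows what the fix amounts to: a redirect target is accepted only if it is relative or on the expected host, and its scheme, when present, is http or https, so javascript: and data: URLs are rejected. The host name example.com and the helper name are assumptions for this example.

```python
from urllib.parse import urlparse

# Only these schemes may appear in a redirect target; anything else
# (javascript:, data:, vbscript:, ...) is rejected outright.
ALLOWED_SCHEMES = {"http", "https"}


def is_safe_redirect(url, allowed_host):
    """Return True if `url` is acceptable as an "on success" redirect.

    Hypothetical re-implementation of the check described in the
    release note. The scheme test is the piece that was missing before
    Django 1.5.2 and let javascript: targets through.
    """
    if not url:
        return False
    url = url.strip()
    # Embedded whitespace or control characters let browsers reassemble
    # "java\tscript:" into a javascript: URL; treat them as unsafe.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        return False
    # "///evil" and "\\evil" are read as absolute URLs by some browsers.
    if url.startswith("///") or url.startswith("\\"):
        return False
    parsed = urlparse(url)
    # A scheme outside http/https is never a safe redirect target.
    if parsed.scheme and parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # An absolute URL must point back at the host we are serving.
    if parsed.netloc and parsed.netloc != allowed_host:
        return False
    # A scheme with no host ("http:///x") is ambiguous; reject it.
    if parsed.scheme and not parsed.netloc:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample targets, as a login view might receive in ?next=
    for candidate in ["/accounts/profile/", "https://example.com/next",
                      "javascript:alert(1)", "//evil.example/", "data:text/html,x"]:
        print(repr(candidate), "->", is_safe_redirect(candidate, "example.com"))
```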

XSS vulnerability in django.contrib.admin

If a URLField is used in Django 1.5, it displays the current value of the field and a link to the target on the admin change page. The display routine of this widget was flawed and allowed for XSS.

Bugfixes

  • Fixed a crash with prefetch_related() (#19607) as well as some pickle regressions with prefetch_related (#20157 and #20257).
  • Fixed a regression in django.contrib.gis in the Google Map output on Python 3 (#20773).
  • Made DjangoTestSuiteRunner.setup_databases properly handle aliases for the default database (#19940) and prevented teardown_databases from attempting to tear down aliases (#20681).
  • Fixed the django.core.cache.backends.memcached.MemcachedCache backend’s get_many() method on Python 3 (#20722).
  • Fixed django.contrib.humanize translation syntax errors. Affected languages: Mexican Spanish, Mongolian, Romanian, Turkish (#20695).
  • Added support for wheel packages (#19252).
  • The CSRF token now rotates when a user logs in.
  • Some Python 3 compatibility fixes including #20212 and #20025.
  • Fixed some rare cases where get() exceptions recursed infinitely (#20278).
  • makemessages no longer crashes with UnicodeDecodeError (#20354).
  • Fixed geojson detection with Spatialite.
  • assertContains() once again works with binary content (#20237).
  • Fixed ManyToManyField if it has a unicode name parameter (#20207).
  • Ensured that the WSGI request’s path is correctly based on the SCRIPT_NAME environment variable or the FORCE_SCRIPT_NAME setting, regardless of whether or not either has a trailing slash (#20169).
  • Fixed an obscure bug with the override_settings() decorator. If you hit an AttributeError: 'Settings' object has no attribute '_original_allowed_hosts' exception, it’s probably fixed (#20636).

Download: https://www.djangoproject.com/m/releases/1.5/Django-1.5.2.tar.gz


https://www.djangoproject.com/m/releases/1.4/Django-1.4.6.tar.gz


Latest comments (12)

ZackLee
Not bad.

雪候鸟
Yeah, did we time-travel?

ifsc01
I moved from django to rails. Honestly, rails is still more awesome.

不是胖子

Quoting FeiFan's comment:

Stuff from the 13th.. and today is already the 30th.

The editors have been a bit slow lately.

FeiFan
Stuff from the 13th.. and today is already the 30th.

铂金大雕
The CSRF token now rotates when a user logs in.

Archer_小A

Quoting gaicitadie's comment:

Django matured years ago; it doesn't need a silver bullet to dazzle anyone. Django is somewhat complex, but not every feature needs to be mastered; the basics are enough. Django isn't used much in internet startups, but it has a place in enterprise software.

Also, the python community is low-key, which matches the style of the python language: simplicity is the way, and there is no appetite for venting outside of work. But don't assume the python community is weak.

+1

ntsai
Have been developing with django for 2 years. Very good, easier to manage than rails.

gaicitadie
Django matured years ago; it doesn't need a silver bullet to dazzle anyone. Django is somewhat complex, but not every feature needs to be mastered; the basics are enough. Django isn't used much in internet startups, but it has a place in enterprise software.

Also, the python community is low-key, which matches the style of the python language: simplicity is the way, and there is no appetite for venting outside of work. But don't assume the python community is weak.

MyPy
Still learning it.