August 18, 2015
Django 1.8.4 fixes a security issue and several bugs in 1.8.3.
logout()
view by filling session store¶Previously, a session could be created when anonymously accessing the
django.contrib.auth.views.logout()
view (provided it wasn’t decorated
with login_required()
as done in the
admin). This could allow an attacker to easily create many new session records
by sending repeated requests, potentially filling up the session store or
causing other users’ session records to be evicted.
The SessionMiddleware
has been
modified to no longer create empty session records, including when
SESSION_SAVE_EVERY_REQUEST
is active.
UUIDField
(#25019).TEMPLATE_*
settings are defined
in addition to the new TEMPLATES
setting.QuerySet.raw()
so InvalidQuery
is not raised when using the
db_column
name of a ForeignKey
field with primary_key=True
(#12768).TestCase.setUpTestData()
from leaking the
transaction (#25176).has_changed()
method in contrib.postgres.forms.HStoreField
(#25215, #25233).migrate
command (#25231).Model.save()
to allow easier usage
of in-memory models (#25160).varchar_patterns_ops
and text_patterns_ops
indexes for
ArrayField
(#25180).Jun 22, 2017