2017-03-07 13:05:35 -05:00
|
|
|
===========================
|
|
|
|
|
Django 1.10.7 release notes
|
|
|
|
|
===========================
|
|
|
|
|
|
2017-03-22 11:47:45 -04:00
|
|
|
*April 4, 2017*
|
2017-03-07 13:05:35 -05:00
|
|
|
|
2017-03-22 11:47:45 -04:00
|
|
|
Django 1.10.7 fixes two security issues and a bug in 1.10.6.
|
2017-03-07 13:05:35 -05:00
|
|
|
|
2017-03-14 12:33:15 -04:00
|
|
|
CVE-2017-7234: Open redirect vulnerability in ``django.views.static.serve()``
|
|
|
|
|
=============================================================================
|
|
|
|
|
|
|
|
|
|
A maliciously crafted URL to a Django site using the
|
|
|
|
|
:func:`~django.views.static.serve` view could redirect to any other domain. The
|
|
|
|
|
view no longer does any redirects as they don't provide any known, useful
|
|
|
|
|
functionality.
|
|
|
|
|
|
|
|
|
|
Note, however, that this view has always carried a warning that it is not
|
|
|
|
|
hardened for production use and should be used only as a development aid.
|
|
|
|
|
|
2017-03-07 13:05:35 -05:00
|
|
|
Bugfixes
|
|
|
|
|
========
|
|
|
|
|
|
2017-03-08 03:56:29 +09:00
|
|
|
* Made admin's ``RelatedFieldWidgetWrapper`` use the wrapped widget's
|
|
|
|
|
``value_omitted_from_data()`` method (:ticket:`27905`).
|
2017-03-31 07:10:08 -07:00
|
|
|
|
|
|
|
|
* Fixed model form ``default`` fallback for ``SelectMultiple``
|
|
|
|
|
(:ticket:`27993`).
|
