mirror of
				https://github.com/django/django.git
				synced 2025-10-26 07:06:08 +00:00 
			
		
		
		
	git-svn-id: http://code.djangoproject.com/svn/django/trunk@15485 bcc190cf-cafb-0310-a4f2-bffc1f526a37
		
			
				
	
	
		
			51 lines
		
	
	
		
			2.2 KiB
		
	
	
	
		
			Plaintext
		
	
	
	
	
	
			
		
		
	
	
			51 lines
		
	
	
		
			2.2 KiB
		
	
	
	
		
			Plaintext
		
	
	
	
	
	
| ==========================
 | |
| Django 1.1.3 release notes
 | |
| ==========================
 | |
| 
 | |
| Welcome to Django 1.1.3!
 | |
| 
 | |
| This is the third "bugfix" release in the Django 1.1 series,
 | |
| improving the stability and performance of the Django 1.1 codebase.
 | |
| 
 | |
| With one exception, Django 1.1.3 maintains backwards compatibility
 | |
| with Django 1.1.2. It also contains a number of fixes and other
 | |
| improvements. Django 1.1.2 is a recommended upgrade for any
 | |
| development or deployment currently using or targeting Django 1.1.
 | |
| 
 | |
| For full details on the new features, backwards incompatibilities, and
 | |
| deprecated features in the 1.1 branch, see the :doc:`/releases/1.1`.
 | |
| 
 | |
| Backwards incompatible changes
 | |
| ==============================
 | |
| 
 | |
| Restricted filters in admin interface
 | |
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 | |
| 
 | |
| The Django administrative interface, django.contrib.admin, supports
 | |
| filtering of displayed lists of objects by fields on the corresponding
 | |
| models, including across database-level relationships. This is
 | |
| implemented by passing lookup arguments in the querystring portion of
 | |
| the URL, and options on the ModelAdmin class allow developers to
 | |
| specify particular fields or relationships which will generate
 | |
| automatic links for filtering.
 | |
| 
 | |
| One historically-undocumented and -unofficially-supported feature has
 | |
| been the ability for a user with sufficient knowledge of a model's
 | |
| structure and the format of these lookup arguments to invent useful
 | |
| new filters on the fly by manipulating the querystring.
 | |
| 
 | |
| However, it has been demonstrated that this can be abused to gain
 | |
| access to information outside of an admin user's permissions; for
 | |
| example, an attacker with access to the admin and sufficient knowledge
 | |
| of model structure and relations could construct query strings which --
 | |
| with repeated use of regular-expression lookups supported by the
 | |
| Django database API -- expose sensitive information such as users'
 | |
| password hashes.
 | |
| 
 | |
| To remedy this, django.contrib.admin will now validate that
 | |
| querystring lookup arguments either specify only fields on the model
 | |
| being viewed, or cross relations which have been explicitly
 | |
| whitelisted by the application developer using the pre-existing
 | |
| mechanism mentioned above. This is backwards-incompatible for any
 | |
| users relying on the prior ability to insert arbitrary lookups.
 |