[Python-modules-commits] [python-django] 01/07: Import python-django_1.8.16.orig.tar.gz
Raphaël Hertzog
hertzog at moszumanska.debian.org
Tue Nov 8 13:18:54 UTC 2016
This is an automated email from the git hooks/post-receive script.
hertzog pushed a commit to branch debian/jessie-backports
in repository python-django.
commit 9bea6eba2d4c60c9a467172e687aafe47dd8f436
Author: Raphaël Hertzog <hertzog at debian.org>
Date: Tue Nov 8 13:55:25 2016 +0100
Import python-django_1.8.16.orig.tar.gz
---
.gitattributes | 5 +
.gitignore | 13 +
.hgignore | 15 +
.tx/config | 73 ++++
CONTRIBUTING.rst | 26 ++
Django.egg-info/PKG-INFO | 2 +-
Django.egg-info/SOURCES.txt | 9 +
PKG-INFO | 2 +-
django/__init__.py | 2 +-
django/contrib/admin/bin/compress.py | 53 +++
django/contrib/sitemaps/tests/test_flatpages.py | 62 +++
django/db/backends/oracle/creation.py | 16 +-
django/http/request.py | 9 +-
docs/_ext/cve_role.py | 27 ++
docs/conf.py | 4 +-
docs/ref/contrib/sitemaps.txt | 5 +-
docs/ref/models/querysets.txt | 12 +-
docs/ref/settings.txt | 16 +-
docs/releases/1.8.16.txt | 43 ++
docs/releases/1.8.txt | 2 +-
docs/releases/index.txt | 1 +
docs/releases/security.txt | 556 +++++++++++++-----------
tests/gis_tests/test_geoip.py | 10 +-
tests/requests/tests.py | 29 +-
24 files changed, 691 insertions(+), 301 deletions(-)
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..cd42cc5
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,5 @@
+# Normalize line endings to avoid spurious failures in the core test suite on Windows.
+*html text eol=lf
+*css text eol=lf
+tests/staticfiles_tests/apps/test/static/test/*txt text eol=lf
+tests/staticfiles_tests/project/documents/test/*txt text eol=lf
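Review bot: the `*html` and `*css` patterns on the second and third lines are missing the dot, so they match any path that merely ends in those letters rather than files with those extensions; `*.html text eol=lf` and `*.css text eol=lf` express the intent stated in the comment and avoid normalizing unrelated files.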
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..504361b
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,13 @@
+*.egg-info
+*.pot
+*.py[co]
+__pycache__
+MANIFEST
+dist/
+docs/_build/
+docs/locale/
+node_modules/
+tests/coverage_html/
+tests/.coverage
+build/
+tests/report/
diff --git a/.hgignore b/.hgignore
new file mode 100644
index 0000000..8c900d5
--- /dev/null
+++ b/.hgignore
@@ -0,0 +1,15 @@
+syntax:glob
+
+*.egg-info
+*.pot
+*.py[co]
+__pycache__
+MANIFEST
+dist/
+docs/_build/
+docs/locale/
+node_modules/
+tests/coverage_html/
+tests/.coverage
+build/
+tests/report/
diff --git a/.tx/config b/.tx/config
new file mode 100644
index 0000000..44f8a7e
--- /dev/null
+++ b/.tx/config
@@ -0,0 +1,73 @@
+[main]
+host = https://www.transifex.com
+lang_map = sr at latin:sr_Latn, zh_CN:zh_Hans, zh_TW:zh_Hant
+
+[django.core]
+file_filter = django/conf/locale/<lang>/LC_MESSAGES/django.po
+source_file = django/conf/locale/en/LC_MESSAGES/django.po
+source_lang = en
+
+[django.contrib-admin]
+file_filter = django/contrib/admin/locale/<lang>/LC_MESSAGES/django.po
+source_file = django/contrib/admin/locale/en/LC_MESSAGES/django.po
+source_lang = en
+
+[django.contrib-admin-js]
+file_filter = django/contrib/admin/locale/<lang>/LC_MESSAGES/djangojs.po
+source_file = django/contrib/admin/locale/en/LC_MESSAGES/djangojs.po
+source_lang = en
+
+[django.contrib-admindocs]
+file_filter = django/contrib/admindocs/locale/<lang>/LC_MESSAGES/django.po
+source_file = django/contrib/admindocs/locale/en/LC_MESSAGES/django.po
+source_lang = en
+
+[django.contrib-auth]
+file_filter = django/contrib/auth/locale/<lang>/LC_MESSAGES/django.po
+source_file = django/contrib/auth/locale/en/LC_MESSAGES/django.po
+source_lang = en
+
+[django.contrib-contenttypes]
+file_filter = django/contrib/contenttypes/locale/<lang>/LC_MESSAGES/django.po
+source_file = django/contrib/contenttypes/locale/en/LC_MESSAGES/django.po
+source_lang = en
+
+[django.contrib-flatpages]
+file_filter = django/contrib/flatpages/locale/<lang>/LC_MESSAGES/django.po
+source_file = django/contrib/flatpages/locale/en/LC_MESSAGES/django.po
+source_lang = en
+
+[django.contrib-gis]
+file_filter = django/contrib/gis/locale/<lang>/LC_MESSAGES/django.po
+source_file = django/contrib/gis/locale/en/LC_MESSAGES/django.po
+source_lang = en
+
+[django.contrib-humanize]
+file_filter = django/contrib/humanize/locale/<lang>/LC_MESSAGES/django.po
+source_file = django/contrib/humanize/locale/en/LC_MESSAGES/django.po
+source_lang = en
+
+[django.contrib-messages]
+file_filter = django/contrib/messages/locale/<lang>/LC_MESSAGES/django.po
+source_file = django/contrib/messages/locale/en/LC_MESSAGES/django.po
+source_lang = en
+
+[django.contrib-postgres]
+file_filter = django/contrib/postgres/locale/<lang>/LC_MESSAGES/django.po
+source_file = django/contrib/postgres/locale/en/LC_MESSAGES/django.po
+source_lang = en
+
+[django.contrib-redirects]
+file_filter = django/contrib/redirects/locale/<lang>/LC_MESSAGES/django.po
+source_file = django/contrib/redirects/locale/en/LC_MESSAGES/django.po
+source_lang = en
+
+[django.contrib-sessions]
+file_filter = django/contrib/sessions/locale/<lang>/LC_MESSAGES/django.po
+source_file = django/contrib/sessions/locale/en/LC_MESSAGES/django.po
+source_lang = en
+
+[django.contrib-sites]
+file_filter = django/contrib/sites/locale/<lang>/LC_MESSAGES/django.po
+source_file = django/contrib/sites/locale/en/LC_MESSAGES/django.po
+source_lang = en
diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst
new file mode 100644
index 0000000..4a5887b
--- /dev/null
+++ b/CONTRIBUTING.rst
@@ -0,0 +1,26 @@
+======================
+Contributing to Django
+======================
+
+As an open source project, Django welcomes contributions of many forms.
+
+Examples of contributions include:
+
+* Code patches
+* Documentation improvements
+* Bug reports and patch reviews
+
+Extensive contribution guidelines are available in the repository at
+``docs/internals/contributing/``, or online at:
+
+https://docs.djangoproject.com/en/dev/internals/contributing/
+
+**Warning: non-trivial pull requests (anything more than fixing a typo) without
+Trac tickets will be closed!** `Please file a ticket`__ to suggest changes.
+
+__ https://code.djangoproject.com/newticket
+
+Django uses Trac to keep track of bugs, feature requests, and associated
+patches because GitHub doesn't provide adequate tooling for its community.
+Patches can be submitted as pull requests, but if you don't file a ticket,
+it's unlikely that we'll notice your contribution.
diff --git a/Django.egg-info/PKG-INFO b/Django.egg-info/PKG-INFO
index 28304ac..3325eae 100644
--- a/Django.egg-info/PKG-INFO
+++ b/Django.egg-info/PKG-INFO
@@ -1,6 +1,6 @@
Metadata-Version: 1.1
Name: Django
-Version: 1.8.15
+Version: 1.8.16
Summary: A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
Home-page: http://www.djangoproject.com/
Author: Django Software Foundation
diff --git a/Django.egg-info/SOURCES.txt b/Django.egg-info/SOURCES.txt
index 2eda666..b989880 100644
--- a/Django.egg-info/SOURCES.txt
+++ b/Django.egg-info/SOURCES.txt
@@ -1,10 +1,15 @@
+.gitattributes
+.gitignore
+.hgignore
AUTHORS
+CONTRIBUTING.rst
INSTALL
LICENSE
MANIFEST.in
README.rst
setup.cfg
setup.py
+.tx/config
Django.egg-info/PKG-INFO
Django.egg-info/SOURCES.txt
Django.egg-info/dependency_links.txt
@@ -363,6 +368,7 @@ django/contrib/admin/util.py
django/contrib/admin/utils.py
django/contrib/admin/validation.py
django/contrib/admin/widgets.py
+django/contrib/admin/bin/compress.py
django/contrib/admin/locale/af/LC_MESSAGES/django.mo
django/contrib/admin/locale/af/LC_MESSAGES/django.po
django/contrib/admin/locale/af/LC_MESSAGES/djangojs.mo
@@ -2528,6 +2534,7 @@ django/contrib/sitemaps/management/commands/__init__.py
django/contrib/sitemaps/management/commands/ping_google.py
django/contrib/sitemaps/templates/sitemap.xml
django/contrib/sitemaps/templates/sitemap_index.xml
+django/contrib/sitemaps/tests/test_flatpages.py
django/contrib/sites/__init__.py
django/contrib/sites/admin.py
django/contrib/sites/apps.py
@@ -3084,6 +3091,7 @@ docs/index.txt
docs/make.bat
docs/spelling_wordlist
docs/_ext/applyxrefs.py
+docs/_ext/cve_role.py
docs/_ext/djangodocs.py
docs/_ext/ticket_role.py
docs/_theme/djangodocs/genindex.html
@@ -3407,6 +3415,7 @@ docs/releases/1.8.12.txt
docs/releases/1.8.13.txt
docs/releases/1.8.14.txt
docs/releases/1.8.15.txt
+docs/releases/1.8.16.txt
docs/releases/1.8.2.txt
docs/releases/1.8.3.txt
docs/releases/1.8.4.txt
diff --git a/PKG-INFO b/PKG-INFO
index 28304ac..3325eae 100644
--- a/PKG-INFO
+++ b/PKG-INFO
@@ -1,6 +1,6 @@
Metadata-Version: 1.1
Name: Django
-Version: 1.8.15
+Version: 1.8.16
Summary: A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
Home-page: http://www.djangoproject.com/
Author: Django Software Foundation
diff --git a/django/__init__.py b/django/__init__.py
index 0ceee47..f877179 100644
--- a/django/__init__.py
+++ b/django/__init__.py
@@ -1,6 +1,6 @@
from django.utils.version import get_version
-VERSION = (1, 8, 15, 'final', 0)
+VERSION = (1, 8, 16, 'final', 0)
__version__ = get_version(VERSION)
diff --git a/django/contrib/admin/bin/compress.py b/django/contrib/admin/bin/compress.py
new file mode 100644
index 0000000..7ae7ed8
--- /dev/null
+++ b/django/contrib/admin/bin/compress.py
@@ -0,0 +1,53 @@
+#!/usr/bin/env python
+import argparse
+import os
+import subprocess
+import sys
+
+js_path = os.path.join(os.path.dirname(os.path.dirname(__file__)), 'static', 'admin', 'js')
+
+
+def main():
+ description = """With no file paths given this script will automatically
+compress all jQuery-based files of the admin app. Requires the Google Closure
+Compiler library and Java version 6 or later."""
+ parser = argparse.ArgumentParser(description=description)
+ parser.add_argument('file', nargs='*')
+ parser.add_argument("-c", dest="compiler", default="~/bin/compiler.jar",
+ help="path to Closure Compiler jar file")
+ parser.add_argument("-v", "--verbose",
+ action="store_true", dest="verbose")
+ parser.add_argument("-q", "--quiet",
+ action="store_false", dest="verbose")
+ options = parser.parse_args()
+
+ compiler = os.path.expanduser(options.compiler)
+ if not os.path.exists(compiler):
+ sys.exit(
+ "Google Closure compiler jar file %s not found. Please use the -c "
+ "option to specify the path." % compiler
+ )
+
+ if not options.file:
+ if options.verbose:
+ sys.stdout.write("No filenames given; defaulting to admin scripts\n")
+ files = [os.path.join(js_path, f) for f in [
+ "actions.js", "collapse.js", "inlines.js", "prepopulate.js"]]
+ else:
+ files = options.file
+
+ for file_name in files:
+ if not file_name.endswith(".js"):
+ file_name = file_name + ".js"
+ to_compress = os.path.expanduser(file_name)
+ if os.path.exists(to_compress):
+ to_compress_min = "%s.min.js" % "".join(file_name.rsplit(".js"))
+ cmd = "java -jar %s --js %s --js_output_file %s" % (compiler, to_compress, to_compress_min)
+ if options.verbose:
+ sys.stdout.write("Running: %s\n" % cmd)
+ subprocess.call(cmd.split())
+ else:
+ sys.stdout.write("File %s not found. Sure it exists?\n" % to_compress)
+
+if __name__ == '__main__':
+ main()
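Review bot: `subprocess.call(cmd.split())` re-tokenizes a formatted command string, so any space in the compiler path (the default `~/bin/compiler.jar` is expanded to a home directory path) or in a file name splits into separate arguments and the call fails or runs against the wrong files; build the argv list directly, e.g. `subprocess.call(['java', '-jar', compiler, '--js', to_compress, '--js_output_file', to_compress_min])`, and use the list for the verbose message as well. Also, `"".join(file_name.rsplit(".js"))` removes every `.js` occurrence in the name, not only the suffix; since the loop has just ensured `file_name.endswith(".js")`, `file_name[:-3] + ".min.js"` is the clearer form.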
diff --git a/django/contrib/sitemaps/tests/test_flatpages.py b/django/contrib/sitemaps/tests/test_flatpages.py
new file mode 100644
index 0000000..36bdcf3
--- /dev/null
+++ b/django/contrib/sitemaps/tests/test_flatpages.py
@@ -0,0 +1,62 @@
+from __future__ import unicode_literals
+
+import warnings
+from unittest import skipUnless
+
+from django.apps import apps
+from django.conf import settings
+from django.contrib.sitemaps import FlatPageSitemap
+from django.test import SimpleTestCase, ignore_warnings
+from django.utils.deprecation import RemovedInDjango19Warning
+
+from .base import SitemapTestsBase
+
+
+class FlatpagesSitemapTests(SitemapTestsBase):
+
+ @ignore_warnings(category=RemovedInDjango19Warning)
+ @skipUnless(apps.is_installed('django.contrib.flatpages'),
+ "django.contrib.flatpages app not installed.")
+ def test_flatpage_sitemap(self):
+ "Basic FlatPage sitemap test"
+
+ # Import FlatPage inside the test so that when django.contrib.flatpages
+ # is not installed we don't get problems trying to delete Site
+ # objects (FlatPage has an M2M to Site, Site.delete() tries to
+ # delete related objects, but the M2M table doesn't exist.
+ from django.contrib.flatpages.models import FlatPage
+
+ public = FlatPage.objects.create(
+ url='/public/',
+ title='Public Page',
+ enable_comments=True,
+ registration_required=False,
+ )
+ public.sites.add(settings.SITE_ID)
+ private = FlatPage.objects.create(
+ url='/private/',
+ title='Private Page',
+ enable_comments=True,
+ registration_required=True
+ )
+ private.sites.add(settings.SITE_ID)
+ response = self.client.get('/flatpages/sitemap.xml')
+ # Public flatpage should be in the sitemap
+ self.assertContains(response, '<loc>%s%s</loc>' % (self.base_url, public.url))
+ # Private flatpage should not be in the sitemap
+ self.assertNotContains(response, '<loc>%s%s</loc>' % (self.base_url, private.url))
+
+
+class FlatpagesSitemapDeprecationTests(SimpleTestCase):
+
+ def test_deprecation(self):
+ with warnings.catch_warnings(record=True) as warns:
+ warnings.simplefilter('always')
+ FlatPageSitemap()
+
+ self.assertEqual(len(warns), 1)
+ self.assertEqual(
+ str(warns[0].message),
+ "'django.contrib.sitemaps.FlatPageSitemap' is deprecated. "
+ "Use 'django.contrib.flatpages.sitemaps.FlatPageSitemap' instead.",
+ )
diff --git a/django/db/backends/oracle/creation.py b/django/db/backends/oracle/creation.py
index b7373e8..28475a6 100644
--- a/django/db/backends/oracle/creation.py
+++ b/django/db/backends/oracle/creation.py
@@ -4,10 +4,10 @@ import time
from django.conf import settings
from django.db.backends.base.creation import BaseDatabaseCreation
from django.db.utils import DatabaseError
+from django.utils.crypto import get_random_string
from django.utils.six.moves import input
TEST_DATABASE_PREFIX = 'test_'
-PASSWORD = 'Im_a_lumberjack'
class DatabaseCreation(BaseDatabaseCreation):
@@ -188,7 +188,11 @@ class DatabaseCreation(BaseDatabaseCreation):
]
# Ignore "user already exists" error when keepdb is on
acceptable_ora_err = 'ORA-01920' if keepdb else None
- self._execute_allow_fail_statements(cursor, statements, parameters, verbosity, acceptable_ora_err)
+ success = self._execute_allow_fail_statements(cursor, statements, parameters, verbosity, acceptable_ora_err)
+ # If the password was randomly generated, change the user accordingly.
+ if not success and self._test_settings_get('PASSWORD') is None:
+ set_password = "ALTER USER %(user)s IDENTIFIED BY %(password)s"
+ self._execute_statements(cursor, [set_password], parameters, verbosity)
# Most test-suites can be run without the create-view privilege. But some need it.
extra = "GRANT CREATE VIEW TO %(user)s"
success = self._execute_allow_fail_statements(cursor, [extra], parameters, verbosity, 'ORA-01031')
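Review bot: the new `ALTER USER` fallback after `success = self._execute_allow_fail_statements(...)` only runs when the CREATE USER failed with the accepted `ORA-01920` (user already exists), i.e. the `--keepdb` path, and its purpose is to reset the reused test user's password to this run's random value so the later connection as that user can still authenticate; the comment "If the password was randomly generated, change the user accordingly" would be clearer if it said so. It is also worth checking that `_execute_statements` does not echo the formatted `ALTER USER %(user)s IDENTIFIED BY %(password)s` statement at higher `verbosity`, or the freshly generated password ends up in test output and CI logs.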
@@ -263,7 +267,7 @@ class DatabaseCreation(BaseDatabaseCreation):
"""
settings_dict = self.connection.settings_dict
val = settings_dict['TEST'].get(key, default)
- if val is None:
+ if val is None and prefixed:
val = TEST_DATABASE_PREFIX + settings_dict[prefixed]
return val
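Review bot: the added `and prefixed` guard is what makes the new `self._test_settings_get('PASSWORD')` call (no `default`, no `prefixed`) safe; without it a missing TEST PASSWORD would fall through to `settings_dict[None]` and raise `KeyError` instead of returning `None`. A one-line docstring note that `prefixed=None` means "no derived fallback" would make the contract explicit for other callers.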
@@ -280,7 +284,11 @@ class DatabaseCreation(BaseDatabaseCreation):
return self._test_settings_get('USER', prefixed='USER')
def _test_database_passwd(self):
- return self._test_settings_get('PASSWORD', default=PASSWORD)
+ password = self._test_settings_get('PASSWORD')
+ if password is None and self._test_user_create():
+ # Oracle passwords are limited to 30 chars and can't contain symbols.
+ password = get_random_string(length=30)
+ return password
def _test_database_tblspace(self):
return self._test_settings_get('TBLSPACE', prefixed='USER')
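Review bot: `_test_database_passwd()` now calls `get_random_string(length=30)` on every invocation when no TEST PASSWORD is configured, so two calls yield two different passwords; either memoize the generated value on the instance or make sure every consumer reads it exactly once from the `parameters` dict used for the CREATE USER / ALTER USER statements, since the step that creates the user and the step that later connects as that user must see the same value. The comment about the 30-character Oracle limit is accurate; it would help to add that the default alphabet of `get_random_string` is alphanumeric, which is why the value can be interpolated into the `IDENTIFIED BY` clause without quoting.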
diff --git a/django/http/request.py b/django/http/request.py
index 398cf20..c680a39 100644
--- a/django/http/request.py
+++ b/django/http/request.py
@@ -85,12 +85,13 @@ class HttpRequest(object):
if server_port != ('443' if self.is_secure() else '80'):
host = '%s:%s' % (host, server_port)
- # There is no hostname validation when DEBUG=True
- if settings.DEBUG:
- return host
+ # Allow variants of localhost if ALLOWED_HOSTS is empty and DEBUG=True.
+ allowed_hosts = settings.ALLOWED_HOSTS
+ if settings.DEBUG and not allowed_hosts:
+ allowed_hosts = ['localhost', '127.0.0.1', '[::1]']
domain, port = split_domain_port(host)
- if domain and validate_host(domain, settings.ALLOWED_HOSTS):
+ if domain and validate_host(domain, allowed_hosts):
return host
else:
msg = "Invalid HTTP_HOST header: %r." % host
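Review bot: the fallback list is substituted only when `allowed_hosts` is empty, so a developer whose DEBUG settings file still carries the production `ALLOWED_HOSTS` loses the implicit localhost allowance and starts seeing `Invalid HTTP_HOST header` for `localhost`; the inline comment should state that a non-empty list is now enforced even with `DEBUG=True` (the release notes do) so the error is not mistaken for a regression. The fallback entry is the bracketed `'[::1]'`, which relies on `split_domain_port` returning the domain with its brackets for a `[::1]:8000` host; a request test exercising that host form alongside `localhost` and `127.0.0.1` would pin the behaviour down.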
diff --git a/docs/_ext/cve_role.py b/docs/_ext/cve_role.py
new file mode 100644
index 0000000..254d3e6
--- /dev/null
+++ b/docs/_ext/cve_role.py
@@ -0,0 +1,27 @@
+"""
+An interpreted text role to link docs to CVE issues. To use: :cve:`XXXXX`
+"""
+from docutils import nodes, utils
+from docutils.parsers.rst import roles
+
+
+def cve_role(name, rawtext, text, lineno, inliner, options=None, content=None):
+ if options is None:
+ options = {}
+
+ url_pattern = inliner.document.settings.env.app.config.cve_url
+ if url_pattern is None:
+ msg = inliner.reporter.warning("cve not configured: please configure cve_url in conf.py")
+ prb = inliner.problematic(rawtext, rawtext, msg)
+ return [prb], [msg]
+
+ url = url_pattern % text
+ roles.set_classes(options)
+ node = nodes.reference(rawtext, utils.unescape('CVE-%s' % text), refuri=url, **options)
+ return [node], []
+
+
+def setup(app):
+ app.add_config_value('cve_url', None, 'env')
+ app.add_role('cve', cve_role)
+ return {'parallel_read_safe': True}
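Review bot: `cve_role` interpolates `text` into `cve_url` without checking its shape, so `:cve:`foo`` quietly renders a link titled `CVE-foo`; a regex check such as `\d{4}-\d{4,}` with an `inliner.reporter.warning` on mismatch would surface malformed ids at docs build time. Deriving both the link text and the URL from the single `text` value is a good change in itself, since it removes the class of copy error visible in the old hand-written `CVE-2009-3965` entry, whose URL pointed at `vulnId=CVE-2009-3695`.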
diff --git a/docs/conf.py b/docs/conf.py
index 557ccfd..1bdefc0 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -45,6 +45,7 @@ extensions = [
"sphinx.ext.intersphinx",
"sphinx.ext.viewcode",
"ticket_role",
+ "cve_role",
]
# Spelling check needs an additional module that is not installed by default.
@@ -372,5 +373,6 @@ epub_cover = ('', 'epub-cover.html')
# If false, no index is generated.
# epub_use_index = True
-# -- ticket options ------------------------------------------------------------
+# -- custom extension options --------------------------------------------------
+cve_url = 'https://web.nvd.nist.gov/view/vuln/detail?vulnId=%s'
ticket_url = 'https://code.djangoproject.com/ticket/%s'
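Review bot: `cve_url` ends in `vulnId=%s` while `cve_role` passes the bare `text` (e.g. `2007-0404`) into it, so generated links become `...vulnId=2007-0404`, whereas every hand-written link being replaced in docs/releases/security.txt used `vulnId=CVE-2007-0404`; either put the prefix in the pattern (`vulnId=CVE-%s`) or confirm that NVD resolves the unprefixed form, otherwise the whole advisory archive ends up with broken links.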
diff --git a/docs/ref/contrib/sitemaps.txt b/docs/ref/contrib/sitemaps.txt
index a0490fd..b3ce1df 100644
--- a/docs/ref/contrib/sitemaps.txt
+++ b/docs/ref/contrib/sitemaps.txt
@@ -377,7 +377,8 @@ Here's what the relevant URLconf lines would look like for the example above::
urlpatterns = [
url(r'^sitemap\.xml$', views.index, {'sitemaps': sitemaps}),
- url(r'^sitemap-(?P<section>.+)\.xml$', views.sitemap, {'sitemaps': sitemaps}),
+ url(r'^sitemap-(?P<section>.+)\.xml$', views.sitemap, {'sitemaps': sitemaps},
+ name='django.contrib.sitemaps.views.sitemap'),
]
This will automatically generate a :file:`sitemap.xml` file that references
@@ -423,7 +424,7 @@ parameter to the ``sitemap`` and ``index`` views via the URLconf::
url(r'^custom-sitemap-(?P<section>.+)\.xml$', views.sitemap, {
'sitemaps': sitemaps,
'template_name': 'custom_sitemap.html'
- }),
+ }, name='django.contrib.sitemaps.views.sitemap'),
]
diff --git a/docs/ref/models/querysets.txt b/docs/ref/models/querysets.txt
index 0eee8fc..9d45f01 100644
--- a/docs/ref/models/querysets.txt
+++ b/docs/ref/models/querysets.txt
@@ -1795,21 +1795,25 @@ the given ``kwargs``. If a match is found, it updates the fields passed in the
This is meant as a shortcut to boilerplatish code. For example::
+ defaults = {'first_name': 'Bob'}
try:
obj = Person.objects.get(first_name='John', last_name='Lennon')
- for key, value in updated_values.iteritems():
+ for key, value in defaults.items():
setattr(obj, key, value)
obj.save()
except Person.DoesNotExist:
- updated_values.update({'first_name': 'John', 'last_name': 'Lennon'})
- obj = Person(**updated_values)
+ new_values = {'first_name': 'John', 'last_name': 'Lennon'}
+ new_values.update(defaults)
+ obj = Person(**new_values)
obj.save()
This pattern gets quite unwieldy as the number of fields in a model goes up.
The above example can be rewritten using ``update_or_create()`` like so::
obj, created = Person.objects.update_or_create(
- first_name='John', last_name='Lennon', defaults=updated_values)
+ first_name='John', last_name='Lennon',
+ defaults={'first_name': 'Bob'},
+ )
For detailed description how names passed in ``kwargs`` are resolved see
:meth:`get_or_create`.
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt
index 30a2c7d..d6f6e7c 100644
--- a/docs/ref/settings.txt
+++ b/docs/ref/settings.txt
@@ -108,14 +108,18 @@ If the ``Host`` header (or ``X-Forwarded-Host`` if
list, the :meth:`django.http.HttpRequest.get_host()` method will raise
:exc:`~django.core.exceptions.SuspiciousOperation`.
-When :setting:`DEBUG` is ``True`` or when running tests, host validation is
-disabled; any host will be accepted. Thus it's usually only necessary to set it
-in production.
+When :setting:`DEBUG` is ``True`` and ``ALLOWED_HOSTS`` is empty, the host
+is validated against ``['localhost', '127.0.0.1', '[::1]']``.
This validation only applies via :meth:`~django.http.HttpRequest.get_host()`;
if your code accesses the ``Host`` header directly from ``request.META`` you
are bypassing this security protection.
+.. versionchanged:: 1.8.16
+
+ In older versions, ``ALLOWED_HOSTS`` wasn't checked if ``DEBUG=True``, but
+ it's now checked to prevent a DNS rebinding attack.
+
.. setting:: ALLOWED_INCLUDE_ROOTS
ALLOWED_INCLUDE_ROOTS
@@ -773,7 +777,11 @@ Default: ``None``
This is an Oracle-specific setting.
The password to use when connecting to the Oracle database that will be used
-when running tests. If not provided, Django will use a hardcoded default value.
+when running tests. If not provided, Django will generate a random password.
+
+.. versionchanged:: 1.8.16
+
+ Older versions used a hardcoded default password.
.. setting:: TEST_TBLSPACE
diff --git a/docs/releases/1.8.16.txt b/docs/releases/1.8.16.txt
new file mode 100644
index 0000000..9cd82d8
--- /dev/null
+++ b/docs/releases/1.8.16.txt
@@ -0,0 +1,43 @@
+===========================
+Django 1.8.16 release notes
+===========================
+
+*November 1, 2016*
+
+Django 1.8.16 fixes two security issues in 1.8.15.
+
+User with hardcoded password created when running tests on Oracle
+=================================================================
+
+When running tests with an Oracle database, Django creates a temporary database
+user. In older versions, if a password isn't manually specified in the database
+settings ``TEST`` dictionary, a hardcoded password is used. This could allow
+an attacker with network access to the database server to connect.
+
+This user is usually dropped after the test suite completes, but not when using
+the ``manage.py test --keepdb`` option or if the user has an active session
+(such as an attacker's connection).
+
+A randomly generated password is now used for each test run.
+
+DNS rebinding vulnerability when ``DEBUG=True``
+===============================================
+
+Older versions of Django don't validate the ``Host`` header against
+``settings.ALLOWED_HOSTS`` when ``settings.DEBUG=True``. This makes them
+vulnerable to a `DNS rebinding attack
+<http://benmmurphy.github.io/blog/2016/07/11/rails-webconsole-dns-rebinding/>`_.
+
+While Django doesn't ship a module that allows remote code execution, this is
+at least a cross-site scripting vector, which could be quite serious if
+developers load a copy of the production database in development or connect to
+some production services for which there's no development instance, for
+example. If a project uses a package like the ``django-debug-toolbar``, then
+the attacker could execute arbitrary SQL, which could be especially bad if the
+developers connect to the database with a superuser account.
+
+``settings.ALLOWED_HOSTS`` is now validated regardless of ``DEBUG``. For
+convenience, if ``ALLOWED_HOSTS`` is empty and ``DEBUG=True``, the following
+variations of localhost are allowed ``['localhost', '127.0.0.1', '::1']``. If
+your local settings file has your production ``ALLOWED_HOSTS`` value, you must
+now omit it to get those fallback values.
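Review bot: the fallback list quoted in the last paragraph, `['localhost', '127.0.0.1', '::1']`, does not match the code in django/http/request.py or the text added to docs/ref/settings.txt, which both use the bracketed `'[::1]'`; align the release notes to the bracketed form so readers adding the entry to their own `ALLOWED_HOSTS` copy the value the host validator actually compares against.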
diff --git a/docs/releases/1.8.txt b/docs/releases/1.8.txt
index e00c56b..083b1d1 100644
--- a/docs/releases/1.8.txt
+++ b/docs/releases/1.8.txt
@@ -1189,7 +1189,7 @@ Miscellaneous
Be careful if you upgrade to Django 1.8 and skip Django 1.7. If you run
``manage.py migrate --fake``, this migration will be skipped and you'll see
a ``RuntimeError: Error creating new content types.`` exception because the
- ``name`` column won't be dropped from the database. Use ``migrate.py migrate
+ ``name`` column won't be dropped from the database. Use ``manage.py migrate
--fake-initial`` to fake only the initial migration instead.
* :djadmin:`migrate` now accepts the :djadminopt:`--fake-initial` option to
diff --git a/docs/releases/index.txt b/docs/releases/index.txt
index b80ce58..134da0f 100644
--- a/docs/releases/index.txt
+++ b/docs/releases/index.txt
@@ -25,6 +25,7 @@ versions of the documentation contain the release notes for any later releases.
.. toctree::
:maxdepth: 1
+ 1.8.16
1.8.15
1.8.14
1.8.13
diff --git a/docs/releases/security.txt b/docs/releases/security.txt
index c7ba75f..898b7f3 100644
--- a/docs/releases/security.txt
+++ b/docs/releases/security.txt
@@ -1,5 +1,3 @@
-.. _security-releases:
-
==========================
Archive of security issues
==========================
@@ -39,25 +37,27 @@ Some security issues were handled before Django had a formalized
security process in use. For these, new releases may not have been
issued at the time and CVEs may not have been assigned.
-August 16, 2006 - CVE-2007-0404
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+August 16, 2006 - :cve:`2007-0404`
+----------------------------------
-`CVE-2007-0404 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0404&cid=3>`_: Filename validation issue in translation framework. `Full description <https://www.djangoproject.com/weblog/2006/aug/16/compilemessages/>`__
+Filename validation issue in translation framework. `Full description
+<https://www.djangoproject.com/weblog/2006/aug/16/compilemessages/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 0.90 `(patch) <https://github.com/django/django/commit/518d406e53>`__
* Django 0.91 `(patch) <https://github.com/django/django/commit/518d406e53>`__
* Django 0.95 `(patch) <https://github.com/django/django/commit/a132d411c6>`__ (released January 21 2007)
-January 21, 2007 - CVE-2007-0405
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+January 21, 2007 - :cve:`2007-0405`
+-----------------------------------
-`CVE-2007-0405 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0405&cid=3>`_: Apparent "caching" of authenticated user. `Full description <https://www.djangoproject.com/weblog/2007/jan/21/0951/>`__
+Apparent "caching" of authenticated user. `Full description
+<https://www.djangoproject.com/weblog/2007/jan/21/0951/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 0.95 `(patch) <https://github.com/django/django/commit/e89f0a6558>`__
@@ -67,650 +67,677 @@ Issues under Django's security process
All other security issues have been handled under versions of Django's
security process. These are listed below.
-October 26, 2007 - CVE-2007-5712
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+October 26, 2007 - :cve:`2007-5712`
+-----------------------------------
-`CVE-2007-5712 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-5712&cid=3>`_: Denial-of-service via arbitrarily-large ``Accept-Language`` header. `Full description <https://www.djangoproject.com/weblog/2007/oct/26/security-fix/>`__
+Denial-of-service via arbitrarily-large ``Accept-Language`` header. `Full
+description <https://www.djangoproject.com/weblog/2007/oct/26/security-fix/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 0.91 `(patch) <https://github.com/django/django/commit/8bc36e726c9e8c75c681d3ad232df8e882aaac81>`__
* Django 0.95 `(patch) <https://github.com/django/django/commit/412ed22502e11c50dbfee854627594f0e7e2c234>`__
* Django 0.96 `(patch) <https://github.com/django/django/commit/7dd2dd08a79e388732ce00e2b5514f15bd6d0f6f>`__
-May 14, 2008 - CVE-2008-2302
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+May 14, 2008 - :cve:`2008-2302`
+-------------------------------
-`CVE-2008-2302 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2302&cid=3>`_: XSS via admin login redirect. `Full description <https://www.djangoproject.com/weblog/2008/may/14/security/>`__
+XSS via admin login redirect. `Full description
+<https://www.djangoproject.com/weblog/2008/may/14/security/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 0.91 `(patch) <https://github.com/django/django/commit/50ce7fb57d>`__
* Django 0.95 `(patch) <https://github.com/django/django/commit/50ce7fb57d>`__
* Django 0.96 `(patch) <https://github.com/django/django/commit/7791e5c050>`__
-September 2, 2008 - CVE-2008-3909
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+September 2, 2008 - :cve:`2008-3909`
+------------------------------------
-`CVE-2008-3909 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3909&cid=3>`_: CSRF via preservation of POST data during admin login. `Full description <https://www.djangoproject.com/weblog/2008/sep/02/security/>`__
+CSRF via preservation of POST data during admin login. `Full description
+<https://www.djangoproject.com/weblog/2008/sep/02/security/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 0.91 `(patch) <https://github.com/django/django/commit/44debfeaa4473bd28872c735dd3d9afde6886752>`__
* Django 0.95 `(patch) <https://github.com/django/django/commit/aee48854a164382c655acb9f18b3c06c3d238e81>`__
* Django 0.96 `(patch) <https://github.com/django/django/commit/7e0972bded362bc4b851c109df2c8a6548481a8e>`__
-July 28, 2009 - CVE-2009-2659
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+July 28, 2009 - :cve:`2009-2659`
+--------------------------------
-`CVE-2009-2659 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2659&cid=3>`_: Directory-traversal in development server media handler. `Full description <https://www.djangoproject.com/weblog/2009/jul/28/security/>`__
+Directory-traversal in development server media handler. `Full description
+<https://www.djangoproject.com/weblog/2009/jul/28/security/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 0.96 `(patch) <https://github.com/django/django/commit/da85d76fd6>`__
* Django 1.0 `(patch) <https://github.com/django/django/commit/df7f917b7f>`__
-October 9, 2009 - CVE-2009-3965
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+October 9, 2009 - :cve:`2009-3965`
+----------------------------------
-`CVE-2009-3965 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3695&cid=3>`_: Denial-of-service via pathological regular expression performance. `Full description <https://www.djangoproject.com/weblog/2009/oct/09/security/>`__
+Denial-of-service via pathological regular expression performance. `Full
+description <https://www.djangoproject.com/weblog/2009/oct/09/security/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.0 `(patch) <https://github.com/django/django/commit/594a28a904>`__
* Django 1.1 `(patch) <https://github.com/django/django/commit/e3e992e18b>`__
-September 8, 2010 - CVE-2010-3082
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+September 8, 2010 - :cve:`2010-3082`
+------------------------------------
-`CVE-2010-3082 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3082&cid=3>`_: XSS via trusting unsafe cookie value. `Full description <https://www.djangoproject.com/weblog/2010/sep/08/security-release/>`__
+XSS via trusting unsafe cookie value. `Full description
+<https://www.djangoproject.com/weblog/2010/sep/08/security-release/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.2 `(patch) <https://github.com/django/django/commit/7f84657b6b>`__
-December 22, 2010 - CVE-2010-4534
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+December 22, 2010 - :cve:`2010-4534`
+------------------------------------
-`CVE-2010-4534 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4534&cid=3>`_: Information leakage in administrative interface. `Full description <https://www.djangoproject.com/weblog/2010/dec/22/security/>`__
+Information leakage in administrative interface. `Full description
+<https://www.djangoproject.com/weblog/2010/dec/22/security/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.1 `(patch) <https://github.com/django/django/commit/17084839fd>`__
* Django 1.2 `(patch) <https://github.com/django/django/commit/85207a245b>`__
-December 22, 2010 - CVE-2010-4535
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+December 22, 2010 - :cve:`2010-4535`
+------------------------------------
-`CVE-2010-4535 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4535&cid=2>`_: Denial-of-service in password-reset mechanism. `Full description <https://www.djangoproject.com/weblog/2010/dec/22/security/>`__
+Denial-of-service in password-reset mechanism. `Full description
+<https://www.djangoproject.com/weblog/2010/dec/22/security/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.1 `(patch) <https://github.com/django/django/commit/7f8dd9cbac>`__
* Django 1.2 `(patch) <https://github.com/django/django/commit/d5d8942a16>`__
-February 8, 2011 - CVE-2011-0696
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+February 8, 2011 - :cve:`2011-0696`
+-----------------------------------
-`CVE-2011-0696 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0696&cid=2>`_: CSRF via forged HTTP headers. `Full description <https://www.djangoproject.com/weblog/2011/feb/08/security/>`__
+CSRF via forged HTTP headers. `Full description
+<https://www.djangoproject.com/weblog/2011/feb/08/security/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.1 `(patch) <https://github.com/django/django/commit/408c5c873c>`__
* Django 1.2 `(patch) <https://github.com/django/django/commit/818e70344e>`__
-February 8, 2011 - CVE-2011-0697
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+February 8, 2011 - :cve:`2011-0697`
+-----------------------------------
-`CVE-2011-0697 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0697&cid=2>`_: XSS via unsanitized names of uploaded files. `Full description <https://www.djangoproject.com/weblog/2011/feb/08/security/>`__
+XSS via unsanitized names of uploaded files. `Full description
+<https://www.djangoproject.com/weblog/2011/feb/08/security/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.1 `(patch) <https://github.com/django/django/commit/1966786d2d>`__
* Django 1.2 `(patch) <https://github.com/django/django/commit/1f814a9547>`__
-February 8, 2011 - CVE-2011-0698
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+February 8, 2011 - :cve:`2011-0698`
+-----------------------------------
-`CVE-2011-0698 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0698&cid=2>`_: Directory-traversal on Windows via incorrect path-separator handling. `Full description <https://www.djangoproject.com/weblog/2011/feb/08/security/>`__
+Directory-traversal on Windows via incorrect path-separator handling. `Full
+description <https://www.djangoproject.com/weblog/2011/feb/08/security/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.1 `(patch) <https://github.com/django/django/commit/570a32a047>`__
* Django 1.2 `(patch) <https://github.com/django/django/commit/194566480b>`__
-September 9, 2011 - CVE-2011-4136
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+September 9, 2011 - :cve:`2011-4136`
+------------------------------------
-`CVE-2011-4136 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4136&cid=2>`_: Session manipulation when using memory-cache-backed session. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
+Session manipulation when using memory-cache-backed session. `Full description
+<https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.2 `(patch) <https://github.com/django/django/commit/ac7c3a110f>`__
* Django 1.3 `(patch) <https://github.com/django/django/commit/fbe2eead2f>`__
-September 9, 2011 - CVE-2011-4137
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+September 9, 2011 - :cve:`2011-4137`
+------------------------------------
-`CVE-2011-4137 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4137&cid=2>`_: Denial-of-service via via ``URLField.verify_exists``. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
+Denial-of-service via ``URLField.verify_exists``. `Full description
+<https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.2 `(patch) <https://github.com/django/django/commit/7268f8af86>`__
* Django 1.3 `(patch) <https://github.com/django/django/commit/1a76dbefdf>`__
-September 9, 2011 - CVE-2011-4138
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+September 9, 2011 - :cve:`2011-4138`
+------------------------------------
-`CVE-2011-4138 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4138&cid=2>`_: Information leakage/arbitrary request issuance via ``URLField.verify_exists``. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
+Information leakage/arbitrary request issuance via ``URLField.verify_exists``.
+`Full description
+<https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.2: `(patch) <https://github.com/django/django/commit/7268f8af86>`__
* Django 1.3: `(patch) <https://github.com/django/django/commit/1a76dbefdf>`__
-September 9, 2011 - CVE-2011-4139
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+September 9, 2011 - :cve:`2011-4139`
+------------------------------------
-`CVE-2011-4139 <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4139&cid=2>`_: ``Host`` header cache poisoning. `Full description <https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
+``Host`` header cache poisoning. `Full description
+<https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/>`__
Versions affected
------------------
+~~~~~~~~~~~~~~~~~
* Django 1.2 `(patch) <https://github.com/django/django/commit/c613af4d64>`__
* Django 1.3 `(patch) <https://github.com/django/django/commit/2f7fadc38e>`__
-September 9, 2011 - CVE-2011-4140
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
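Review bot: the removed link line for CVE-2009-3965 pointed at `vulnId=CVE-2009-3695` (digits transposed), so moving to the `:cve:` role also repairs a broken NVD link; that is worth a line in the commit message since it is a content fix, not just markup. The unchanged context lines under CVE-2011-4138 still read `* Django 1.2: \`(patch) ...` and `* Django 1.3: \`(patch) ...` with a trailing colon after the version, unlike every other "Versions affected" entry in this hunk; drop the colons while this file is being touched. Also confirm each new `----` / `~~~~` underline matches its title width (34 dashes under "October 9, 2009 - :cve:`2009-3965`", 17 tildes under "Versions affected"), since docutils warns on short underlines and the level swap from `~` to `-` for the date headings only renders correctly if the widths are consistent throughout.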
... 790 lines suppressed ...
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/python-modules/packages/python-django.git