August 13, 2013
This is Django 1.5.2, a bugfix and security release for Django 1.5.
Django relies on user input in some cases (e.g. i18n) to redirect the user to an "on success" URL. The security checks for these redirects (namely django.utils.http.is_safe_url()) didn't check if the scheme is http(s) and as such allowed javascript: URLs to be entered. If a developer relied on is_safe_url() to provide safe redirect targets and put such a URL into a link, they could suffer from a XSS attack. This bug doesn't affect Django currently, since we only put this URL into the Location response header and browsers seem to ignore JavaScript there.
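As an added example (not Django's own code), a simplified redirect-target check that contrasts a host-only check with one that also restricts the scheme, which is the gap described above; the function names, the allowed-scheme list and the control-character rejection are assumptions of this example, not Django's implementation.

```python
from urllib.parse import urlparse

# Example code, not django.utils.http.is_safe_url(). Shows why a redirect
# check that only looks at the host lets a scheme-only URL through, and
# what a scheme-aware check does differently.


def host_only_check(url, host):
    """Weak pattern: accepts any URL that is relative or on our host,
    without ever looking at the scheme."""
    if not url:
        return False
    parsed = urlparse(url)
    return not parsed.netloc or parsed.netloc == host


def is_safe_redirect(url, host, allowed_schemes=("http", "https")):
    """Hardened pattern (assumed policy): the target must be relative or
    on our host, and if it carries a scheme, that scheme must be http(s)."""
    if not url:
        return False
    url = url.strip()
    # Reject embedded whitespace/control characters: browsers may strip
    # them inside a scheme, so a parser and a browser could disagree.
    if any(c.isspace() or ord(c) < 32 for c in url):
        return False
    parsed = urlparse(url)
    # Protocol-relative (//other.host/) and foreign hosts are rejected here.
    if parsed.netloc and parsed.netloc != host:
        return False
    # A URL with a scheme but no netloc (e.g. a javascript: URL) has a
    # scheme outside the allow-list and is rejected here.
    if parsed.scheme and parsed.scheme.lower() not in allowed_schemes:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs for a site whose host is "example.com".
    for target in ("/accounts/profile/", "https://example.com/profile/",
                   "https://evil.example/", "//evil.example/",
                   "javascript:alert(1)"):
        print(f"{target!r:32} host-only={host_only_check(target, 'example.com')!s:5}"
              f" scheme-aware={is_safe_redirect(target, 'example.com')}")
```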
When a URLField is used in Django 1.5, the admin's widget for it displays the current value of the field and a link to the target on the admin change page. The display routine of this widget was flawed and allowed for XSS.
Bugfixes in this release:

- Fixed a crash with prefetch_related() (#19607) as well as some pickle regressions with prefetch_related (#20157 and #20257).
- Fixed a regression in django.contrib.gis in the Google Map output on Python 3 (#20773).
- Made DjangoTestSuiteRunner.setup_databases properly handle aliases for the default database (#19940) and prevented teardown_databases from attempting to tear down aliases (#20681).
- Fixed the database cache backend's get_many() method on Python 3 (#20722).
- Fixed django.contrib.humanize translation syntax errors. Affected languages: Mexican Spanish, Mongolian, Romanian, Turkish (#20695).
- Fixed a bug where get() exceptions recursed infinitely (#20278).
- makemessages no longer crashes with
- Fixed geojson detection with SpatiaLite.
- assertContains() once again works with binary content (#20237).
- ManyToManyField if it has a Unicode
- Ensured that the request's path is correct under different settings for the SCRIPT_NAME environment variable or the FORCE_SCRIPT_NAME setting, regardless of whether or not either has a trailing slash (#20169).
- Fixed an obscure bug with the override_settings() decorator. If you hit an AttributeError: 'Settings' object has no attribute '_original_allowed_hosts' exception, it's probably fixed (#20636).