May 20, 2015
Django 1.8.2 fixes a security issue and several bugs in 1.8.1.
A change to
session.flush() in the
cached_db session backend in Django
1.8 mistakenly sets the session key to an empty string rather than
empty string is treated as a valid session key and the session cookie is set
accordingly. Any users with an empty string in their session cookie will use
the same session store.
session.flush() is called by
django.contrib.auth.logout() and, more seriously, by
django.contrib.auth.login() when a user switches accounts. If a user is
logged in and logs in again to a different account (without logging out) the
session is flushed to avoid reuse. After the session is flushed (and its
session key becomes
'') the account details are set on the session and the
session is saved. Any users with an empty string in their session cookie will
now be logged into that account.
Caseinstance in a query (#24752).
Caseexpressions. For example, annotating a query with a
Caseexpression could unexpectedly filter out results (#24766).
Qobjects in expressions. Cases like
Case(When(~Q(friends__age__lte=30)))tried to generate a subquery which resulted in a crash (#24705).
ForeignKeys pointing to
UUIDFieldand inheritance on models with
UUIDFieldprimary keys work correctly (#24698, #24712).
postgresdatabase, Django now falls back to the default database when it normally requires a "no database" connection (#24791).
ForeignKeywidget when it's used in a row with other fields (#24784).