August 18, 2015
Django 1.8.4 fixes a security issue and several bugs in 1.8.3.
logout()view by filling session store¶
Previously, a session could be created when anonymously accessing the
django.contrib.auth.views.logout() view (provided it wasn't decorated
login_required() as done in the
admin). This could allow an attacker to easily create many new session records
by sending repeated requests, potentially filling up the session store or
causing other users' session records to be evicted.
TEMPLATE_*settings are defined in addition to the new
InvalidQueryis not raised when using the
db_columnname of a
TestCase.setUpTestData()from leaking the transaction (#25176).
Model.save()to allow easier usage of in-memory models (#25160).