Django 2.0.8 リリースノート

2018年8月1日

Django 2.0.8 では、2.0.7 にあった1つのセキュリティの問題と、いくつかのバグを修正しました。

CVE-2018-14574: CommonMiddleware に対するオープンリダイレクトの可能性

If the CommonMiddleware and the APPEND_SLASH setting are both enabled, and if the project has a URL pattern that accepts any path ending in a slash (many content management systems have such a pattern), then a request to a maliciously crafted URL of that site could lead to a redirect to another site, enabling phishing and other attacks.

CommonMiddleware now escapes leading slashes to prevent redirects to other domains.

Bugfixes

  • Fixed a regression in Django 2.0.7 that broke the regex lookup on MariaDB (even though MariaDB isn't officially supported) (#29544).
  • Fixed a regression where django.template.Template crashed if the template_string argument is lazy (#29617).