November 24, 2015
Django 1.8.7 fixes a security issue and several bugs in 1.8.6.
Additionally, Django’s vendored version of six, django.utils.six, has
been upgraded to the latest release (1.10.0).
date template filter

If an application allows users to specify an unvalidated format for dates and
passes this format to the date filter, e.g.
{{ last_updated|date:user_date_format }}, then a malicious user could
obtain any secret in the application's settings by specifying a settings key
instead of a date format, e.g. "SECRET_KEY" instead of "j/m/Y".

To remedy this, the underlying function used by the date template filter,
django.utils.formats.get_format(), now only allows accessing the date/time
formatting settings.
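The following is an added example, not code from Django or from these release notes. It contrasts the pre-fix shape of the format lookup (any settings attribute readable by name) with the post-fix shape (a fixed allowlist of formatting settings, everything else treated as a literal format string), and shows the application-side mitigation of mapping a user's choice onto a fixed set of formats instead of passing free-form input to the filter. The Settings class, SECRET_KEY value, the membership of FORMAT_SETTINGS, the reduced date formatter and the helper names are all constructed assumptions for the demonstration.

```python
from datetime import datetime


class Settings:
    """Constructed stand-in for a Django settings module (sample values only)."""
    SECRET_KEY = "constructed-secret-value"   # the value that must never reach a template
    DATE_FORMAT = "Y-m-d"
    SHORT_DATE_FORMAT = "m/d/y"


settings = Settings()

# Allowlist of names a format lookup may resolve. This mirrors the approach of
# the 1.8.7 fix; the exact membership here is an assumption for the example.
FORMAT_SETTINGS = frozenset({
    "DATE_FORMAT", "DATETIME_FORMAT", "TIME_FORMAT",
    "SHORT_DATE_FORMAT", "SHORT_DATETIME_FORMAT",
    "YEAR_MONTH_FORMAT", "MONTH_DAY_FORMAT",
    "DATE_INPUT_FORMATS", "TIME_INPUT_FORMATS", "DATETIME_INPUT_FORMATS",
    "DECIMAL_SEPARATOR", "THOUSAND_SEPARATOR", "NUMBER_GROUPING",
    "FIRST_DAY_OF_WEEK",
})


def get_format_vulnerable(format_type):
    """Pre-fix shape of the lookup: any settings attribute is readable by name."""
    return getattr(settings, format_type, format_type)


def get_format_fixed(format_type):
    """Post-fix shape: only allowlisted names resolve; anything else is a literal."""
    if format_type not in FORMAT_SETTINGS:
        return format_type
    return getattr(settings, format_type)


# Reduced subset of date format characters for the demonstration. Characters
# without a handler pass through unchanged.
_FORMAT_CHARS = {
    "d": lambda dt: "%02d" % dt.day,
    "j": lambda dt: str(dt.day),
    "m": lambda dt: "%02d" % dt.month,
    "n": lambda dt: str(dt.month),
    "Y": lambda dt: str(dt.year),
    "y": lambda dt: "%02d" % (dt.year % 100),
}


def format_date(dt, fmt):
    """Format dt according to fmt using the reduced character table above."""
    out = []
    for ch in fmt:
        handler = _FORMAT_CHARS.get(ch)
        out.append(handler(dt) if handler else ch)
    return "".join(out)


def render_date_filter(dt, arg, lookup):
    """Emulates {{ dt|date:arg }}: resolve arg through lookup, then format."""
    return format_date(dt, lookup(arg))


# Application-side mitigation: never hand a free-form user string to the
# filter. Map a user's choice onto a fixed set of formats instead.
USER_DATE_FORMAT_CHOICES = {
    "iso": "Y-m-d",
    "us": "m/d/Y",
    "eu": "d/m/Y",
}


def user_date_format(choice, default="iso"):
    """Return the format for a user's choice, falling back to a safe default."""
    return USER_DATE_FORMAT_CHOICES.get(choice, USER_DATE_FORMAT_CHOICES[default])


# Constructed sample input used by the demonstration below.
SAMPLE_DATE = datetime(2015, 11, 24)


if __name__ == "__main__":
    print(render_date_filter(SAMPLE_DATE, "j/m/Y", get_format_fixed))        # 24/11/2015
    print(render_date_filter(SAMPLE_DATE, "DATE_FORMAT", get_format_fixed))  # 2015-11-24
    print(repr(get_format_vulnerable("SECRET_KEY")))   # the secret, fetched by name
    print(render_date_filter(SAMPLE_DATE, "SECRET_KEY", get_format_fixed))   # SECRET_KE2015
    print(user_date_format("SECRET_KEY"))              # Y-m-d (unknown choice -> default)
```

With the fixed lookup, "SECRET_KEY" is no longer a settings name but a literal format string, so only its format characters are substituted and the secret never enters the rendered output. The choice map removes the problem one layer earlier: the template only ever receives one of the three known format strings, whatever the user submits.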
Bugfixes

- … USE_TZ is False and pytz is installed.
- … allow_migrate() method to crash (#25686).
- … Manager objects for the queryset argument of ModelChoiceField (#25683).
- … migrations directory to fail (#25618).
- … Prefetch if to_attr is set to a ManyToManyField (#25693).
- … gettext() once again return UTF-8 bytestrings on Python 2 if the input is a bytestring (#25720).
- … DateRangeField and DateTimeRangeField (#24937).
- … ArrayField (#25666).
- … Model.refresh_from_db() updating of ForeignKey fields with on_delete=models.SET_NULL (#25715).
- … set_FOO_order() crash when the ForeignKey of a model with order_with_respect_to references a model with a OneToOneField primary key (#25786).
- … PositiveIntegerField and PositiveSmallIntegerField on MySQL resulting in values greater than 4294967295 or 65535, respectively, passing validation and being silently truncated by the database (#25767).