Fixed settings leak possibility in date template filter¶

If an application allows users to specify an unvalidated format for dates and passes this format to the date filter, e.g. {{ last_updated|date:user_date_format }}, then a malicious user could obtain any secret in the application’s settings by specifying a settings key instead of a date format. e.g. "SECRET_KEY" instead of "j/m/Y".

To remedy this, the underlying function used by the date template filter, django.utils.formats.get_format(), now only allows accessing the date/time formatting settings.

Bugfixes¶

• Fixed a crash of the debug view during the autumn DST change when USE_TZ is False and pytz is installed.
• Fixed a regression in 1.8.6 that caused database routers without an allow_migrate() method to crash (#25686).
• Fixed a regression in 1.8.6 by restoring the ability to use Manager objects for the queryset argument of ModelChoiceField (#25683).
• Fixed a regression in 1.8.6 that caused an application with South migrations in the migrations directory to fail (#25618).
• Fixed a data loss possibility with Prefetch if to_attr is set to a ManyToManyField (#25693).
• Fixed a regression in 1.8 by making gettext() once again return UTF-8 bytestrings on Python 2 if the input is a bytestring (#25720).
• Fixed serialization of DateRangeField and DateTimeRangeField (#24937).
• Fixed the exact lookup of ArrayField (#25666).
• Fixed Model.refresh_from_db() updating of ForeignKey fields with on_delete=models.SET_NULL (#25715).
• Fixed a duplicate query regression in 1.8 on proxied model deletion (#25685).
• Fixed set_FOO_order() crash when the ForeignKey of a model with order_with_respect_to references a model with a OneToOneField primary key (#25786).
• Fixed incorrect validation for PositiveIntegerField and PositiveSmallIntegerField on MySQL resulting in values greater than 4294967295 or 65535, respectively, passing validation and being silently truncated by the database (#25767).