CVE-2018-6188: Information leakage in AuthenticationForm¶

A regression in Django 1.11.8 made AuthenticationForm run its confirm_login_allowed() method even if an incorrect password is entered. This can leak information about a user, depending on what messages confirm_login_allowed() raises. If confirm_login_allowed() isn’t overridden, an attacker enter an arbitrary username and see if that user has been set to is_active=False. If confirm_login_allowed() is overridden, more sensitive details could be leaked.

This issue is fixed with the caveat that AuthenticationForm can no longer raise the « This account is inactive. » error if the authentication backend rejects inactive users (the default authentication backend, ModelBackend, has done that since Django 1.10). This issue will be revisited for Django 2.1 as a fix to address the caveat will likely be too invasive for inclusion in older versions.

Correction de bogues¶

• Fixed hidden content at the bottom of the « The install worked successfully! » page for some languages (#28885).
• Fixed incorrect foreign key nullification if a model has two foreign keys to the same model and a target model is deleted (#29016).
• Fixed regression in the use of QuerySet.values_list(..., flat=True) followed by annotate() (#29067).
• Fixed a regression where a queryset that annotates with geometry objects crashes (#29054).
• Fixed a regression where contrib.auth.authenticate() crashes if an authentication backend doesn’t accept request and a later one does (#29071).
• Fixed a regression where makemigrations crashes if a migrations directory doesn’t have an __init__.py file (#29091).
• Fixed crash when entering an invalid uuid in ModelAdmin.raw_id_fields (#29094).