Notes de publication de Django 2.0.2¶
February 1, 2018
Django 2.0.2 fixes a security issue and several bugs in 2.0.1.
CVE-2018-6188: Information leakage in AuthenticationForm
¶
A regression in Django 1.11.8 made
AuthenticationForm
run its
confirm_login_allowed()
method even if an incorrect password is entered.
This can leak information about a user, depending on what messages
confirm_login_allowed()
raises. If confirm_login_allowed()
isn’t
overridden, an attacker enter an arbitrary username and see if that user has
been set to is_active=False
. If confirm_login_allowed()
is overridden,
more sensitive details could be leaked.
This issue is fixed with the caveat that AuthenticationForm
can no longer
raise the « This account is inactive. » error if the authentication backend
rejects inactive users (the default authentication backend, ModelBackend
,
has done that since Django 1.10). This issue will be revisited for Django 2.1
as a fix to address the caveat will likely be too invasive for inclusion in
older versions.
Correction de bogues¶
- Fixed hidden content at the bottom of the « The install worked successfully! » page for some languages (#28885).
- Fixed incorrect foreign key nullification if a model has two foreign keys to the same model and a target model is deleted (#29016).
- Fixed regression in the use of
QuerySet.values_list(..., flat=True)
followed byannotate()
(#29067). - Fixed a regression where a queryset that annotates with geometry objects crashes (#29054).
- Fixed a regression where
contrib.auth.authenticate()
crashes if an authentication backend doesn’t acceptrequest
and a later one does (#29071). - Fixed a regression where
makemigrations
crashes if a migrations directory doesn’t have an__init__.py
file (#29091). - Fixed crash when entering an invalid uuid in
ModelAdmin.raw_id_fields
(#29094).