Django 1.7.11 release notes

November 24, 2015

Django 1.7.11 fixes a security issue and a data loss bug in 1.7.10.

Fixed settings leak possibility in date template filter

If an application allows users to specify an unvalidated format for dates and passes this format to the date filter, e.g. {{ last_updated|date:user_date_format }}, then a malicious user could obtain any secret in the application’s settings by specifying a settings key instead of a date format. e.g. "SECRET_KEY" instead of "j/m/Y".

To remedy this, the underlying function used by the date template filter, django.utils.formats.get_format(), now only allows accessing the date/time formatting settings.

Bugfixes

  • Fixed a data loss possibility with Prefetch if to_attr is set to a ManyToManyField (#25693).