==========================
Django 1.8.7 release notes
==========================

*November 24, 2015*

Django 1.8.7 fixes a security issue and several bugs in 1.8.6.

Additionally, Django's vendored version of six, ``django.utils.six``, has been
upgraded to the latest release (1.10.0).

Fixed settings leak possibility in ``date`` template filter
===========================================================

If an application allows users to specify an unvalidated format for dates and
passes this format to the :tfilter:`date` filter, e.g.
``{{ last_updated|date:user_date_format }}``, then a malicious user could obtain
any secret in the application's settings by specifying a settings key instead
of a date format, e.g. ``"SECRET_KEY"`` instead of ``"j/m/Y"``.

To remedy this, the underlying function used by the ``date`` template filter,
``django.utils.formats.get_format()``, now only allows accessing the date/time
formatting settings.

Bugfixes
========

* Fixed a crash of the debug view during the autumn DST change when
  :setting:`USE_TZ` is ``False`` and ``pytz`` is installed.

* Fixed a regression in 1.8.6 that caused database routers without an
  ``allow_migrate()`` method to crash (:ticket:`25686`).

* Fixed a regression in 1.8.6 by restoring the ability to use ``Manager``
  objects for the ``queryset`` argument of ``ModelChoiceField``
  (:ticket:`25683`).

* Fixed a regression in 1.8.6 that caused an application with South migrations
  in the ``migrations`` directory to fail (:ticket:`25618`).

* Fixed a data loss possibility with :class:`~django.db.models.Prefetch` if
  ``to_attr`` is set to a ``ManyToManyField`` (:ticket:`25693`).

* Fixed a regression in 1.8 by making ``gettext()`` once again return UTF-8
  bytestrings on Python 2 if the input is a bytestring (:ticket:`25720`).

* Fixed serialization of
  :class:`~django.contrib.postgres.fields.DateRangeField` and
  :class:`~django.contrib.postgres.fields.DateTimeRangeField`
  (:ticket:`24937`).

* Fixed the exact lookup of ``ArrayField`` (:ticket:`25666`).

* Fixed ``Model.refresh_from_db()`` updating of ``ForeignKey`` fields with
  ``on_delete=models.SET_NULL`` (:ticket:`25715`).

* Fixed a duplicate query regression in 1.8 on proxied model deletion
  (:ticket:`25685`).

* Fixed ``set_FOO_order()`` crash when the ``ForeignKey`` of a model with
  ``order_with_respect_to`` references a model with a ``OneToOneField``
  primary key (:ticket:`25786`).

* Fixed incorrect validation for ``PositiveIntegerField`` and
  ``PositiveSmallIntegerField`` on MySQL resulting in values greater than
  4294967295 or 65535, respectively, passing validation and being silently
  truncated by the database (:ticket:`25767`).
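The following is an added, self-contained illustration of the ``date`` filter
settings leak described above and of the 1.8.7 remedy; it is not Django's code.
``get_format_before_fix()`` and ``get_format_after_fix()`` are simplified models
of the old and new ``django.utils.formats.get_format()`` behaviour, the
``FORMAT_SETTINGS`` set is an assumption modelled on Django's list of date/time
formatting settings rather than copied from it, the ``SETTINGS`` dict and the
secret value are constructed, and ``render_date()`` implements only a handful
of Django's date-format characters. ``choose_user_format()`` shows the
application-side defence the section implies: map a user's choice onto an
allowlist instead of passing raw input to the filter.

```python
import datetime

# Constructed stand-in for a project's settings module (not a real project).
SETTINGS = {
    "SECRET_KEY": "CONSTRUCTED-SECRET-0123",
    "DATE_FORMAT": "F j, Y",
    "SHORT_DATE_FORMAT": "m/d/Y",
}

# Names that get_format() may resolve after the fix. Assumption: modelled on
# Django's date/time formatting settings, not copied from Django's source.
FORMAT_SETTINGS = frozenset({
    "DECIMAL_SEPARATOR", "THOUSAND_SEPARATOR", "NUMBER_GROUPING",
    "FIRST_DAY_OF_WEEK", "MONTH_DAY_FORMAT", "TIME_FORMAT", "DATE_FORMAT",
    "DATETIME_FORMAT", "SHORT_DATE_FORMAT", "SHORT_DATETIME_FORMAT",
    "YEAR_MONTH_FORMAT", "DATE_INPUT_FORMATS", "TIME_INPUT_FORMATS",
    "DATETIME_INPUT_FORMATS",
})


def get_format_before_fix(format_type):
    """Simplified pre-1.8.7 behaviour: any settings name resolves to its value,
    so a user-supplied "SECRET_KEY" becomes the secret itself."""
    return SETTINGS.get(format_type, format_type)


def get_format_after_fix(format_type):
    """Simplified 1.8.7 behaviour: only date/time formatting settings resolve;
    every other string is used as a literal format."""
    if format_type in FORMAT_SETTINGS:
        return SETTINGS.get(format_type, format_type)
    return format_type


# Toy renderer for a few Django date-format characters. Unknown characters
# pass through unchanged, which is what makes a leaked value readable.
_TOKENS = {
    "j": lambda d: str(d.day),
    "d": lambda d: "%02d" % d.day,
    "n": lambda d: str(d.month),
    "m": lambda d: "%02d" % d.month,
    "F": lambda d: d.strftime("%B"),
    "Y": lambda d: str(d.year),
    "y": lambda d: "%02d" % (d.year % 100),
}


def render_date(value, user_format, get_format):
    """Model of {{ value|date:user_format }} with a pluggable get_format()."""
    fmt = get_format(user_format)
    return "".join(_TOKENS[c](value) if c in _TOKENS else c for c in fmt)


# Application-side defence: never hand raw user input to the filter. Map a
# short, user-visible choice onto a fixed allowlist of formats instead.
ALLOWED_USER_FORMATS = {
    "dmy": "j/m/Y",
    "mdy": "SHORT_DATE_FORMAT",
    "long": "DATE_FORMAT",
}


def choose_user_format(choice, default="long"):
    """Return an allowlisted format for the user's choice, or the default."""
    return ALLOWED_USER_FORMATS.get(choice, ALLOWED_USER_FORMATS[default])


if __name__ == "__main__":
    day = datetime.date(2015, 11, 24)
    print("before fix:", render_date(day, "SECRET_KEY", get_format_before_fix))
    print("after fix: ", render_date(day, "SECRET_KEY", get_format_after_fix))
    print("allowlist: ", render_date(day, choose_user_format("SECRET_KEY"),
                                      get_format_after_fix))
```

Run stand-alone, the first line shows the constructed secret reaching the
rendered page, the second shows the same input treated as a literal format
after the fix, and the third shows that an allowlist makes the input harmless
regardless of the Django version in use.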