Django 1.2.4 release notes

    This is the fourth “bugfix” release in the Django 1.2 series, improving the stability and performance of the Django 1.2 codebase.

    With one exception, Django 1.2.4 maintains backwards compatibility with Django 1.2.3. It also contains a number of fixes and other improvements. Django 1.2.4 is a recommended upgrade for any development or deployment currently using or targeting Django 1.2.

    For full details on the new features, backwards incompatibilities, and deprecated features in the 1.2 branch, see the Django 1.2 release notes.

    One historically undocumented and unofficially supported feature has been the ability for a user with sufficient knowledge of a model's structure and of the format of the querystring lookup arguments to invent new filters on the fly by editing the querystring of an admin changelist URL.

    However, it has been demonstrated that this can be abused to gain access to information outside of an admin user's permissions. For example, an attacker with access to the admin and sufficient knowledge of model structure and relations could construct querystrings which, through repeated use of the regular-expression lookups supported by the Django database API (each filter acting as a yes/no oracle on a value the attacker is not permitted to see), expose sensitive information such as users' password hashes.

    To remedy this, the admin will now validate that querystring lookup arguments either specify only fields on the model being viewed, or cross relations which the application developer has explicitly allowed through the admin's existing filter configuration. This is backwards-incompatible for any users relying on the prior ability to insert arbitrary lookups.
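The following is an added, self-contained illustration of the two paragraphs above; it is not Django code. It models an admin changelist over an in-memory Document model related to a User model, applies querystring lookups the way the pre-1.2.4 admin did, shows how an anchored `__regex` filter becomes a character-by-character oracle for a related user's password hash, and contrasts that with a validation rule in the spirit of the 1.2.4 fix. All data is constructed (the hash strings only mimic the `sha1$salt$digest` shape) and the names `DOCUMENT_FIELDS`, `ALLOWED_RELATION_PATHS`, `changelist`, `lookup_allowed` and `recover_hash` are assumptions of this example, not names in Django.

```python
import re
from urllib.parse import parse_qs, quote

# Constructed sample data (not real accounts or hashes): an admin changelist
# of Document rows, each related to a User whose password hash must stay
# private. Hashes are made up in Django 1.2's "sha1$salt$hexdigest" shape.
USERS = {
    1: {"username": "alice",
        "password": "sha1$4a2b$0a1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3"},
    2: {"username": "bob",
        "password": "sha1$c0ff$ffeeddccbbaa99887766554433221100ab12cd34"},
}
DOCUMENTS = [
    {"id": 1, "title": "Q1 report", "author": 1},
    {"id": 2, "title": "Roadmap", "author": 2},
    {"id": 3, "title": "Minutes", "author": 1},
]
DOCUMENT_FIELDS = {"id", "title", "author"}   # fields on the model being viewed
RELATIONS = {"author": USERS}                  # author -> User rows
# Relation paths the developer explicitly allowed for filtering. Assumed
# stand-in for the admin's filter configuration, not a Django attribute.
ALLOWED_RELATION_PATHS = {"author__username"}
LOOKUP_TYPES = {"exact", "regex", "startswith"}


def split_key(key):
    """'author__password__regex' -> (['author', 'password'], 'regex')."""
    parts = key.split("__")
    lookup = parts.pop() if parts[-1] in LOOKUP_TYPES else "exact"
    return parts, lookup


def resolve(row, parts):
    """Follow a field path across relations, like the ORM's joins."""
    value = row
    for part in parts:
        value = value[part]
        if part in RELATIONS:
            value = RELATIONS[part][value]
    return value


def matches(value, lookup, arg):
    value = str(value)
    if lookup == "exact":
        return value == arg
    if lookup == "startswith":
        return value.startswith(arg)
    return re.search(arg, value) is not None   # lookup == "regex"


def lookup_allowed(parts, lookup):
    """The 1.2.4 rule in miniature: a lookup may name a field of the model
    being viewed, or a relation path the developer allowed explicitly."""
    if len(parts) == 1:
        return parts[0] in DOCUMENT_FIELDS
    return "__".join(parts) in ALLOWED_RELATION_PATHS


def changelist(querystring, validate):
    """Return ids of documents matching the querystring filters.
    validate=False is the pre-1.2.4 behaviour: every lookup is applied."""
    rows = DOCUMENTS
    for key, values in parse_qs(querystring).items():
        parts, lookup = split_key(key)
        if validate and not lookup_allowed(parts, lookup):
            raise PermissionError("lookup not allowed: " + key)
        rows = [r for r in rows if matches(resolve(r, parts), lookup, values[0])]
    return [r["id"] for r in rows]


def recover_hash(doc_id, validate, alphabet="0123456789abcdef$sh"):
    """Attacker's loop: extend a known prefix one character at a time, using
    whether doc_id survives an anchored __regex filter as a yes/no oracle."""
    prefix = ""
    while True:
        for ch in alphabet:
            pattern = "^" + re.escape(prefix + ch)
            qs = "author__password__regex=" + quote(pattern, safe="")
            if doc_id in changelist(qs, validate):
                prefix += ch
                break
        else:
            return prefix   # no character extends the prefix: hash complete
```

With `validate=False`, `recover_hash(1, False)` walks the whole of alice's hash in a few hundred changelist requests, none of which ever displays the password field. With `validate=True` the first `author__password__regex` request is rejected, while the legitimate `author__username` filter still works because the developer listed that path.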

    One of the bugs fixed in Django 1.2.4 involves a set of circumstances whereby running a test suite on a multiple-database configuration could cause the original source database (i.e., the actual production database) to be dropped, causing catastrophic loss of data. In order to provide a fix for this problem, it was necessary to introduce a new setting, TEST_DEPENDENCIES, that allows you to define any creation-order dependencies in your database configuration.

    Most users — even users with multiple-database configurations — need not be concerned about the data loss bug, or the manual configuration of TEST_DEPENDENCIES. See the documentation on controlling the creation order of test databases for details.
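As an added example (not from the Django documentation or code base), the settings fragment below shows the per-database `TEST_DEPENDENCIES` key in the shape Django 1.2 reads it, followed by a small function that derives the test-database creation order the setting describes and refuses to proceed on an unknown alias or a dependency cycle. Django's own test runner performs this ordering itself; `creation_order` is a reimplementation written here to make the rule visible, and the alias names, engines and the convention that an alias without the key depends on `default` are assumptions of this example.

```python
# Constructed DATABASES setting in Django 1.2's format with the per-database
# TEST_DEPENDENCIES key. Aliases, engines and NAMEs are illustrative only.
DATABASES = {
    "default": {
        "ENGINE": "django.db.backends.postgresql_psycopg2",
        "NAME": "production",
        "TEST_DEPENDENCIES": ["diamonds"],
    },
    "diamonds": {"ENGINE": "django.db.backends.sqlite3", "NAME": "diamonds.db",
                 "TEST_DEPENDENCIES": []},
    "clubs": {"ENGINE": "django.db.backends.sqlite3", "NAME": "clubs.db",
              "TEST_DEPENDENCIES": ["diamonds"]},
    "spades": {"ENGINE": "django.db.backends.sqlite3", "NAME": "spades.db",
               "TEST_DEPENDENCIES": ["clubs", "diamonds"]},
    "hearts": {"ENGINE": "django.db.backends.sqlite3", "NAME": "hearts.db",
               "TEST_DEPENDENCIES": ["clubs", "diamonds", "spades"]},
}


def creation_order(databases):
    """Order aliases so that each test database is created after everything
    it lists in TEST_DEPENDENCIES. Assumption of this example: an alias that
    omits the key depends on 'default', and 'default' depends on nothing.
    Raises ValueError on an unknown alias or a cycle rather than guessing."""
    deps = {}
    for alias, cfg in databases.items():
        fallback = [] if alias == "default" else ["default"]
        deps[alias] = list(cfg.get("TEST_DEPENDENCIES", fallback))
    for alias, needed in deps.items():
        unknown = [d for d in needed if d not in deps]
        if unknown:
            raise ValueError("%s depends on unknown alias %s" % (alias, unknown[0]))
    order, remaining = [], dict(deps)
    while remaining:
        # Every alias whose dependencies are already created is ready;
        # sorting makes the order deterministic across runs.
        ready = sorted(a for a, d in remaining.items()
                       if all(x in order for x in d))
        if not ready:
            raise ValueError("circular TEST_DEPENDENCIES among "
                             + ", ".join(sorted(remaining)))
        for alias in ready:
            order.append(alias)
            del remaining[alias]
    return order


if __name__ == "__main__":
    print(creation_order(DATABASES))
```

Failing loudly on a cycle is the behaviour to want here: a test run that cannot decide which database to create first must not fall through to a default that touches the wrong one.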

    The function-based previously used to execute the GeoDjango test suite, , was finally deprecated in favor of a class-based test runner, , added in this release.