Django 1.10.3 release notes

    Django 1.10.3 fixes two security issues and several bugs in 1.10.2.

    This user is usually dropped after the test suite completes, but not when using the manage.py test --keepdb option or if the user has an active session (such as an attacker’s connection).

    Older versions of Django don’t validate the Host header against settings.ALLOWED_HOSTS when settings.DEBUG=True. This makes them vulnerable to a DNS rebinding attack.

    settings.ALLOWED_HOSTS is now validated regardless of DEBUG. For convenience, if ALLOWED_HOSTS is empty and DEBUG=True, the following variations of localhost are allowed: ['localhost', '127.0.0.1', '::1']. If your local settings file has your production ALLOWED_HOSTS value, you must now omit it to get those fallback values.
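
    The change described above, as an added example: a simplified stand-alone model of the Host check, not Django's own code. The function names, the validate_in_debug switch and the sample Host values are assumptions made for illustration; the fallback list is the one quoted in this note.

```python
# Simplified model of the Host-header check described in this release note.
# Added illustration; not Django's implementation.
LOCALHOST_FALLBACK = ['localhost', '127.0.0.1', '::1']  # values quoted in the note


def split_host(host_header):
    """Return the lower-cased host part of a Host header, without the port."""
    host = host_header.strip().lower()
    if host.startswith('['):                 # bracketed IPv6 literal, e.g. [::1]:8000
        return host[1:host.find(']')] if ']' in host else ''
    if host.count(':') == 1:                 # name:port or IPv4:port
        host = host.rsplit(':', 1)[0]
    return host[:-1] if host.endswith('.') else host


def host_matches(host, pattern):
    """'*' matches anything; '.example.com' matches the domain and its subdomains."""
    pattern = pattern.lower()
    if pattern == '*':
        return True
    if pattern.startswith('.'):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def is_host_allowed(host_header, allowed_hosts, debug, validate_in_debug=True):
    """validate_in_debug=False models the older behaviour the note describes."""
    if debug and not validate_in_debug:
        return True                          # old: Host never checked under DEBUG=True
    if debug and not allowed_hosts:
        allowed_hosts = LOCALHOST_FALLBACK   # new: convenience fallback for local work
    host = split_host(host_header)
    return bool(host) and any(host_matches(host, p) for p in allowed_hosts)


if __name__ == '__main__':
    # Constructed sample: a name outside your control that resolves to 127.0.0.1.
    foreign = 'rebind.example.test:8000'
    print('old, DEBUG=True :', is_host_allowed(foreign, [], True, validate_in_debug=False))
    print('new, DEBUG=True :', is_host_allowed(foreign, [], True))
    # Caveat from the note: a production list in local settings disables the fallback.
    print('localhost, prod list:', is_host_allowed('localhost:8000', ['www.example.com'], True))
```

    The last call shows the upgrade caveat: with a production ALLOWED_HOSTS value left in a local settings file, requests to localhost are rejected even when DEBUG=True.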

    • Allowed User.is_authenticated and User.is_anonymous properties to be tested for set membership ().
    • Fixed a performance regression when running migrate in projects with RenameModel operations (#27279).
    • Made the JavaScriptCatalog view respect the packages argument; previously it was ignored ().
    • Fixed QuerySet.bulk_create() on PostgreSQL when the number of objects is a multiple plus one of batch_size (#27385).
    • Replaced a possibly incorrect redirect from SessionMiddleware when a session is destroyed in a concurrent request with a SuspiciousOperation to indicate that the request can’t be completed ().