Django 1.8.7 release notes

November 24, 2015

Django 1.8.7 fixes a security issue and several bugs in 1.8.6.

Additionally, Django’s vendored version of six, django.utils.six, has been upgraded to the latest release (1.10.0).

Fixed settings leak possibility in date template filter

If an application allows users to specify an unvalidated format for dates and passes this format to the date filter, e.g. {{ last_updated|date:user_date_format }}, then a malicious user could obtain any secret in the application’s settings by specifying a settings key instead of a date format. e.g. "SECRET_KEY" instead of "j/m/Y".

To remedy this, the underlying function used by the date template filter, django.utils.formats.get_format(), now only allows accessing the date/time formatting settings.


  • Fixed a crash of the debug view during the autumn DST change when USE_TZ is False and pytz is installed.
  • Fixed a regression in 1.8.6 that caused database routers without an allow_migrate() method to crash (#25686).
  • Fixed a regression in 1.8.6 by restoring the ability to use Manager objects for the queryset argument of ModelChoiceField (#25683).
  • Fixed a regression in 1.8.6 that caused an application with South migrations in the migrations directory to fail (#25618).
  • Fixed a data loss possibility with Prefetch if to_attr is set to a ManyToManyField (#25693).
  • Fixed a regression in 1.8 by making gettext() once again return UTF-8 bytestrings on Python 2 if the input is a bytestring (#25720).
  • Fixed serialization of DateRangeField and DateTimeRangeField (#24937).
  • Fixed the exact lookup of ArrayField (#25666).
  • Fixed Model.refresh_from_db() updating of ForeignKey fields with on_delete=models.SET_NULL (#25715).
  • Fixed a duplicate query regression in 1.8 on proxied model deletion (#25685).
  • Fixed set_FOO_order() crash when the ForeignKey of a model with order_with_respect_to references a model with a OneToOneField primary key (#25786).
  • Fixed incorrect validation for PositiveIntegerField and PositiveSmallIntegerField on MySQL resulting in values greater than 4294967295 or 65535, respectively, passing validation and being silently truncated by the database (#25767).