Django 1.8.4 release notes
August 18, 2015
Django 1.8.4 fixes a security issue and several bugs in 1.8.3.
Denial-of-service possibility in logout() view by filling session store
Previously, a session could be created when anonymously accessing the
django.contrib.auth.views.logout() view (provided it wasn’t decorated
with login_required() as done in the
admin). This could allow an attacker to easily create many new session records
by sending repeated requests, potentially filling up the session store or
causing other users’ session records to be evicted.
The SessionMiddleware has been
modified to no longer create empty session records, including when
SESSION_SAVE_EVERY_REQUEST is active.
- Added the ability to serialize values from the newly added
- Added a system check warning if the old TEMPLATE_* settings are defined
in addition to the new TEMPLATES setting.
- Fixed QuerySet.raw() so InvalidQuery is not raised when using the
db_column name of a ForeignKey field with primary_key=True
- Prevented an exception in TestCase.setUpTestData() from leaking the
- Fixed has_changed() method in contrib.postgres.forms.HStoreField
- Fixed the recording of squashed migrations when running the migrate
- Moved the unsaved model instance assignment data loss check to Model.save() to allow easier usage
of in-memory models (#25160).
- Prevented varchar_patterns_ops and text_patterns_ops indexes for