2019 年 12 月 18 日
Django 1.11.27 修复了 1.11.26 中的一个安全问题和一个数据丢失漏洞。
By submitting a suitably crafted email address making use of Unicode characters, that compared equal to an existing user email when lower-cased for comparison, an attacker could be sent a password reset token for the matched account.
In order to avoid this vulnerability, password reset requests now compare the submitted email using the stricter, recommended algorithm for case-insensitive comparison of two identifiers from Unicode Technical Report 36, section 2.11.2(B)(2). Upon a match, the email containing the reset token will be sent to the email address on record rather than the submitted address.
SplitArrayField. When using with
ArrayField(BooleanField()), all values after the first True value
were marked as checked instead of preserving passed values (#31073).5月 12, 2023