2019 年 12 月 18 日
Django 1.11.27 修复了 1.11.26 中的一个安全问题和一个数据丢失漏洞。
By submitting a suitably crafted email address making use of Unicode characters, that compared equal to an existing user email when lower-cased for comparison, an attacker could be sent a password reset token for the matched account.
In order to avoid this vulnerability, password reset requests now compare the submitted email using the stricter, recommended algorithm for case-insensitive comparison of two identifiers from Unicode Technical Report 36, section 2.11.2(B)(2). Upon a match, the email containing the reset token will be sent to the email address on record rather than the submitted address.
SplitArrayField
. When using with
ArrayField(BooleanField())
, all values after the first True
value
were marked as checked instead of preserving passed values (#31073).12月 05, 2023