February 1, 2018
Django 2.0.2 fixes a security issue and several bugs in 2.0.1.
AuthenticationForm¶A regression in Django 1.11.8 made
AuthenticationForm run its
confirm_login_allowed() method even if an incorrect password is entered.
This can leak information about a user, depending on what messages
confirm_login_allowed() raises. If confirm_login_allowed() isn’t
overridden, an attacker enter an arbitrary username and see if that user has
been set to is_active=False. If confirm_login_allowed() is overridden,
more sensitive details could be leaked.
This issue is fixed with the caveat that AuthenticationForm can no longer
raise the « This account is inactive. » error if the authentication backend
rejects inactive users (the default authentication backend, ModelBackend,
has done that since Django 1.10). This issue will be revisited for Django 2.1
as a fix to address the caveat will likely be too invasive for inclusion in
older versions.
QuerySet.values_list(..., flat=True)
followed by annotate() (#29067).contrib.auth.authenticate() crashes if an
authentication backend doesn’t accept request and a later one does
(#29071).makemigrations crashes if a migrations directory
doesn’t have an __init__.py file (#29091).ModelAdmin.raw_id_fields
(#29094).mars 30, 2019