Weblog

August archive

New: Google sitemap generator

August 31, 2006

Thanks to an awesome contribution from Dan Watson, we've added a Google sitemap generator to django.contrib in the Django development version.

A sitemap is an XML file on your Web site that tells search-engine indexers how frequently your pages change and how "important" certain pages are in relation to other pages on your site. This information helps search engines index your site. The Django sitemap framework automates the creation of this XML file by letting you express this information in Python code.

In the grand Django tradition, it's simple yet powerful and flexible. Just write a Python class and hook it into your URLconf, and voila: You've got a sitemap. This was so easy to do that we set up a sitemap for djangoproject.com. It's something we probably never would've done otherwise, but it was so easy to do that we figured we might as well. I suspect others will follow the same path.

Full documentation is available. Those of you familiar with Django's syndication framework will feel right at home.

Article at eWeek

August 29, 2006

Mainstream-media coverage of Django is always nice to see. The folks at eWeek have written and published an article about Django: Django: Python on a Plane.

Five-week Django training in Chicago

August 28, 2006

It's come to our attention that DePaul University in the beautiful city of Chicago is holding a five-week Django course.

Here's more info, directly from the source:

We are pleased to introduce our latest certificate program, the Web Development with Python and Django Program. This program will focus on rapid and efficient development of Web applications using LAMP (Linux, Apache, MySQL and Python) and Django. The program deals with Apache, MySQL and Python as a generic platform, and deals with Django as a specific example of a modern, integrated Web development framework. We will cover installation, configuration, programming and deployment of these tools with particular focus on security and business continuity. The program is designed for application developers, system analysts, database administrators, and technical support professionals. Prospective students should have a solid programming background that includes Web development experience, and basic knowledge of systems administration.

The fall session of the Web Development with Python and Django Program is scheduled to meet on five Thursday evenings at DePaul's Loop Campus, beginning on September 28th. In addition, there is an option to enroll in an online section instead of the on-campus section. More details about this program may be found at http://ipd.cti.depaul.edu/wdpd/Prog_wdpd.htm.

Weeks in review: Aug. 22

August 22, 2006

Here are the highlights of Django improvements over the past few weeks (since version 0.95 was released). Aside from many small tweaks, bug fixes and usability improvements, here are some substantial new improvements in the Django development version:

  • Changeset 3520: No more need to edit MD5 or SHA hashes when creating users via the Django admin site! We've created a special-case 'Add user' admin view.
  • Changeset 3554: URLconfs can be passed callable objects as an alternative to strings. See the new documentation.
  • Changeset 3570: Added a SESSION_COOKIE_SECURE setting. If it's set to True, your session cookies will use the "secure" flag.
  • Changeset 3601: Added some cool new operators for the Admin "search_fields" parameter, so you can specify, for instance, that the search match only against the beginning of the database column, for performance. See the new search_fields documentation.
  • Changeset 3602: Added a middleware class called SetRemoteAddrFromForwardedFor. It's useful if you're behind a reverse proxy and want to convert the HTTP_X_FORWARDED_FOR header to REMOTE_ADDR automatically. See the new SetRemoteAddrFromForwardedFor documentation.
  • We've added a How to read the Django documentation document. (Yes, this is documentation about documentation. Rest assured we have no plans to write a document about how to read the document about documentation.)
  • We've created a 0.90-bugfixes branch and a 0.91-bugfixes branch. They're for people stuck on older releases of Django who can't immediately upgrade but run into bugs that have already been fixed in the newest version and not yet backported. James Bennett is maintaining these branches, checking in bug fixes as they come up.

Small security hole fixed in translation helper utility

August 16, 2006

The Django team discovered and fixed a small security hole in the django/bin/compile-messages.py helper script, which is the script that compiles language translation message files (.po files) into binary format (.mo files).

The compile-messages.py script uses the name of the .po file to build arguments to a system command, and it didn't sufficiently validate the filename for potentially malicious content.

Users who relied on the language translation files provided with Django, or who wrote and compiled their own translations, were never at risk. Users who never ran the compile-messages.py script were never at risk. Only users who compiled third-party translations without examining the filenames first were potentially vulnerable.

No exploit based on this vulnerability, proof-of-concept or otherwise, is known to have existed.

Due to the nature of the vulnerability, we do not feel this merits a new release of Django. However, users who rely on third parties to supply translation files -- such as Django's own i18n maintainers -- are encouraged to patch their code in one of these ways:

  • Upgrade to the latest Django trunk (the Django development version).
  • Simply overwrite your copy of django/bin/compile-messages.py with the new version. This file has not changed in any backwards-incompatible way since before Django version 0.90, so it's safe to copy over, regardless of which Django version you're using.
  • We've applied the patches to Subversion "bug-fix" branches for both previous Django versions, 0.90 and 0.91. You can access those branches here:

    • svn co http://code.djangoproject.com/svn/django/branches/0.90-bugfixes
    • svn co http://code.djangoproject.com/svn/django/branches/0.91-bugfixes

If none of those solutions is possible, we strongly encourage users to examine the names of translation files carefully before compiling them. Of course, the same standards should be applied when examining translation files from untrusted third parties as would be applied to any code received from an untrusted source.

(All users are advised, as always, to keep in mind the risks of using any file from a third-party source, and to carefully examine any third-party code before executing it.)

This security hole was fixed in changeset 3592. The patch is available here.

If you're interested in how we fixed the error, see the excellent document String replacements in command lines.
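As an added illustration (not Django's own compile-messages.py code, nor the patch from changeset 3592), the sketch below contrasts the risky pattern the post describes, a file name spliced into a single command string, with an allow-list check on the name plus an argv-style call that never involves a shell. The regex, the function names and the sample file names are assumptions chosen for this example.

```python
import re
import subprocess
from pathlib import Path

# Allow-list for translation file names: must start with a letter, digit or
# underscore, contain only [A-Za-z0-9_.-], and end in ".po". Anything a shell
# could interpret (spaces, ';', '$', '`', quotes, ...) is rejected outright.
_PO_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]*\.po$")


def is_safe_po_name(name: str) -> bool:
    """True only if `name` is a bare file name matching the allow-list."""
    return bool(_PO_NAME.match(name))


def vulnerable_command(po_path: str) -> str:
    """The pattern that caused the problem: the file name is interpolated into
    one command string that would be handed to the shell, so metacharacters in
    the name become shell syntax. Shown for contrast only; never executed here."""
    mo_path = po_path[:-3] + ".mo"
    return "msgfmt -o %s %s" % (mo_path, po_path)


def build_msgfmt_argv(po_path: str) -> list:
    """Hardened form: validate the file name, then build an argv list in which
    each element reaches msgfmt as exactly one argument, with no shell involved."""
    name = Path(po_path).name
    if not is_safe_po_name(name):
        raise ValueError("refusing to compile suspicious translation file name: %r" % name)
    mo_path = str(Path(po_path).with_suffix(".mo"))
    return ["msgfmt", "-o", mo_path, po_path]


def compile_po(po_path: str) -> None:
    """Compile one .po file; subprocess.run with a list defaults to shell=False."""
    subprocess.run(build_msgfmt_argv(po_path), check=True)
```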

Thanks to Rene Dudfield for reporting this.

How the Django team handles security

August 10, 2006

In the wake of the Ruby on Rails mandatory security patch and its awkward handling, we've been discussing how we can avoid such a problem in the Django community.

In case you haven't seen it, our How to contribute to Django document has a Reporting security issues section, which describes our policy. Take the 30 seconds to read that.

In addition to that policy, which we've had for a while, today we created a django-announce mailing list. It's a low-traffic, announcement-only mailing list. We'll send a message to it for new Django releases, significant feature additions and security alerts. If you're a Django user, it'd be a good idea for you to sign up for this list.

Django at OSCON, recap

August 8, 2006

OSCON 2006, the O'Reilly open-source convention in Portland, Oregon, USA, was outstanding, with plenty of both formal and informal Django activities.

Jacob kicked off the pre-conference tutorial track with a well-attended, 3.5-hour Django tutorial. The crowd included several (probably safe to say "former") Ruby on Rails developers.

As the conference began, Django was the focus of a slide in Tim O'Reilly's keynote speech. That was pretty cool.

Adrian did a Django talk at the O'Reilly "Executive Briefing," during the "Who's on the O'Reilly Open Source Radar?" session. According to O'Reilly, Django is one of the "projects that we think should be on your radar."

Moving on, Jacob presented a Django overview to a great audience. Adrian did a State of Django lightning talk -- and unfortunately couldn't fit all of the goals and upcoming features into the strict five-minute time limit!

Finally, in one of the highlights of the week, we had a Django meet-n-greet, attended by all sorts of interesting people, from independent Web developers to Disney employees to Googlers. It was great to match faces to names. Malcolm Tredinnick, whose name you surely recognize if you're a member of the django-users mailing list, came from Australia.

We didn't take nearly as many photos as we should have, but we've compiled the best ones and created a Django at OSCON 2006 Tabblo. We figured it'd be appropriate, because not only is Tabblo.com a great way of displaying event-specific photos -- the site is Django-powered.

Guido likes Django

August 7, 2006

Python creator Guido van Rossum has nice things to say about Django in the latest FLOSS Weekly podcast (a podcast devoted to Free Libre Open Source Software). With regard to Web frameworks, Guido says:

"My personal favorite -- and I expect that that will remain a personal favorite for a long time -- is something named Django. ... I highly recommend it."

Check it out! The Django discussion is about 50 minutes in, but the whole interview is well worth listening to.