Errata for yesterday's security release announcement

Yesterday, we announced a security release to address a number of issues that had been brought to our attention. However, that announcement contained one error, and one omission.

Firstly, the error: the example given in the blog entry was misleading. The sample JavaScript code will work for users of Django 1.1.4, but not for users of Django 1.2.5 or trunk. If you are using trunk or Django 1.2.5, you will need to use slightly different JavaScript code to extract the CSRF token from a cookie. Django's documentation for CSRF handling contains the correct examples (see the 1.1, 1.2 and trunk documentation respectively).

Secondly, the omission: we neglected to mention that the 1.2.5 release contains three other minor backwards incompatibilities. These incompatibilities relate to the process of deleting files stored in a FileField, the interpretation of initial SQL during testing, and a change to the internals of admin list_filter validation introduced in Django 1.2.4. We generally go to extraordinary lengths to avoid backwards incompatibilities of any kind, but in the case of these three changes, it was not possible to resolve bugs while preserving full backwards compatibility. For more details, see the 1.2.5 release notes.

We deeply apologize for any inconvenience caused by these errors.

Posted by Russell Keith-Magee on February 10, 2011