Latest news about Django, the Python web framework.

From The Django weblog at 2022-09-21 14:49:50

2022 Django Developers Survey

Please take a moment to fill out the 2022 Django Developers Survey. We are once again partnering with JetBrains, and the survey is available in 10 different languages.

The survey is an important metric of Django usage and helps guide future technical and community decisions. One recent example: past surveys demonstrated how popular Redis is, and built-in support for Redis as a cache backend was added in Django 4.0 as a direct result of that feedback.

After the survey is over, the aggregated results and anonymized raw data will be published.

From The Django weblog at 2022-09-05 06:03:40

Django bugfix release: 4.1.1

Today we've issued the 4.1.1 bugfix release.

The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Mariusz Felisiak: 2EF56372BA48CD1B.

From The Django weblog at 2022-08-03 09:58:20

Django 4.1 released

The Django team is happy to announce the release of Django 4.1.

The release notes cover the profusion of new features in detail, but a few highlights are:

You can get Django 4.1 from our downloads page or from the Python Package Index. The PGP key ID used for this release is Carlton Gibson: E17DF5C82B4F9D00.

With the release of Django 4.1, Django 4.0 has reached the end of mainstream support. The final minor bug fix release, 4.0.7, was issued today. Django 4.0 will receive security and data loss fixes until April 2023. All users are encouraged to upgrade before then to continue receiving fixes for security issues.

See the downloads page for a table of supported versions and the future release schedule.

From The Django weblog at 2022-08-03 08:45:57

Django security releases issued: 4.0.7 and 3.2.15

In accordance with our security release policy, the Django team is issuing Django 4.0.7 and Django 3.2.15. These releases address the security issue detailed below. We encourage all users of Django to upgrade as soon as possible.

CVE-2022-36359: Potential reflected file download vulnerability in FileResponse

An application that sets the Content-Disposition header of a FileResponse using a filename derived from user-supplied input may have been vulnerable to a reflected file download (RFD) attack. The filename is now escaped to avoid this possibility.

This issue has high severity, according to the Django security policy.

Thanks to Motoyasu Saburi for the report.
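The advisory only says that the filename is "now escaped". As an added illustration (written for this page, not Django's own FileResponse code), the following builds a Content-Disposition value from a user-derived name so that quotes and backslashes cannot close the quoted parameter, falls back to the RFC 5987 `filename*` form for non-ASCII names, refuses line breaks outright, and includes a small round-trip parser so the escaping can be checked. The naive builder is included only to show the difference in output; the function names and the sample filenames are constructed for this example.

```python
from urllib.parse import quote, unquote


def naive_content_disposition(filename: str) -> str:
    """The unsafe pattern: a user-derived name is dropped straight into the header."""
    return f'attachment; filename="{filename}"'


def content_disposition(filename: str, as_attachment: bool = True) -> str:
    """Build a Content-Disposition value for a user-derived filename.

    ASCII names use the quoted-string form with backslash and double quote
    escaped; non-ASCII names use the RFC 5987 extended form with percent-encoded
    UTF-8. Either way the name cannot terminate the parameter early.
    Illustrative code for this advisory, not Django's implementation.
    """
    disposition = "attachment" if as_attachment else "inline"
    if not filename:
        return disposition
    if "\r" in filename or "\n" in filename:
        # A CR/LF would end the header line; refuse rather than try to repair it.
        raise ValueError("filename must not contain line breaks")
    try:
        filename.encode("ascii")
    except UnicodeEncodeError:
        # Extended form: percent-encoding leaves no characters that need quoting.
        return f"{disposition}; filename*=utf-8''{quote(filename)}"
    # Escape the backslash first, then the double quote, so the escape
    # character itself can never be smuggled in unescaped.
    escaped = filename.replace("\\", "\\\\").replace('"', '\\"')
    return f'{disposition}; filename="{escaped}"'


def parse_disposition_filename(header: str) -> str:
    """Recover the filename from a header produced by content_disposition().

    Used here as a round-trip check: escaping is correct exactly when the
    original name comes back unchanged.
    """
    _, _, params = header.partition(";")
    params = params.strip()
    ext_prefix = "filename*=utf-8''"
    if params.startswith(ext_prefix):
        return unquote(params[len(ext_prefix):])
    if params.startswith('filename="') and params.endswith('"'):
        body = params[len('filename="'):-1]
        out, i = [], 0
        while i < len(body):
            if body[i] == "\\" and i + 1 < len(body):
                out.append(body[i + 1])  # unescape \" and \\
                i += 2
            else:
                out.append(body[i])
                i += 1
        return "".join(out)
    raise ValueError("unrecognised Content-Disposition parameter")


if __name__ == "__main__":
    # Constructed sample names: a plain one, one with a quote, one non-ASCII.
    for name in ["report.csv", 'my "quoted" report.txt', "résumé.pdf"]:
        print("naive :", naive_content_disposition(name))
        print("safe  :", content_disposition(name))
        print("round :", parse_disposition_filename(content_disposition(name)) == name)
```

In the naive output the second sample's own quotes end the `filename` parameter early; in the escaped output every quote inside the name is preceded by a backslash, and the round-trip parser returns the original name for all three.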

Affected supported versions

  • Django main branch
  • Django 4.1 (which will be released in a separate blog post later today)
  • Django 4.0
  • Django 3.2

Resolution

Patches to resolve the issue have been applied to Django's main branch and the 4.1, 4.0, and 3.2 release branches. The patches may be obtained from the following changesets:

The following releases have been issued:

The PGP key ID used for this release is Carlton Gibson: E17DF5C82B4F9D00.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.

From The Django weblog at 2022-07-19 10:08:29

Django 4.1 release candidate 1 released

Django 4.1 release candidate 1 is the final opportunity for you to try out the profusion of new features before Django 4.1 is released.

The release candidate stage marks the string freeze and the call for translators to submit translations. Provided no major bugs are discovered that can't be solved in the next two weeks, Django 4.1 will be released on or around August 3. Any delays will be communicated on the django-developers mailing list thread.

Please use this opportunity to help find and fix bugs (which should be reported to the issue tracker). You can grab a copy of the package from our downloads page or on PyPI.

The PGP key ID used for this release is Carlton Gibson: E17DF5C82B4F9D00.

From The Django weblog at 2022-07-04 08:58:13

Django security releases issued: 4.0.6 and 3.2.14

In accordance with our security release policy, the Django team is issuing Django 4.0.6 and Django 3.2.14. These releases address the security issue detailed below. We encourage all users of Django to upgrade as soon as possible.

CVE-2022-34265: Potential SQL injection via Trunc(kind) and Extract(lookup_name) arguments

Trunc() and Extract() database functions were subject to SQL injection if untrusted data was used as a kind/lookup_name value.

Applications that constrain the lookup name and kind choice to a known safe list are unaffected.

This security release mitigates the issue, but we have identified improvements to the database API methods related to date extract and truncate that would be beneficial to add to Django 4.1 before its final release. This will impact third-party database backends using Django 4.1 release candidate 1 or newer until they are able to update to the API changes. We apologize for the inconvenience.

Thanks to Takuto Yoshikai (Aeye Security Lab) for the report.

This issue has severity "high" according to the Django security policy.

Affected supported versions

  • Django main branch
  • Django 4.1 (currently at beta status)
  • Django 4.0
  • Django 3.2

Resolution

Patches to resolve the issue have been applied to Django's main branch and to the 4.1, 4.0, and 3.2 release branches. The patches may be obtained from the following changesets:

The following releases have been issued:

The PGP key ID used for this release is Mariusz Felisiak: 2EF56372BA48CD1B.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.

From The Django weblog at 2022-06-24 22:50:09

PyCharm & DSF Campaign 2022 Results

The sixth annual JetBrains PyCharm promotion in June netted the Django Software Foundation $25,000 this year.

This amount represents over 10% of the DSF's overall budget, which goes directly into funding the continued development and support of Django via the Django Fellowship program and Django conferences worldwide.

Django Software Foundation

The Django Software Foundation is the non-profit foundation that supports the development of the Django Web framework. It funds the Django Fellowship program, which currently supports two Fellows who triage tickets, review/merge patches from the community, and work on infrastructure. The introduction of this program starting in 2015 has gone a long way towards ensuring a consistent major release cycle and the fixing/blocking of severe bugs. DSF also funds development sprints, community events like DjangoCons, and related conferences and workshops globally.

Fundraising is still ongoing and you can donate directly at djangoproject.com/fundraising.

From The Django weblog at 2022-06-21 10:30:20

Django 4.1 beta 1 released

Django 4.1 beta 1 is now available. It represents the second stage in the 4.1 release cycle and is an opportunity for you to try out the changes coming in Django 4.1.

Django 4.1 has a profusion of new features which you can read about in the in-development 4.1 release notes.

Only bugs in new features and regressions from earlier versions of Django will be fixed between now and 4.1 final (also, translations will be updated following the "string freeze" when the release candidate is issued). The current release schedule calls for a release candidate a month from now, with the final release to follow about two weeks after that, around August 3. Early and frequent testing from the community will help minimize the number of bugs in the release. Updates on the release schedule are available on the django-developers mailing list.

As with all alpha and beta packages, this is not for production use. But if you'd like to take some of the new features for a spin, or to help find and fix bugs (which should be reported to the issue tracker), you can grab a copy of the beta package from our downloads page or on PyPI.

The PGP key ID used for this release is Carlton Gibson: E17DF5C82B4F9D00.

From The Django weblog at 2022-06-12 21:39:16

Last Chance for a DjangoCon Europe 2023

TL;DR: There will not be a DjangoCon Europe 2023 if the DSF board does not receive viable proposals for one by August 10, end of day AoE. There is not sufficient time after that for an organizing group to plan a DjangoCon to happen in the traditional, calendar-blocked window of April-June.

Hosting a DjangoCon is an ambitious undertaking. It's hard work, but each year it has been successfully run by a team of community volunteers, not all of whom have had previous experience - more important is enthusiasm, organizational skills, the ability to plan and manage budgets, time and people - and plenty of time to invest in the project.

You'll find plenty of support on offer from previous DjangoCon organizers, so you won't be on your own.

How to apply

If you're interested, we'd love to hear from you. The Porto organizers would also love the opportunity to continue the tradition of announcing the next DjangoCon Europe during their DjangoCon.

This reference helps with the logistics of putting together a DjangoCon.

The more detailed and complete your proposal, the better. Things you should consider, and that we'd like to know about, are:

  • dates
  • numbers of attendees
  • venue(s)
  • accommodation
  • transport links
  • budgets and ticket prices
  • committee members

We'd like to see:

  • timelines
  • pictures
  • prices
  • draft agreements with providers
  • alternatives you have considered

They will all help show that your plans are serious and thorough and that you have the organizational capacity to make it a success.

Just drop us a line.

From The Django weblog at 2022-06-01 16:30:31

PyCharm & DSF Campaign 2022

For the sixth year in a row, Django is partnering with JetBrains PyCharm on the following promotion: 30% off the purchase of any new individual PyCharm Pro licenses with the full proceeds benefitting the Django Software Foundation. The promotion will last 19 days from June 1, 2022 to June 20, 2021.

“The Django and PyCharm partnership has become one of the major fundraising activities of the Django Software Foundation for several years now. We look forward to it each year, and we hope this year will be as great as it always is, or even better. On behalf of the Django Software Foundation and Django community, I would like to express our deepest gratitude to JetBrains for their generosity and support.” - Anna Makarudze, DSF President

From The Django weblog at 2022-06-01 13:28:49

Django bugfix release: 4.0.5

Today we've issued the 4.0.5 bugfix release.

The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Carlton Gibson: E17DF5C82B4F9D00.

From The Django weblog at 2022-05-23 12:00:00

The Call for Proposals for DjangoCon US 2022 Is Now Open!

The DjangoCon 2022 organizers are excited to announce that the first in-person DjangoCon since 2019 is now open for talk submissions through the call for proposals! The deadline for submissions is June 10th, 2022 AoE. As long as it’s still June 10th anywhere on earth, you can submit your proposal.

We invite you to submit your proposal no matter your background or experience level with Django. Proposals can be from a wide range of topics; non-Django and community topics are welcome. You can look at our talk schedule from last year for reference.

We fancy first-timers! If you haven’t spoken at a conference or given a tutorial before, this is your invitation to do so. Don’t let the idea that you’re not famous or an expert stop you from submitting. It certainly won’t stop us from selecting your talk or tutorial and it won’t stop the audience from enjoying it!

Plus there are perks! Presenters get free admission to DjangoCon US! Grants to assist with your travel and lodging expenses are available as well. Fill out the Opportunity Grant form by June 10th, 2022. Decision notifications will be sent by July 8, 2022.

For more information on talk and tutorial formats, please check out our speaker information page.

We want everyone attending DjangoCon US to feel safe, welcome, and included. To that end, we have a Code of Conduct for all speakers and attendees.

If you have questions feel free to contact us.

We look forward to your proposals!

From The Django weblog at 2022-05-18 06:58:39

Django 4.1 alpha 1 released

Django 4.1 alpha 1 is now available. It represents the first stage in the 4.1 release cycle and is an opportunity for you to try out the changes coming in Django 4.1.

Django 4.1 has a profusion of new features which you can read about in the in-development 4.1 release notes.

This alpha milestone marks the feature freeze. The current release schedule calls for a beta release in about a month and a release candidate about a month from then. We'll only be able to keep this schedule if we get early and often testing from the community. Updates on the release schedule are available on the django-developers mailing list.

As with all alpha and beta packages, this is not for production use. But if you'd like to take some of the new features for a spin, or to help find and fix bugs (which should be reported to the issue tracker), you can grab a copy of the alpha package from our downloads page or on PyPI.

The PGP key ID used for this release is Carlton Gibson: E17DF5C82B4F9D00.

From The Django weblog at 2022-04-11 08:55:44

Django security releases issued: 4.0.4, 3.2.13, and 2.2.28

In accordance with our security release policy, the Django team is issuing Django 4.0.4, Django 3.2.13, and Django 2.2.28. These releases address the security issues detailed below. We encourage all users of Django to upgrade as soon as possible.

Django 2.2 has reached the end of extended support. The final security release (2.2.28) was issued today. All Django 2.2 users are encouraged to upgrade to Django 3.2 or later.

CVE-2022-28346: Potential SQL injection in QuerySet.annotate(), aggregate(), and extra()

QuerySet.annotate(), aggregate(), and extra() methods were subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to these methods.

Thanks to the Splunk team (Preston Elder, Jacob Davis, Jacob Moore, Matt Hanson, and David Briggs) and to security researcher Danylo Dmytriiev (DDV_UA) for the report.

This issue has severity "high" according to the Django security policy.

CVE-2022-28347: Potential SQL injection via QuerySet.explain(**options) on PostgreSQL

The QuerySet.explain() method was subject to SQL injection in option names, using a suitably crafted dictionary, with dictionary expansion, as the **options argument.

This issue has severity "high" according to the Django security policy.
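The three ORM advisories above (CVE-2022-34265 for Trunc()/Extract() kinds, CVE-2022-28346 for annotate()/aggregate()/extra() aliases, and CVE-2022-28347 for explain() option names) share one root cause: a request-derived string reaching an identifier position in the generated SQL, typically through dictionary expansion of user data into keyword arguments. The advisory for CVE-2022-34265 notes that applications constraining the kind to a known safe list are unaffected. The following is an added, stand-alone example of that defensive pattern at the view boundary; it is not Django's own fix. The forbidden-character pattern, the allow-list of kinds, the 64-character cap and the query strings are assumptions constructed for this example, and the ORM call itself is left to the caller so the block runs without Django installed.

```python
import re
from urllib.parse import parse_qs

# Sequences that must never appear in an identifier position (column alias,
# EXPLAIN option name): whitespace, quotes, backticks, brackets, semicolons and
# SQL comment markers. Assumed for this example, not Django's own check.
FORBIDDEN_IN_IDENTIFIER = re.compile(r"['`\"\]\[;\s]|--|/\*|\*/")

# Allow-list of Trunc() kinds / Extract() lookup names this application accepts
# (constructed for the example; a real view would list only what it supports).
ALLOWED_KINDS = frozenset(
    {"year", "quarter", "month", "week", "day", "hour", "minute", "second"}
)


def is_safe_identifier(name: str) -> bool:
    """True if `name` may be used as a column alias or option name."""
    # The 64-character cap is an arbitrary choice for this example.
    return bool(name) and len(name) <= 64 and FORBIDDEN_IN_IDENTIFIER.search(name) is None


def checked_aliases(user_mapping: dict) -> dict:
    """Validate every key of a mapping destined for annotate(**mapping) /
    aggregate(**mapping) / explain(**mapping) before expansion.

    Raises ValueError on the first bad key so the view can answer 400 rather
    than silently dropping or passing the entry on.
    """
    bad = sorted(key for key in user_mapping if not is_safe_identifier(str(key)))
    if bad:
        raise ValueError(f"rejected identifier name(s): {bad}")
    return dict(user_mapping)


def resolve_kind(user_value: str) -> str:
    """Map a user-supplied string onto an allow-listed Trunc()/Extract() kind."""
    kind = user_value.strip().lower()
    if kind not in ALLOWED_KINDS:
        raise ValueError(f"unsupported truncation kind: {user_value!r}")
    return kind


def build_report_params(query_string: str) -> dict:
    """Turn a request query string such as 'kind=Month&alias=monthly_total'
    into the validated values a view would hand to Trunc(kind=...) and
    annotate(**{alias: ...}).  Defaults are assumptions of this example.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    kind = resolve_kind(params.get("kind", ["day"])[0])
    alias = params.get("alias", ["value"])[0]
    # Validate the alias through the same path a full mapping would take.
    checked_aliases({alias: "<aggregate expression placeholder>"})
    return {"kind": kind, "alias": alias}


if __name__ == "__main__":
    # Constructed inputs: one well-formed request and two that must be rejected.
    for qs in ["kind=Month&alias=monthly_total", "kind=month%27--&alias=t", "kind=day&alias=x%22y"]:
        try:
            print(qs, "->", build_report_params(qs))
        except ValueError as exc:
            print(qs, "-> rejected:", exc)
```

Keeping `ALLOWED_KINDS` and `is_safe_identifier()` at the edge of the application means the ORM never sees a user-controlled identifier, regardless of whether the installed Django version carries the patched check.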

Affected supported versions

  • Django main branch
  • Django 4.0
  • Django 3.2
  • Django 2.2

Resolution

Patches to resolve the issues have been applied to Django's main branch and to the 4.0, 3.2, and 2.2 release branches. The patches may be obtained from the following changesets.

CVE-2022-28346:

CVE-2022-28347:

The following releases have been issued:

The PGP key ID used for this release is Mariusz Felisiak: 2EF56372BA48CD1B.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.

From The Django weblog at 2022-03-01 08:48:51

Django bugfix release: 4.0.3

Today we've issued the 4.0.3 bugfix release.

The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Carlton Gibson: E17DF5C82B4F9D00.

From The Django weblog at 2022-02-10 06:39:11

Join DEFNA! Board Member Recruitment

Django Events Foundation North America (DEFNA) is looking for another board member. We have an eight-member board; last year one of our board members stepped down. We are looking for a new board member, interested in growing the DjangoCon US community.

Board membership takes, on average, about five hours per month performing the following functions:

  • Attend the monthly board meeting
  • Participate in the grant applications review process
  • Use DEFNA’s social media channels to communicate about DEFNA
  • Come up with new and clever ways for DEFNA to fulfill our mission

If you’d like to be considered for the board, drop us a note at hello@defna.org, and let us know:

  • What interests you about being on the board
  • Your current/prior community involvement (it’s okay if you’re new—we need everyone to participate!)
  • Any particular interests you have (grants committee, corporate filings, corporate treasurer, etc.)
  • Any ideas you have for expanding DEFNA’s reach in the OSS community
  • Anything else you’d like us to know about you as a potential board member

Please email your information to us by February 21st at 6:00 PM Pacific Time. We’ll contact you if we need more details. We’ll make our decision and reply to everyone by end-of-day March 4th.

Read more about DEFNA’s board members.

From The Django weblog at 2022-02-03 06:00:00

Could you host DjangoCon Europe 2023?

DjangoCon Europe 2022 will be held from the 21st - 25th September in Porto, Portugal, hopefully, but we're already looking ahead to next year's conference. Could your town - or your football stadium, circus tent, private island, or city hall - host this wonderful community event?

Under the usual circumstances, the DjangoCon Europe licensee picks the date of the conference but the event must fall more than one month from DjangoCon US and PyCon US, and EuroPython in the same calendar year. Also, at the end of DjangoCon Europe, the next hosts for DjangoCon Europe would be announced and a call for proposals for volunteers to organise DjangoCon Europe in 2 years would be made.

However, the pandemic has disturbed this tradition for the past three years resulting in the Porto team organizing DjangoCon Europe for the third time in a row. We have also had to offer exceptional permission for DjangoCon Europe to take place less than one month away from DjangoCon US due to challenges we faced in 2021 with finding new hosts for the conference.

We are hoping to find organizers for DjangoCon Europe by April 2022 so that we can keep in line with the tradition of DjangoCon Europe taking place between April and July and announcing the next DjangoCon Europe at DjangoCon Europe 2022 in Porto.

Hosting a DjangoCon is an ambitious undertaking. It's hard work, but each year it has been successfully run by a team of community volunteers, not all of whom have had previous experience - more important is enthusiasm, organisational skills, the ability to plan and manage budgets, time and people - and plenty of time to invest in the project.

You'll find plenty of support on offer from previous DjangoCon organisers, so you won't be on your own.

How to apply

If you're interested, we'd love to hear from you. Following the established tradition, the selected hosts will be announced at this year's DjangoCon by last year's organisers, so we'll need to receive your proposal before then. The proposed dates must fall more than one month from DjangoCon US, PyCon US, and EuroPython in the same calendar year.

The more detailed and complete your proposal, the better. Things you should consider, and that we'd like to know about, are:

  • dates
  • numbers of attendees
  • venue(s)
  • accommodation
  • transport links
  • budgets and ticket prices
  • committee members

We'd like to see:

  • timelines
  • pictures
  • prices
  • draft agreements with providers
  • alternatives you have considered

They will all help show that your plans are serious and thorough and that you have the organisational capacity to make it a success.

Just drop us a line.

From The Django weblog at 2022-02-01 07:57:03

Django security releases issued: 4.0.2, 3.2.12, and 2.2.27

In accordance with our security release policy, the Django team is issuing Django 4.0.2, Django 3.2.12, and Django 2.2.27. These releases address the security issues detailed below. We encourage all users of Django to upgrade as soon as possible.

CVE-2022-22818: Possible XSS via {% debug %} template tag

The {% debug %} template tag didn't properly encode the current context, posing an XSS attack vector.

In order to avoid this vulnerability, {% debug %} no longer outputs any information when the DEBUG setting is False, and it ensures all context variables are correctly escaped when the DEBUG setting is True.

Thanks to Keryn Knight for the report.

This issue has severity "medium" according to the Django security policy.

CVE-2022-23833: Denial-of-service possibility in file uploads

Passing certain inputs to multipart forms could result in an infinite loop when parsing files.

Thanks to Alan Ryan for the report.

This issue has severity "medium" according to the Django security policy.

Affected supported versions

  • Django main branch
  • Django 4.0
  • Django 3.2
  • Django 2.2

Resolution

Patches to resolve the issues have been applied to Django's main branch and to the 4.0, 3.2, and 2.2 release branches. The patches may be obtained from the following changesets.

CVE-2022-22818:

CVE-2022-23833:

The following releases have been issued:

The PGP key ID used for this release is Mariusz Felisiak: 2EF56372BA48CD1B.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.

From The Django weblog at 2022-01-21 06:00:00

Announcing DjangoCon Europe 2022

We are happy to announce DjangoCon Europe 2022 will take place in Porto, Portugal 🇵🇹 hopefully! Let us explain, and believe us that there is a lot to explain.

DjangoCon Europe is hosted annually by an independent volunteer team. This volunteer team submits a proposal to DSF, which will then select the most suitable one from all the proposals. We knew from the start it would be daunting for a new team to submit for 2022, in these uncertain times. So, we pledged our availability to host another DjangoCon, but only if there was no other team submitting a proposal.

Do not get us wrong: we love the idea of welcoming you all in our city and country, and we have been trying for the last two years, but we felt we should give other teams the chance. So we did not submit an official proposal, just a backup plan; most of all, we didn’t want to spend a year without a DjangoCon Europe.

Being here means no other team was available, understandably so. Our main advantage is that, having organised the previous two editions, we are able to set up quickly and keep the momentum going.

We will try for the third time to host an in-person event, but a safe one. This means it will be hybrid from the start, both for speakers and participants. We want to give freedom of choice as well as being prepared for unforeseeable issues, which seem to be the new normal. Please keep in mind this might change in a heartbeat and we might end up with yet another online-only event, but let us hope for a bit more.

On another note, you might have noticed the unusual dates for DjangoCon Europe, which usually takes place during the first half of the year. DSF tried to find a new team to host, but due to the lack of viable proposals eventually contacted us in mid-November. Finding a suitable date on such short notice, avoiding other events, and booking a venue left us with little to no choices. To this end, we would like to thank both DEFNA and DSF for the exceptional permission as it will be unusually close to DjangoCon US.

So, DjangoCon Europe 2022 is back again and it’s going to be 5 full days of talks, tutorials and sprints - from September 21 to 25:

  • Conference talks: September 21-23 (Wednesday-Friday)
  • Sprints: September 24-25 (Saturday and Sunday)

In the near future, we will have more info about the conference, which we will publish on the website. This will include more details about the tickets, talks, workshops, grants, code of conduct, etc. For now, here is a summary of that info.

Grants

As with past years, there will be a travel grants program to assist people with financial difficulties and people who are under-represented or from marginalised groups, giving access to an event they would otherwise find very difficult to attend.

Sponsors

If you're interested in sponsoring the event, please get in touch at sponsors@djangocon.eu.

Talk proposals

You can already start to prepare your talk, and for that, we recommend that you watch the talk “How To Get On This Stage (And What To Do When You Get There)” by Mark Smith. If you think you have something great to talk about – start to prepare your talk! If you are unsure, talk it over with somebody, or go to Slack to find previous speakers and participants to discuss your idea with. When in doubt, submit your talk!

Volunteers

As you can imagine there is a lot to do, but it's very much worth it – DjangoCon Europe is an extremely friendly, open, inclusive, and informative (for beginners and advanced users alike) conference. Join us regardless of your prior experience: this is also an opportunity to learn! In other words, you don't have to be an expert to join. Below are the teams and their activities/responsibilities that we seek help with:

  • Communications: Press, community relations, announcements, social media, attendee tools, volunteer coordination
  • Support and hospitality: Helpdesk, attendee support contact, visa help, travel management, chat support for attendees, on-site volunteer organization, speaker support;
  • Financial aid and diversity advocate: Setup, grant selection, aid organization, accessibility considerations, outreach on-site;
  • Sponsors: Outreach to companies, organizing their logistics at the event and other types of visibility;
  • Program: Committee work, talk selection, scheduling, session chairs, sprint/open space/keynote/lightning talks session organization (we will open the CFP soon!);
  • Code of Conduct: Drafting documents, handling of requests and issues.

You can apply through this form here.

Your location before and during the event is not significant, since it will be hosted in a hybrid format. We can do all things that need to be done in Porto ourselves. The only important thing is that you have the energy and free time to help organize a wonderful DjangoCon Europe. The official language of all these prior activities will be English, as well as the conference itself.

--

We expect new challenges but pledge our hearts and minds to do the best DjangoCon Europe we can, never giving up under these strenuous conditions. Please consider volunteering and join us, we need you!

We hope we'll see you all at DjangoCon Europe 2022, and don't forget to follow us @djangoconeurope on Twitter, and also join our dedicated Slack channel.


Hoping for the best,

The DjangoCon Europe 2022 Organisers

From The Django weblog at 2022-01-04 10:00:54

Django security releases issued: 4.0.1, 3.2.11, and 2.2.26

In accordance with our security release policy, the Django team is issuing Django 4.0.1, Django 3.2.11, and Django 2.2.26. These releases address the security issues detailed below. We encourage all users of Django to upgrade as soon as possible.

CVE-2021-45115: Denial-of-service possibility in UserAttributeSimilarityValidator

UserAttributeSimilarityValidator incurred significant overhead evaluating submitted passwords that were artificially large relative to the comparison values. On the assumption that access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack.

In order to mitigate this issue, relatively long values are now ignored by UserAttributeSimilarityValidator.

This issue has severity "medium" according to the Django security policy.

CVE-2021-45116: Potential information disclosure in dictsort template filter

Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure or unintended method calls, if passed a suitably crafted key.

In order to avoid this possibility, dictsort now works with a restricted resolution logic that will not call methods or allow indexing on dictionaries.

As a reminder, all untrusted user input should be validated before use.

This issue has severity "low" according to the Django security policy.

CVE-2021-45452: Potential directory-traversal via Storage.save()

Storage.save() allowed directory-traversal if directly passed suitably crafted file names.

This issue has severity "low" according to the Django security policy.
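The advisory for CVE-2021-45452 states only that Storage.save() allowed directory traversal when handed suitably crafted file names. As an added example (written for this page, not Django's Storage code), the following shows the containment check a file-system storage needs at that boundary: the name is joined onto the storage root, the result is normalised, and anything that resolves outside the root is refused. The `SuspiciousFileOperation` exception, the `LocalStorage` class and the sample names in `demo()` are constructed for this example; `demo()` writes only inside a temporary directory.

```python
import os
import tempfile


class SuspiciousFileOperation(Exception):
    """Raised when a requested name would resolve outside the storage root."""


def safe_join(base: str, *paths: str) -> str:
    """Join `paths` onto `base` and refuse any result outside `base`.

    os.path.abspath() collapses '..' segments, and an absolute component in
    `paths` makes os.path.join() discard `base` entirely, so the containment
    check must run on the resolved result rather than on the raw name.
    """
    base_path = os.path.abspath(base)
    final_path = os.path.abspath(os.path.join(base_path, *paths))
    if os.path.commonpath([base_path, final_path]) != base_path:
        raise SuspiciousFileOperation(
            f"{final_path!r} is outside the storage root {base_path!r}"
        )
    return final_path


class LocalStorage:
    """Minimal file-system storage that routes every name through safe_join()."""

    def __init__(self, root: str):
        self.root = os.path.abspath(root)

    def path(self, name: str) -> str:
        return safe_join(self.root, name)

    def save(self, name: str, content: bytes) -> str:
        """Write `content` under `name`; returns the stored name relative to root."""
        full = self.path(name)  # raises before anything touches the disk
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
        return os.path.relpath(full, self.root)


def demo() -> dict:
    """Run a constructed set of names through the storage; map name -> outcome."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        storage = LocalStorage(root)
        # Two names that stay inside the root (one after normalisation) and two
        # that try to leave it via '..' and via an absolute path.
        for name in ["docs/report.txt", "docs/../notes.txt", "../escape.txt", "/etc/passwd"]:
            try:
                results[name] = storage.save(name, b"constructed sample content")
            except SuspiciousFileOperation:
                results[name] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name!r:24} -> {outcome}")
```

Note that the check compares resolved paths, so `docs/../notes.txt` is accepted and stored as `notes.txt` (still inside the root), while `../escape.txt` and `/etc/passwd` are rejected before any file is opened.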

Affected supported versions

  • Django main branch
  • Django 4.0
  • Django 3.2
  • Django 2.2

Resolution

Patches to resolve the issues have been applied to Django's main branch and to the 4.0, 3.2, and 2.2 release branches. The patches may be obtained from the following changesets.

CVE-2021-45115:

CVE-2021-45116:

CVE-2021-45452:

The following releases have been issued:

The PGP key ID used for these releases is Carlton Gibson: E17DF5C82B4F9D00.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.

From The Django weblog at 2022-01-03 18:15:10

Django Developers Survey 2021 Results

We are excited to share the results of the annual Django Developers Survey which was conducted this year in collaboration with JetBrains. More than 7,000 Django users from almost 140 countries took the survey which covered a broad list of topics including Django usage, operating systems, libraries, tools, and many other insights.

View the results of the 2021 Django Developers Survey.

If you have feedback on the findings and how to improve the survey in future years please share on the official Django Forum or Twitter and other social media mentioning @djangoproject and @jetbrains along with the #djangosurvey hashtag.

Thank you to everyone who participated!

From The Django weblog at 2021-12-17 14:36:30

2021 Malcolm Tredinnick Memorial Prize awarded to Adam Johnson

The Board of the Django Software Foundation is pleased to announce that the 2021 Malcolm Tredinnick Memorial Prize has been awarded to Adam Johnson.

Adam Johnson is a member of the Django Technical Board and a longtime member of the security team. He has contributed a huge amount of code to Django itself and maintains multiple Django third-party packages. He is a co-organizer of The London Django Meetup and regularly gives talks at Django and Python conferences. He has also written a book on Django testing and his personal blog has a lot of content educating people on Python and Django best practices. He is actively helpful on Twitter and the Django mailing lists.

Jeff Triplett, one of the six people who nominated Adam, had this to say about him:

I think Adam Johnson has done an incredible amount of work and deserves recognition. Between his numerous Django-focused OSS work, his work on Django itself, being on the Technical Board, his weekly blogging efforts, organizing the London Django meetups, speaking at conferences, and being a friendly and welcoming community member with his online persona. I have never formally met Adam, but he seems like a genuinely nice person too.

Other nominations for this year included:

  • Andrew Godwin
  • Anna Makarudze
  • Carlton Gibson
  • Dawn Wages
  • Frank Wiles
  • Haris Khan
  • Mowa Ijasanmi
  • Paolo Melchiorre
  • Simon Drabble

Each year we receive many nominations, and it is always hard to pick the winner. This year we received the highest number of nominations ever received for the Malcolm Tredinnick Memorial Prize, with some people being nominated twice and the highest being nominated six times. Some people have been nominated in multiple years, so if your nominee didn’t make it this year, you can always nominate them again next year.

Malcolm would be very proud of the legacy he has fostered in our community!

From The Django weblog at 2021-12-08 14:23:55

2022 DSF Board Election Results

Here are the results of this year's election in order of most votes:

  1. Anna Makarudze
  2. William Vincent
  3. Aaron Bassett
  4. Kátia Nakamura
  5. Chaim Kirby
  6. Mfon Eti-mfon
  7. Žan Anderle

Congratulations to our winners. Our board meeting next week will close out 2021 business, ratify the election, and get down to the work of forging the future of the DSF.

Special thanks to all of the candidates we had this year. It is great to see a robust desire to participate in furthering the work of the DSF. The DSF simply isn't possible without the help of all of our volunteers.

From The Django weblog at 2021-12-07 09:26:10

Django 4.0 released

The Django team is happy to announce the release of Django 4.0.

The release notes cover the abundance of new features in detail, but a few highlights are:

You can get Django 4.0 from our downloads page or from the Python Package Index. The PGP key ID used for this release is Mariusz Felisiak: 2EF56372BA48CD1B.

With the release of Django 4.0, Django 3.2 has reached the end of mainstream support. The final minor bug fix release, 3.2.10, was issued today. Django 3.2 is an LTS release and will receive security and data loss fixes until April 2024. All users are encouraged to upgrade before then to continue receiving fixes for security issues.

Django 3.1 has reached the end of extended support. The final security release (3.1.14) was issued today. All Django 3.1 users are encouraged to upgrade to Django 3.2 or later.

See the downloads page for a table of supported versions and the future release schedule.

From The Django weblog at 2021-12-07 07:35:47

Django security releases issued: 3.2.10, 3.1.14, and 2.2.25

In accordance with our security release policy, the Django team is issuing Django 3.2.10, Django 3.1.14, and Django 2.2.25. These releases address the security issue detailed below. We encourage all users of Django to upgrade as soon as possible.

CVE-2021-44420: Potential bypass of an upstream access control based on URL paths

HTTP requests for URLs with trailing newlines could bypass an upstream access control based on URL paths.

This issue has low severity, according to the Django security policy.

Thanks to Sjoerd Job Postmus and TengMA(@te3t123) for the report.
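The post does not describe how a trailing newline gets past a path check. As an added illustration (this is not Django's resolver code, and the route, prefix and helper names are this example's own), here is one well-known way such a mismatch arises in Python: the `re` module lets `$` match just before a final `"\n"`, so a route anchored with `$` treats `admin/\n` as `admin/`, while an upstream rule comparing the raw path string does not. The defensive checks shown are anchoring with `\Z` (or `fullmatch()`) and rejecting control characters at the edge before any path-based decision.

```python
import re

# Constructed routes for this example (not Django's own resolver code).
# In Python's re module "$" also matches just before a trailing "\n";
# "\Z" matches only at the true end of the string.
LOOSE_ADMIN = re.compile(r"^admin/$")
STRICT_ADMIN = re.compile(r"^admin/\Z")


def route_matches(route: re.Pattern, path: str) -> bool:
    """Anchored route match the way a resolver would do it with search()."""
    return route.search(path) is not None


def strict_route_matches(route: re.Pattern, path: str) -> bool:
    """Same check, but a pattern written with a trailing '$' is applied with
    fullmatch(), so a trailing newline can no longer satisfy the anchor."""
    if route.pattern.endswith("$"):
        return route.fullmatch(path) is not None
    return route.search(path) is not None


def has_control_chars(path: str) -> bool:
    """Edge check: flag ASCII control characters (NUL..0x1F and DEL) in a path
    before any path-based access decision is taken."""
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in path)


def upstream_and_app_agree(route: re.Pattern, protected_prefix: str, path: str) -> bool:
    """True when a raw-string prefix rule (as an upstream proxy might apply) and
    the application's strict routing reach the same verdict about `path`.

    A False result is the condition to test for: the two layers see different
    resources for the same request line."""
    upstream_protected = path.startswith(protected_prefix) and not has_control_chars(path)
    app_protected = strict_route_matches(route, path)
    return upstream_protected == app_protected


if __name__ == "__main__":
    for candidate in ("admin/", "admin/\n", "admin"):
        print(repr(candidate),
              "loose:", route_matches(LOOSE_ADMIN, candidate),
              "strict:", strict_route_matches(LOOSE_ADMIN, candidate),
              "control chars:", has_control_chars(candidate))
```

The practical rule this encodes: when a path decision is made in two places (a proxy and the application), both must normalise or reject the same inputs, and route regexes should be anchored with `\Z` or matched with `fullmatch()` rather than `$`.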

Affected supported versions

  • Django main branch
  • Django 4.0 (which will be released in a separate blog post later today)
  • Django 3.2
  • Django 3.1
  • Django 2.2

Resolution

Patches to resolve the issue have been applied to Django's main branch and the 4.0, 3.2, 3.1, and 2.2 release branches. The patches may be obtained from the following changesets:

The following releases have been issued:

The PGP key ID used for this release is Mariusz Felisiak: 2EF56372BA48CD1B.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.

From The Django weblog at 2021-11-22 06:39:46

Django 4.0 release candidate 1 released

Django 4.0 release candidate 1 is the final opportunity for you to try out the abundance of new features before Django 4.0 is released.

The release candidate stage marks the string freeze and the call for translators to submit translations. Provided no major bugs are discovered that can't be solved in the next two weeks, Django 4.0 will be released on or around December 6. Any delays will be communicated on the django-developers mailing list thread.

Please use this opportunity to help find and fix bugs (which should be reported to the issue tracker). You can grab a copy of the package from our downloads page or on PyPI.

The PGP key ID used for this release is Mariusz Felisiak: 2EF56372BA48CD1B.

From The Django weblog at 2021-11-16 06:00:30

2022 DSF Board Nominations

It is that time again to begin to elect next year’s Django Software Foundation’s Board of Directors!

As you know, the Board guides the direction of the marketing, governance, and outreach activities of the Django community. We provide funding, resources, and guidance to Django events on a global level. Further, we provide support to the Django community with an established Code of Conduct and make decisions and enforcement recommendations for violations. We work closely with our corporate and individual members to raise funds to help support our great community.

In order for our community to continue to grow and advance the Django Web framework, we need your help. The Board of Directors consists of volunteers who are elected to one-year terms. This is an excellent opportunity to help advance Django. We can’t do it without volunteers, such as yourself. For the most part, the time commitment is a few hours per month. Anyone including current Board members, DSF Members, or the public at large can apply to the Board. It is open to all who wish to participate.

If you are interested in helping to support the development of Django we’d enjoy receiving your application for the Board of Directors. Please fill out the application form by November 30th, 2021 AoE to be considered. Once we have our candidates we will open a week-long voting period.

If you have any questions about applying, the work, or the process in general please don’t hesitate to reach out via email to foundation@djangoproject.com and one of us will get back to you shortly.

Thank you for your time and we look forward to working with you in 2022.

The 2021 DSF Board of Directors

Application Form.

From The Django weblog at 2021-11-12 06:00:30

Nominations for 2021 Malcolm Tredinnick Memorial Prize

Hello Everyone!

It is that time of year again when we recognize someone from our community in memory of our friend Malcolm.

Malcolm was an early core contributor to Django and had both a huge influence and impact on Django as we know it today. Besides being knowledgeable he was also especially friendly to new users and contributors. He exemplified what it means to be an amazing Open Source contributor. We still miss him to this day.

The DSF Prize page summarizes the prize nicely:

The Malcolm Tredinnick Memorial Prize is a monetary prize, awarded annually, to the person who best exemplifies the spirit of Malcolm’s work - someone who welcomes, supports and nurtures newcomers; freely gives feedback and assistance to others, and helps to grow the community. The hope is that the recipient of the award will use the award stipend as a contribution to travel to a community event -- a DjangoCon, a PyCon, a sprint -- and continue in Malcolm’s footsteps.

We will take nominations until Thursday, November 26th, 2021 AoE and will announce the winner soon after the next DSF Board meeting in December.

Please make your nominations using this Google form.

If you have any questions please reach out to the DSF Board at foundation@djangoproject.com.

From The Django weblog at 2021-11-01 09:28:25

Django bugfix release: 3.2.9

Today we've issued the 3.2.9 bugfix release.

The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Mariusz Felisiak: 2EF56372BA48CD1B.

From The Django weblog at 2021-10-25 10:14:33

Django 4.0 beta 1 released

Django 4.0 beta 1 is now available. It represents the second stage in the 4.0 release cycle and is an opportunity for you to try out the changes coming in Django 4.0.

Django 4.0 has an abundance of new features which you can read about in the in-development 4.0 release notes.

Only bugs in new features and regressions from earlier versions of Django will be fixed between now and 4.0 final (also, translations will be updated following the "string freeze" when the release candidate is issued). The current release schedule calls for a release candidate in a month from now with the final release to follow about two weeks after that around December 6. Early and often testing from the community will help minimize the number of bugs in the release. Updates on the release schedule are available on the django-developers mailing list.

As with all alpha and beta packages, this is not for production use. But if you'd like to take some of the new features for a spin, or to help find and fix bugs (which should be reported to the issue tracker), you can grab a copy of the beta package from our downloads page or on PyPI.

The PGP key ID used for this release is Mariusz Felisiak: 2EF56372BA48CD1B.

From The Django weblog at 2021-10-05 08:54:58

Django bugfix release: 3.2.8

Today we've issued the 3.2.8 bugfix release.

The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Carlton Gibson: E17DF5C82B4F9D00.

From The Django weblog at 2021-09-21 20:10:46

Django 4.0 alpha 1 released

Django 4.0 alpha 1 is now available. It represents the first stage in the 4.0 release cycle and is an opportunity for you to try out the changes coming in Django 4.0.

Django 4.0 has an abundance of new features which you can read about in the in-development 4.0 release notes.

This alpha milestone marks the feature freeze. The current release schedule calls for a beta release in about a month and a release candidate about a month from then. We'll only be able to keep this schedule if we get early and often testing from the community. Updates on the release schedule are available on the django-developers mailing list.

As with all alpha and beta packages, this is not for production use. But if you'd like to take some of the new features for a spin, or to help find and fix bugs (which should be reported to the issue tracker), you can grab a copy of the alpha package from our downloads page or on PyPI.

The PGP key ID used for this release is Mariusz Felisiak: 2EF56372BA48CD1B.

From The Django weblog at 2021-09-01 06:54:22

Django bugfix release: 3.2.7

Today we've issued the 3.2.7 bugfix release.

The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Mariusz Felisiak: 2EF56372BA48CD1B.

From The Django weblog at 2021-08-04 13:49:12

2021 Django Developers Survey

The 2021 Django Developers Survey is now live. Please take a moment to fill it out. The survey sheds light on how different developers use Django and the related tools and technologies. After the survey is over, the aggregated results and anonymized raw data will be published.

From The Django weblog at 2021-08-01 07:31:58

Django bugfix release: 3.2.6

Today we've issued the 3.2.6 bugfix release.

The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Carlton Gibson: E17DF5C82B4F9D00.

From The Django weblog at 2021-07-01 07:42:04

Django security releases issued: 3.2.5 and 3.1.13

In accordance with our security release policy, the Django team is issuing Django 3.2.5 and Django 3.1.13. These releases address the security issue with severity "high" detailed below. We encourage all users of Django to upgrade as soon as possible.

CVE-2021-35042: Potential SQL injection via unsanitized QuerySet.order_by() input

Unsanitized user input passed to QuerySet.order_by() could bypass the intended column reference validation in a path marked for deprecation, resulting in a potential SQL injection even if a deprecation warning is emitted.

As a mitigation the strict column reference validation was restored for the duration of the deprecation period. This regression appeared in 3.1 as a side effect of fixing #31426.

The issue is not present in the main branch as the deprecated path has been removed.

Thanks to Joel Saunders for the report.
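Whatever validation the ORM performs, an application should not hand a client-supplied ordering string to `order_by()` unchecked. As an added example (not Django project code; the allow-list, default ordering and helper names are this example's own), here is an allow-list parser that converts a query-string value such as `-created,name` into a tuple safe to unpack into `order_by()`, and rejects anything that is not a known field reference, so the decision does not depend on which column-reference checks the ORM keeps or deprecates in a given release:

```python
import re

# Added example; not Django project code. The allow-list and default are
# constructed for the demonstration and would come from the view/model in use.
ALLOWED_ORDER_FIELDS = frozenset({"id", "created", "name", "author__name"})
DEFAULT_ORDERING = ("-created",)

# A plain field reference: optional leading "-", identifier characters, and
# "__" lookups. Quotes, parentheses, spaces and other punctuation cannot pass.
_FIELD_REF = re.compile(r"\A-?[A-Za-z_][A-Za-z0-9_]*(?:__[A-Za-z_][A-Za-z0-9_]*)*\Z")


class InvalidOrdering(ValueError):
    """Raised for any ordering entry that is not an allow-listed field."""


def parse_ordering(raw, allowed=ALLOWED_ORDER_FIELDS, default=DEFAULT_ORDERING):
    """Convert a client-supplied ordering string ("-created,name") into a tuple
    that is safe to unpack into QuerySet.order_by(*fields).

    Validation is an allow-list on the field name, applied before the value
    reaches the ORM. A missing or blank value falls back to the default.
    """
    if raw is None or not raw.strip():
        return tuple(default)
    fields = []
    for entry in raw.split(","):
        if not _FIELD_REF.match(entry):
            raise InvalidOrdering(f"malformed ordering entry: {entry!r}")
        if entry.lstrip("-") not in allowed:
            raise InvalidOrdering(f"field is not sortable: {entry!r}")
        fields.append(entry)
    return tuple(fields)


def is_valid_ordering(raw) -> bool:
    """Boolean wrapper for callers that only need to decide on a 400 response."""
    try:
        parse_ordering(raw)
    except InvalidOrdering:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs: the first two are acceptable, the rest are not.
    for sample in ("-created,name", "author__name", "password", "name);--", "name "):
        print(repr(sample), "->", parse_ordering(sample) if is_valid_ordering(sample) else "rejected")
```

In a view the call site would be `queryset.order_by(*parse_ordering(request.GET.get("ordering")))`, with `InvalidOrdering` mapped to a 400 response rather than swallowed.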

Affected supported versions

  • Django 3.2
  • Django 3.1

Resolution

Patches to resolve the issue have been applied to Django's 3.2 and 3.1 release branches. The patches may be obtained from the following changesets:

The following releases have been issued:

The PGP key ID used for this release is Mariusz Felisiak: 2EF56372BA48CD1B.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.

From The Django weblog at 2021-06-02 10:07:49

Django security releases issued: 3.2.4, 3.1.12, and 2.2.24

In accordance with our security release policy, the Django team is issuing Django 3.2.4, Django 3.1.12, and Django 2.2.24. These releases address the security issue detailed below. We encourage all users of Django to upgrade as soon as possible.

CVE-2021-33203: Potential directory traversal via admindocs

Staff members could use the admindocs TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by the developers to also expose the file contents, then not only the existence but also the file contents would have been exposed.

As a mitigation, path sanitation is now applied and only files within the template root directories can be loaded.

This issue has low severity, according to the Django security policy.

Thanks to Rasmus Lerchedahl Petersen and Rasmus Wriedt Larsen from the CodeQL Python team for the report.

CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses

URLValidator, validate_ipv4_address(), and validate_ipv46_address() didn't prohibit leading zeros in octal literals. If you used such values you could suffer from indeterminate SSRF, RFI, and LFI attacks.

validate_ipv4_address() and validate_ipv46_address() validators were not affected on Python 3.9.5+.

This issue has medium severity, according to the Django security policy.

Affected supported versions

  • Django main branch
  • Django 3.2
  • Django 3.1
  • Django 2.2

Resolution

Patches to resolve the issue have been applied to Django's main branch and to the 3.2, 3.1, and 2.2 release branches. The patches may be obtained from the following changesets.

CVE-2021-33203:

CVE-2021-33571:

The following releases have been issued:

The PGP key ID used for these releases is Carlton Gibson: E17DF5C82B4F9D00.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.

From The Django weblog at 2021-05-26 18:45:15

Django IRC Channels migration to Libera.Chat

At approximately 3 am UTC on May 26, 2021, the operators of the Freenode IRC network assumed control of the #django* channels on that network. This means that representatives of the Django community no longer retain the ability to enforce Django's Code of Conduct on the Freenode IRC network. Additionally, we do not have the ability to set a topic on Django-related IRC channels on this network.

Please join us in #django and #django-dev on Libera.Chat for discussion of the usage and development of Django, respectively. Additionally, you may refer to our documentation on Contributing to Django for some of the other options available to you for discussion of the usage and development of Django.

From The Django weblog at 2021-05-14 14:19:49

Django 4.x Technical Board Election Results

The Technical Board for the Django 4.x release cycle will be:

  • Andrew Godwin
  • Florian Apolloner
  • Simon Charette
  • Adam Johnson
  • Thomas Forbes

Congratulations to the new board and a special thank you to departing Technical Board members James Bennett and Markus Holtermann.

Thank you to everyone who participated in the nominations and voting.

Voting breakdown:

  • 49 eligible voters opted in to voting
  • 46 eligible voters cast votes

Condorcet pairwise evaluation results

  1. Andrew Godwin (Condorcet winner: wins contests with all other choices)
  2. Florian Apolloner loses to Andrew Godwin by 25–8
  3. Simon Charette loses to Andrew Godwin by 28–7, loses to Florian Apolloner by 23–9
  4. Adam Johnson loses to Andrew Godwin by 27–9, loses to Simon Charette by 19–18
  5. Thomas Forbes loses to Andrew Godwin by 30–4, loses to Adam Johnson by 25–5

From The Django weblog at 2021-05-13 08:30:54

Django bugfix releases issued: 3.2.3, 3.1.11, and 2.2.23

Today we've issued 3.2.3, 3.1.11, and 2.2.23 bugfix releases.

The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Mariusz Felisiak: 2EF56372BA48CD1B.

From The Django weblog at 2021-05-06 07:17:54

Django security releases issued: 3.2.2, 3.1.10, and 2.2.22

In accordance with our security release policy, the Django team is issuing Django 3.2.2, Django 3.1.10, and Django 2.2.22. These releases address the security issue with severity "moderate" detailed below. We encourage all users of Django to upgrade as soon as possible.

CVE-2021-32052: Header injection possibility since URLValidator accepted newlines in input on Python 3.9.5+

On Python 3.9.5+, URLValidator didn't prohibit newlines and tabs. If you used values with newlines in an HTTP response, you could suffer from header injection attacks. Django itself wasn't vulnerable because HttpResponse prohibits newlines in HTTP headers.

Moreover, the URLField form field which uses URLValidator silently removes newlines and tabs on Python 3.9.5+, so the possibility of newlines entering your data only existed if you were using this validator outside of the form fields.

This issue was introduced by the bpo-43882 fix.
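Both of the URLValidator issues on this page (CVE-2021-32052 above, and CVE-2021-33571 regarding leading zeros in IPv4 octets) share one lesson: validate the raw string before a lenient parser gets to normalise it. As an added example (not Django's URLValidator; the function names and the sample URLs are this example's own), the validator below rejects tab, CR and LF outright, because `urlsplit()` on Python 3.9.5+ silently strips those characters, and then applies a strict dotted-quad check to numeric hosts so that an octet with a leading zero, which different parsers read as octal or decimal, is never accepted:

```python
import re
from urllib.parse import urlsplit

# Added example; not Django's URLValidator. Helper names are this example's own.
_FORBIDDEN = frozenset("\t\r\n")
_OCTET = re.compile(r"\A(?:0|[1-9][0-9]{0,2})\Z")   # decimal, no leading zeros


def strict_ipv4(host: str) -> bool:
    """Accept exactly four decimal octets 0-255 written without leading zeros.

    "010.1.1.1" and "1.01.1.1" are rejected: some parsers read a leading zero
    as octal and others as decimal, so a validator that lets it through cannot
    know which address a later connection will actually use.
    """
    parts = host.split(".")
    if len(parts) != 4:
        return False
    return all(_OCTET.match(p) and int(p) <= 255 for p in parts)


def looks_like_ipv4(host: str) -> bool:
    """Digits and dots only: the host is claiming to be an IPv4 literal."""
    return re.fullmatch(r"[0-9.]+", host) is not None


def validate_url(value: str) -> str:
    """Return value unchanged if it passes; raise ValueError with a reason if not.

    1. Reject tab/CR/LF before parsing: urlsplit() on Python 3.9.5+ removes
       them, so a check on the parsed parts would never see them.
    2. Require an http/https scheme and a non-empty host.
    3. If the host is numeric, require a strict dotted quad.
    """
    if any(ch in _FORBIDDEN for ch in value):
        raise ValueError("URL contains a newline or tab")
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https"):
        raise ValueError("unsupported scheme")
    host = parts.hostname or ""
    if not host:
        raise ValueError("missing host")
    if looks_like_ipv4(host) and not strict_ipv4(host):
        raise ValueError("malformed IPv4 host")
    return value


def is_valid_url(value: str) -> bool:
    try:
        validate_url(value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed samples: the first two pass, the remaining ones are rejected.
    for sample in ("https://example.com/path?q=1", "http://10.0.0.1:8080/",
                   "http://10.0.0.1/\n", "http://exam\tple.com/", "http://010.0.0.1/"):
        print(repr(sample), "->", is_valid_url(sample))
```

The order of the checks is the point: the control-character test runs on the untouched input, and only then is the string handed to `urlsplit()`.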

Affected supported versions

  • Django main branch
  • Django 3.2
  • Django 3.1
  • Django 2.2

Resolution

Patches to resolve the issue have been applied to Django's main branch and to the 3.2, 3.1, and 2.2 release branches. The patches may be obtained from the following changesets:

The following releases have been issued:

The PGP key ID used for this release is Mariusz Felisiak: 2EF56372BA48CD1B.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.

From The Django weblog at 2021-05-04 17:25:25

PyCharm & DSF Campaign 2021 Results

The fifth annual JetBrains PyCharm promotion in April netted the Django Software Foundation $45,000 this year, a slight increase over the $40,000 raised last year.

This amount represents roughly 20% of the DSF's overall budget, which goes directly into funding the continued development and support of Django via the Django Fellowship program and Django conferences worldwide.

Django Software Foundation

The Django Software Foundation is the non-profit foundation that supports the development of the Django Web framework. It funds the Django Fellowship program, which currently supports two Fellows who triage tickets, review/merge patches from the community, and work on infrastructure. The introduction of this program starting in 2015 has gone a long way towards ensuring a consistent major release cycle and the fixing/blocking of severe bugs. DSF also funds development sprints, community events like DjangoCons, and related conferences and workshops globally.

Fundraising is still ongoing and you can donate directly at djangoproject.com/fundraising.

From The Django weblog at 2021-05-04 09:51:35

Django security releases issued: 3.2.1, 3.1.9, and 2.2.21

In accordance with our security release policy, the Django team is issuing Django 3.2.1, Django 3.1.9, and Django 2.2.21. These releases address the security issue detailed below. We encourage all users of Django to upgrade as soon as possible.

CVE-2021-31542: Potential directory-traversal via uploaded files

MultiPartParser, UploadedFile, and FieldFile allowed directory-traversal via uploaded files with suitably crafted file names.

In order to mitigate this risk, stricter basename and path sanitation is now applied. Specifically, empty file names and paths with dot segments will be rejected.

This issue has low severity, according to the Django security policy.

Thank you to Jasu Viding for the report.

Affected supported versions

  • Django main branch
  • Django 3.2
  • Django 3.1
  • Django 2.2

Resolution

Patches to resolve the issue have been applied to Django's main branch and to the 3.2, 3.1, and 2.2 release branches. The patches may be obtained from the following changesets:

The following releases have been issued:

The PGP key ID used for these releases is Carlton Gibson: E17DF5C82B4F9D00.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.

From The Django weblog at 2021-04-21 14:33:28

Technical Board Candidate Registration

With the completion of the Django 3.x major release cycle and in accordance with DEP-10 it is now time to collect candidates for the Django Technical Board.

According to DEP-10, "Any qualified person may register as a candidate; the candidate registration form and roster of candidates SHALL be maintained by the DSF Board, and candidates MUST provide evidence of their qualifications as part of registration. The DSF Board MAY challenge and reject the registration of candidates it believes do not meet the qualifications of members of the Technical Board, or who it believes are registering in bad faith."

To make this process as simple but useful as possible, we are only requiring you to enter your name, email, and a bio/evidence of qualifications. There are optional fields for your GitHub, Twitter, and website which can be useful for evaluating your qualifications.

Your email address will only be used by the DSF to contact you related to the election and process and will not be shared publicly.

Registration for Candidates will end on April 27th, 2021 AoE.

Please register using this form.

If you have questions about the election please contact foundation@djangoproject.com.

From The Django weblog at 2021-04-14 17:55:52

Django Debug Toolbar security releases issued: 3.2.1, 2.2.1 and 1.11.1.

In accordance with the security release policies that Django and Jazzband are following, the Jazzband project team for the Django Debug Toolbar project is issuing Django Debug Toolbar 3.2.1, Django Debug Toolbar 2.2.1 and Django Debug Toolbar 1.11.1. These releases address the security issue with severity "high" detailed below. We encourage all users of Django Debug Toolbar to upgrade as soon as possible.

CVE-2021-30459 - SQL Injection via Select, Explain and Analyze forms of the SQLPanel for Django Debug Toolbar >= 0.10.0

With Django Debug Toolbar 0.10.0 and above, attackers are able to execute SQL by changing the raw_sql input of the SQL explain, analyze or select forms and submitting the form.

This is a high severity issue for anyone using the toolbar in a production environment.

Generally the Django Debug Toolbar team only maintains the latest version of django-debug-toolbar, but an exception was made because of the high severity of this issue.

The GitHub Security Advisory can be found here:

https://github.com/jazzband/django-debug-toolbar/security/advisories/GHSA-pghf-347x-c2gj

Affected supported versions

  • Django Debug Toolbar main branch
  • Django Debug Toolbar 3.2
  • Django Debug Toolbar 2.2
  • Django Debug Toolbar 1.11

Resolution

Patches to resolve the issue have been applied to Django Debug Toolbar's main branch (for the 3.2 release) and the 2.2 and 1.11 release branches. The patches may be obtained from the following changesets:

The following releases have been issued:

General notes regarding security reporting

Since this security release is for the third-party Django app Django Debug Toolbar, we ask that potential security issues be sent via private email to security@jazzband.co, and not to Django's regular security email address, nor Django's Trac instance or the django-developers list.

From The Django weblog at 2021-04-13 20:16:09

Announcement of 4.x Technical Board Election Registration

The release last week of Django 3.2 represents the final feature release of a major release series of Django. Per DEP-10 this release triggers the election for the Technical board for the Django 4.x release cycle.

All DSF members are automatically registered electors.

If you are not a DSF member and would like to apply to vote you need to register here.

The process of electing a new Technical Board will be:

  • Registration of Electors is open for one week and ending Tuesday April 20th, 2021 AoE
  • Registration of Candidates will then be open for one week ending Tuesday April 27th, 2021 AoE
  • On Tuesday May 4th all registered and approved electors will receive an email to the email address they are registered with along with a unique code to be used when voting
  • Voting will be open for one week from May 4th
  • The results of the election will be announced when voting is finished.

If you have any questions about the election please contact foundation@djangoproject.com.

Chaim Kirby,

Secretary, Django Software Foundation

From The Django weblog at 2021-04-06 10:35:20

Django 3.2 released

The Django team is happy to announce the release of Django 3.2.

This version has been designated as a long-term support (LTS) release, which means that security and data loss fixes will be applied for at least the next three years. It will also receive fixes for crashing bugs, major functionality bugs in newly-introduced features, and regressions from older versions of Django for the next eight months until December 2021.

As always, the release notes cover the mezcla of new features in detail, but a few highlights are:

You can get Django 3.2 from our downloads page or from the Python Package Index. The PGP key ID used for this release is Carlton Gibson: E17DF5C82B4F9D00.

With the release of Django 3.2, Django 3.1 has reached the end of mainstream support. The final minor bug fix release, 3.1.8, was issued today. Django 3.1 will receive security and data loss fixes until December 2021. All users are encouraged to upgrade before then to continue receiving fixes for security issues.

Django 3.0 has reached the end of extended support. The final security release (3.0.14) was issued today. All Django 3.0 users are encouraged to upgrade to Django 3.1 or later.

See the downloads page for a table of supported versions and the future release schedule.

From The Django weblog at 2021-04-06 07:42:25

Django security releases issued: 3.1.8, 3.0.14, and 2.2.20

In accordance with our security release policy, the Django team is issuing Django 3.1.8, Django 3.0.14 and Django 2.2.20. These releases address the security issue with severity "low" detailed below. We encourage all users of Django to upgrade as soon as possible.

CVE-2021-28658: Potential directory-traversal via uploaded files

MultiPartParser allowed directory-traversal via uploaded files with suitably crafted file names.

Built-in upload handlers were not affected by this vulnerability.

Thank you to Dennis Brinkrolf for the report.
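The three directory-traversal advisories on this page (CVE-2021-33203 for admindocs template loading, and CVE-2021-31542 and CVE-2021-28658 for uploaded file names) are mitigated by two related checks: reject a client-supplied name that is empty or contains dot segments, and, when a path is built from a trusted root plus an untrusted remainder, resolve it and prove it is still under the root. As an added example (not Django's MultiPartParser, storage or admindocs code; the class and function names, sample roots and file names are this example's own), both checks are shown together:

```python
import os

# Added example, not Django's own MultiPartParser/storage/admindocs code.
# Sample roots and file names used below are constructed for the demonstration.


class UnsafePath(ValueError):
    """Raised when a client-supplied name or path would leave its directory."""


def sanitize_upload_name(name: str) -> str:
    """Reduce an uploaded file name to a bare basename, or raise UnsafePath.

    Both '/' and '\\' count as separators (browsers on Windows send
    backslashes). The name is rejected outright when it is empty, when any
    component is a dot segment ('.' or '..'), or when it contains a NUL byte.
    Rejecting, rather than silently repairing, keeps bad input visible in logs.
    """
    if "\x00" in name:
        raise UnsafePath("NUL byte in file name")
    components = name.replace("\\", "/").split("/")
    if any(c in (".", "..") for c in components):
        raise UnsafePath(f"dot segment in file name: {name!r}")
    base = components[-1].strip()
    if not base:
        raise UnsafePath(f"empty file name: {name!r}")
    return base


def safe_join(root: str, relative: str) -> str:
    """Join relative onto root and prove the result is still inside root.

    Resolution happens before the comparison, so '..' segments, absolute
    paths (which os.path.join lets override root) and a sibling directory that
    merely shares root's prefix ("/srv/templates2" beside "/srv/templates")
    are all caught by the commonpath test.
    """
    root_abs = os.path.abspath(root)
    final = os.path.abspath(os.path.join(root_abs, relative))
    if os.path.commonpath([root_abs, final]) != root_abs:
        raise UnsafePath(f"{relative!r} escapes {root!r}")
    return final


def candidate_template_paths(template_roots, relative: str) -> list:
    """Resolve a template name against each configured root, keeping only the
    candidates that stay inside their root. The existence check a real loader
    would perform next is omitted so this runs without touching a filesystem."""
    found = []
    for root in template_roots:
        try:
            found.append(safe_join(root, relative))
        except UnsafePath:
            continue
    return found


def is_safe_upload_name(name: str) -> bool:
    try:
        sanitize_upload_name(name)
    except UnsafePath:
        return False
    return True


if __name__ == "__main__":
    roots = ["/srv/app/templates", "/srv/lib/templates"]   # constructed roots
    for rel in ("admin/base.html", "../settings.py", "/etc/hostname"):
        print(repr(rel), "->", candidate_template_paths(roots, rel))
    for name in ("report.pdf", "C:\\Users\\me\\report.pdf", "..", "", "a\x00.txt"):
        print(repr(name), "->", is_safe_upload_name(name))
```

Note that `safe_join` compares paths after `abspath()` but does not follow symlinks; if the root may contain links pointing outside it, substitute `os.path.realpath()` for `abspath()` in both places.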

Affected supported versions

  • Django main branch
  • Django 3.2 (which will be released in a separate blog post later today)
  • Django 3.1
  • Django 3.0
  • Django 2.2

Resolution

Patches to resolve the issue have been applied to Django's main branch and the 3.2, 3.1, 3.0, and 2.2 release branches. The patches may be obtained from the following changesets:

The following releases have been issued:

The PGP key ID used for this release is Mariusz Felisiak: 2EF56372BA48CD1B.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.

From The Django weblog at 2021-04-01 12:00:00

PyCharm & DSF Campaign 2021

For the fifth year in a row, Django is partnering with JetBrains PyCharm on the following promotion: 30% off the purchase of any new individual PyCharm Professional licenses with the full proceeds benefitting the Django Software Foundation. The promotion will last 28 days from April 1, 2021 to April 29, 2021.

“The Django and PyCharm partnership has become one of the major fundraising activities of the Django Software Foundation for several years now. We look forward to it each year, and we hope this year will be as great as it always is, or even better. On behalf of the Django Software Foundation and Django community, I would like to express our deepest gratitude to JetBrains for their generosity and support.” - Anna Makarudze, DSF President

From The Django weblog at 2021-03-18 14:03:56

Django 3.2 release candidate 1 released

Django 3.2 release candidate 1 is the final opportunity for you to try out the mezcla of new features before Django 3.2 is released.

The release candidate stage marks the string freeze and the call for translators to submit translations. Provided no major bugs are discovered that can't be solved in the next two weeks, Django 3.2 will be released on or around April 6. Any delays will be communicated on the django-developers mailing list thread.

Please use this opportunity to help find and fix bugs (which should be reported to the issue tracker). You can grab a copy of the package from our downloads page or on PyPI.

The PGP key ID used for these releases is Carlton Gibson: E17DF5C82B4F9D00.

From The Django weblog at 2021-02-19 09:37:27

Django 3.2 beta 1 released

Django 3.2 beta 1 is now available. It represents the second stage in the 3.2 release cycle and is an opportunity for you to try out the changes coming in Django 3.2.

Django 3.2 has a mescla of new features which you can read about in the in-development 3.2 release notes.

Only bugs in new features and regressions from earlier versions of Django will be fixed between now and 3.2 final (also, translations will be updated following the "string freeze" when the release candidate is issued). The current release schedule calls for a release candidate in a month from now with the final release to follow about two weeks after that around April 6. Early and often testing from the community will help minimize the number of bugs in the release. Updates on the release schedule are available on the django-developers mailing list.

As with all alpha and beta packages, this is not for production use. But if you'd like to take some of the new features for a spin, or to help find and fix bugs (which should be reported to the issue tracker), you can grab a copy of the beta package from our downloads page or on PyPI.

The PGP key ID used for these releases is Carlton Gibson: E17DF5C82B4F9D00.

From The Django weblog at 2021-02-19 09:09:31

Django security releases issued: 3.1.7, 3.0.13 and 2.2.19

In accordance with our security release policy, the Django team is issuing Django 3.1.7, Django 3.0.13, and Django 2.2.19. These releases address the security issue detailed below. We encourage all users of Django to upgrade as soon as possible.

CVE-2021-23336: Web cache poisoning via django.utils.http.limited_parse_qsl()

Django contains a copy of urllib.parse.parse_qsl() which was added to backport some security fixes. A further security fix has been issued recently such that parse_qsl() no longer allows using ; as a query parameter separator by default. Django now includes this fix. See bpo-42967 for further details.
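To make the separator change concrete, here is an added example (my own code, not Django's limited_parse_qsl() or CPython's parse_qsl()): a minimal query-string parser whose separator set is a parameter, so the pre-fix behaviour (both `&` and `;` split parameters) and the post-fix behaviour (only `&` splits) can be compared on the same input. The `parsers_disagree()` check flags query strings that an `&`-only intermediary such as a cache and a `;`-accepting application would parse differently, which is the discrepancy the cache-poisoning class depends on. Since bpo-42967, CPython's parse_qsl() defaults to `separator='&'` and exposes a `separator` keyword; the sample query string below is constructed.

```python
from urllib.parse import unquote_plus

# Added example, not Django's or CPython's code: a minimal parse_qsl clone
# whose separator set is a parameter, so both behaviours can be compared.
LEGACY_SEPARATORS = ("&", ";")  # pre-fix: both characters split parameters
FIXED_SEPARATORS = ("&",)       # post-fix: only '&' splits, ';' is ordinary data


def parse_qsl_with_separators(query, separators):
    """Split `query` on every character in `separators`, then each piece on '='."""
    pieces = [query]
    for sep in separators:
        pieces = [part for chunk in pieces for part in chunk.split(sep)]
    pairs = []
    for piece in pieces:
        if not piece:
            continue  # like parse_qsl's default, blank fields are dropped
        name, _, value = piece.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def parse_legacy(query):
    """Behaviour before the fix: ';' is accepted as a separator."""
    return parse_qsl_with_separators(query, LEGACY_SEPARATORS)


def parse_fixed(query):
    """Behaviour after the fix: only '&' separates parameters."""
    return parse_qsl_with_separators(query, FIXED_SEPARATORS)


def parsers_disagree(query):
    """True when an '&'-only parser (typical of caches and proxies) and the
    legacy ';'-accepting parser see different parameter lists. A query string
    for which this holds is worth logging or rejecting at the edge, because the
    cache and the application would otherwise key on different parameters."""
    return parse_legacy(query) != parse_fixed(query)


if __name__ == "__main__":
    sample = "page=1;lang=fr"  # constructed sample query string
    print("legacy:", parse_legacy(sample))
    print("fixed: ", parse_fixed(sample))
    print("disagree:", parsers_disagree(sample))
```

On the constructed input, the legacy parser yields two parameters (`page`, `lang`) while the fixed parser yields one (`page` with value `1;lang=fr`); after the fix, application and cache agree on what the parameters are.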

This issue has moderate severity, according to the Django security policy.

Affected supported versions

  • Django 3.2 (currently at beta status)
  • Django 3.1
  • Django 3.0
  • Django 2.2

Resolution

Patches to resolve the issue have been applied to the 3.2, 3.1, 3.0, and 2.2 release branches. The patches may be obtained from the following changesets:

The following releases have been issued:

The PGP key ID used for these releases is Carlton Gibson: E17DF5C82B4F9D00.

Django 3.2 beta 1 will be released in a separate blog post later today.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.

From The Django weblog at 2021-02-16 06:42:39

DjangoCon Europe 2021 Announcement

This announcement retracts the previous announcement regarding the hybrid DjangoCon Europe 2021. Sadly, this year we will not have the physical component; we are deeply sorry for our initial over-optimistic announcement.

We are happy to announce that DjangoCon Europe 2021 will take place online-only between June 2 and 6! The website will be online soon at 2021.djangocon.eu and it will be kept up to date with the latest updates. Don't forget to follow @djangoconeurope on Twitter.

Last year, we postponed several contracts with the venue, sound team, video team, catering, security, and other partnerships. Therefore, we were prepared to organize a hybrid conference with several "in-person" restrictions (incl. negative Covid-19 test and health authority inspection). In addition to that, we would offer the virtual conference to everyone who was not able, or not comfortable, to come to Portugal.

We do believe that the chosen date would already be safer for travel; nevertheless, the general idea behind the hybrid event was to give people the choice, not to enforce any option.

We meant to do a good thing, and bring the conference to the community in a safe environment. We can now see that we might have been either too optimistic in the best case or completely misread the situation in the worst case. We apologize for our mistake and accept the criticism which made us change our view on the subject. As a result, following the DSF board and members' remarks, a virtual-only conference is the only viable path.

Last year's edition was the first virtual DjangoCon Europe ever. The conference was a huge success with more than 800 registrants from 5 different continents. With the support of everyone from grants and sponsors, we were able to offer the community 500 registrations for free! This gave many people from underrepresented or marginalized groups, who would otherwise have been in a very difficult position to attend, access to the event. For example, there was a group of 18 students from the Cummins College of Engineering for Women in India.

For this edition, there is a lot to do, but it's very much worth it – DjangoCon Europe is an extremely friendly, open, inclusive, and informative (for beginners and advanced users alike) conference. Here are some themes and examples of activities and responsibilities that we seek help with:

  • Communications: Press, community relations, announcements, social media, attendee tools, volunteer coordination.
  • Support and hospitality: Helpdesk, attendee support contact, chat support for attendees, speaker support.
  • Financial Aid: Setup, grant selection, aid organization
  • Sponsors: Outreach to companies, organizing their virtual presence at the event, and other types of visibility.
  • Program: Committee work, talk selection, scheduling, session chairs, sprint/open space/keynote/lightning talks session organization (we will open the CFP soon!)
  • Code of Conduct: Drafting documents, handling of requests and issues.
  • Diversity advocate: Accessibility considerations and outreach (an online-only conference is an outstanding opportunity for inclusion).

Join us regardless of your prior experience: this is also an opportunity to learn! In other words, you don't have to be an expert to join. Apply through this form here.

Your location before and during the event is not significant, since it will be hosted in a virtual format. The only important thing is that you have the energy and free time to help organize a wonderful DjangoCon Europe. The official language of all these prior activities will be English, as well as the conference itself.

Don't be shy 😊. For any inquiries, you can email us at 2021@djangocon.eu or chat with us on Slack at DjangoConEurope2021.

From The Django weblog at 2021-02-01 15:00:00

DjangoCon Europe 2021 Announcement

We are happy to announce that DjangoCon Europe 2021 will take place in Porto, Portugal 🇵🇹 and online between June 2 and 6! The website will be online soon at 2021.djangocon.eu and it will be kept up to date with the latest updates. Don't forget to follow @djangoconeurope on Twitter.

Last year's edition was supposed to be physical, but as we are all aware that was not viable. Therefore, we organized a completely online DjangoCon Europe for the first time. The conference was a huge success with more than 800 registrants from 5 different continents. With the support of everyone from grants and sponsors, we were able to offer the community 500 registrations for free! This gave many people from under-represented or marginalised groups, who would otherwise have been in a very difficult position to attend, access to the event. For example, there was a group of 18 students from the Cummins College of Engineering For Women in India.

Taking into account the success and impact of the last DjangoCon Europe edition, we have decided to organize a hybrid conference this year. The conference will be held from Porto to the world, allowing for everyone's participation despite border restrictions and health issues.

The dates are already here (but don't rush into buying everything so soon because we'll have discounts for DjangoCon attendees and the dates are subject to change as you might expect):

  • Conference: June 2-4 (Wednesday-Friday)
  • Sprints/Workshops: June 5 and 6 (Saturday and Sunday)

There is a lot to do, but it's very much worth it – DjangoCon Europe is an extremely friendly, open, inclusive, and informative (for beginners and advanced users alike) conference. Here are some themes and examples of activities and responsibilities that we seek help with:

  • Communications: Press, community relations, announcements, social media, attendee tools, volunteer coordination
  • Support and hospitality: Helpdesk, attendee support contact, visa help, travel management, chat support for attendees, on-site volunteer organization, speaker support
  • Financial Aid: Setup, grant selection, aid organization
  • Sponsors: Outreach to companies, organizing their logistics at the event and other types of visibility
  • Program: Committee work, talk selection, scheduling, session chairs, sprint/open space/keynote/lightning talks session organization (we will open the CFP soon!)
  • Code of Conduct: Drafting documents, handling of requests and issues
  • Diversity advocate: Accessibility considerations, outreach on-site

Join us regardless of your prior experience: this is also an opportunity to learn! In other words, you don't have to be an expert to join. Apply through this form here.

Your location before and during the event is not significant, since it will be hosted in a hybrid format. We can do all things that need to be done in Porto ourselves. The only important thing is that you have the energy and free time to help organize a wonderful DjangoCon Europe. The official language of all these prior activities will be English, as well as the conference itself.

Don't be shy 😊. For any inquiries you can email us at 2021@djangocon.eu or chat with us on Slack at DjangoConEurope2021.

From The Django weblog at 2021-02-01 08:18:08

Django security releases issued: 3.1.6, 3.0.12, and 2.2.18

In accordance with our security release policy, the Django team is issuing Django 3.1.6, Django 3.0.12 and Django 2.2.18. These releases address the security issue with severity "low" detailed below. We encourage all users of Django to upgrade as soon as possible.

CVE-2021-3281: Potential directory-traversal via archive.extract()

The django.utils.archive.extract() function, used by startapp --template and startproject --template, allowed directory-traversal via an archive with absolute paths or relative paths with dot segments.
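The two unsafe member-name shapes named above, absolute paths and relative paths containing dot segments, are easy to screen for before any file is written. The following is an added example in my own code, not Django's archive.extract() or its patch: a member-name check that rejects both shapes (plus Windows drive-letter names), a constructed in-memory tar archive used as sample input, and a gate that lists the offending members so an archive can be refused before extraction. The member names in the sample are constructed.

```python
import io
import ntpath
import posixpath
import tarfile

# Added example, not Django's code. Screens archive member names for the two
# traversal shapes described in the advisory before anything is extracted.


def is_safe_member_name(name):
    """Accept only relative paths that cannot leave the extraction directory.

    Rejects empty names, POSIX-absolute names, Windows drive-letter names, and
    any path containing a '..' segment. A final normpath check guards against
    escapes that might survive the plain segment test.
    """
    if not name:
        return False
    normalized = name.replace("\\", "/")
    if normalized.startswith("/") or ntpath.splitdrive(normalized)[0]:
        return False
    if ".." in normalized.split("/"):
        return False
    return not posixpath.normpath(normalized).startswith("..")


def build_sample_archive(names):
    """Constructed in-memory tar archive whose member names are `names`.

    tarfile.addfile() stores names verbatim, so absolute and dot-segment
    paths end up in the archive exactly as a malicious template would carry them.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in names:
            payload = b"placeholder\n"
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def unsafe_members(archive_bytes):
    """Return member names that fail is_safe_member_name(), in archive order."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        return [m.name for m in tar.getmembers() if not is_safe_member_name(m.name)]


def members_are_safe(archive_bytes):
    """Gate to call before extracting a template archive: True only when every
    member name passes the check."""
    return not unsafe_members(archive_bytes)


if __name__ == "__main__":
    # Constructed sample: two benign members and four that would escape.
    sample = build_sample_archive([
        "myapp/models.py", "./myapp/views.py",
        "../outside.py", "/etc/passwd", "myapp/../../escape.py", "C:/win.py",
    ])
    print("unsafe members:", unsafe_members(sample))
    print("safe to extract:", members_are_safe(sample))
```

The check deliberately runs on the stored names rather than on paths already joined to the destination, so it can be applied to an archive fetched from a URL before the template is unpacked anywhere. It is a screening step, not a replacement for upgrading to a fixed Django release.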

Thank you to Wang Baohua for the report.

Affected supported versions

  • Django master branch
  • Django 3.2 (currently at alpha status)
  • Django 3.1
  • Django 3.0
  • Django 2.2

Resolution

Patches to resolve the issue have been applied to Django's master branch and the 3.2, 3.1, 3.0, and 2.2 release branches. The patches may be obtained from the following changesets:

The following releases have been issued:

The PGP key ID used for this release is Mariusz Felisiak: 2EF56372BA48CD1B.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.

From The Django weblog at 2021-01-19 13:15:19

Django 3.2 alpha 1 released

Django 3.2 alpha 1 is now available. It represents the first stage in the 3.2 release cycle and is an opportunity for you to try out the changes coming in Django 3.2.

Django 3.2 has a mezcla of new features which you can read about in the in-development 3.2 release notes.

This alpha milestone marks the feature freeze. The current release schedule calls for a beta release in about a month and a release candidate about a month from then. We'll only be able to keep this schedule if we get early and often testing from the community. Updates on the release schedule are available on the django-developers mailing list.

As with all alpha and beta packages, this is not for production use. But if you'd like to take some of the new features for a spin, or to help find and fix bugs (which should be reported to the issue tracker), you can grab a copy of the alpha package from our downloads page or on PyPI.

The PGP key ID used for this release is Carlton Gibson: E17DF5C82B4F9D00.

From The Django weblog at 2021-01-04 08:06:06

Django bugfix release: 3.1.5

Today we've issued the 3.1.5 bugfix release.

The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Carlton Gibson: E17DF5C82B4F9D00.

From The Django weblog at 2020-12-28 08:46:43

Channels security release issued: 3.0.3

In accordance with our security release policy, the Django team is issuing Channels 3.0.3. This release addresses the security issue detailed below. We encourage all users of Channels to upgrade as soon as possible.

CVE-2020-35681: Potential leakage of session data using legacy AsgiHandler

The legacy channels.http.AsgiHandler class, used for handling HTTP type requests in an ASGI environment prior to Django 3.0, did not correctly separate request scopes in Channels 3.0. In many cases this would result in a crash, but with the right timing responses could be sent to the wrong client, resulting in potential leakage of session identifiers and other sensitive data.

This issue affects Channels 3.0.x before 3.0.3, and is resolved in Channels 3.0.3.

Users of ProtocolTypeRouter not explicitly specifying the handler for the 'http' key, or those explicitly using channels.http.AsgiHandler (likely in order to support Django 2.2), are affected and should update immediately.

Please see the Channels version 3.0.3 release notes for full details.

General notes regarding security reporting

As always, we ask that potential security issues be reported via private email to security@djangoproject.com, and not via Django's Trac instance or the django-developers list. Please see our security policies for further information.

From The Django weblog at 2020-12-24 01:10:38

2020 Malcolm Tredinnick Memorial Prize awarded to Ken Whitesell

The Board of the Django Software Foundation is pleased to announce that the 2020 Malcolm Tredinnick Memorial Prize has been awarded to Ken Whitesell.

Ken Whitesell has been an active member of the Django forum since it started, helping new members by patiently answering their questions and making them feel welcome and has in that way helped to grow the forum. He has also volunteered many times at DjangoCon US.

Matt Layman, one of the six people who nominated Ken, had this to say about him:

Ken is a stalwart contributor to the Django Forum. He is prolific on the forum in supporting new people with all their various questions. He is patient and kind in how he responds. I think the forum is a growing way that new people get involved in Django. Ken is a welcoming person in that arena who I believe demonstrates the qualities desired for a Malcolm Tredinnick Memorial Prize recipient.

Other nominations for this year included:

  • Adam Johnson (Adam Chainz)
  • Baptiste Mispelone
  • Carlton Gibson
  • Eyitemi Egbejule
  • Kalob Taelien
  • Matthias Kestenholz
  • William Vincent

Each year we receive many nominations, and it is always hard to pick the winner. This year we received the highest number of nominations ever for the Malcolm Tredinnick Memorial Prize, with some people being nominated twice, some three times, and one as many as six times. Some people have been nominated in multiple years, so if your nominee didn’t make it this year, you can always nominate them again next year.

Malcolm would be very proud of the legacy he has fostered in our community!

Congratulations Ken on the well-deserved honor!

From The Django weblog at 2020-12-10 22:09:06

2021 DSF Board Election Results

Here are the results of this year's election in order of most votes:

  1. Anna Makarudze
  2. William Vincent
  3. Kátia Nakamura
  4. Aaron Bassett
  5. Žan Anderle
  6. Chaim Kirby
  7. Mfon Eti-mfon

Congratulations to our winners, and a big thank you to our departing Board members, James Bennett and Sayantika Banik.

We'll be finishing up the 2020 Board business, ratifying the election and passing the torch to the 2021 Board at our meeting next week.

Also a special thank you to the large number of candidates we had this year. The DSF simply isn't possible without the help of all of our volunteers.

From The Django weblog at 2020-12-01 06:04:38

Django bugfix release: 3.1.4

Today we've issued the 3.1.4 bugfix release.

The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Mariusz Felisiak: 2EF56372BA48CD1B.

From The Django weblog at 2020-11-18 04:35:20

2021 DSF Board Nominations

It is that time again to begin to elect next year’s Django Software Foundation’s Board of Directors!

As you know, the Board guides the direction of the marketing, governance and outreach activities of the Django community. We provide funding, resources, and guidance to Django events on a global level. Further we provide support to the Django community with an established Code of Conduct and make decisions and enforcement recommendations for violations. We work closely with our corporate and individual members to raise funds to help support our great community.

In order for our community to continue to grow and advance the Django Web framework, we need your help. The Board of Directors consists of volunteers who are elected to one year terms. This is an excellent opportunity to help advance Django. We can’t do it without volunteers, such as yourself. For the most part, the time commitment is a few hours per month. Anyone including current Board members, DSF Members, or the public at large can apply to the Board. It is open to all who wish to participate.

If you are interested in helping to support the development of Django, we’d enjoy receiving your application for the Board of Directors. Please fill out the application form by November 30th, 2020 AoE to be considered. Once we have our candidates we will open a week-long voting period.

If you have any questions about applying, the work, or the process in general, please don’t hesitate to reach out via email to foundation@djangoproject.com and one of us will get back to you shortly.

Thank you for your time and we look forward to working with you in 2021.

The 2020 DSF Board of Directors

Application Form.

From The Django weblog at 2020-11-12 14:39:15

Nominations for 2020 Malcolm Tredinnick Memorial Prize

Hello Everyone!

It is that time of year again when we recognize someone from our community in memory of our friend Malcolm.

Malcolm was an early core contributor to Django and had both a huge influence and impact on Django as we know it today. Besides being knowledgeable he was also especially friendly to new users and contributors. He exemplified what it means to be an amazing Open Source contributor. We still miss him to this day.

The DSF Prize page summarizes the prize nicely:

The Malcolm Tredinnick Memorial Prize is a monetary prize, awarded annually, to the person who best exemplifies the spirit of Malcolm’s work - someone who welcomes, supports and nurtures newcomers; freely gives feedback and assistance to others, and helps to grow the community. The hope is that the recipient of the award will use the award stipend as a contribution to travel to a community event -- a DjangoCon, a PyCon, a sprint -- and continue in Malcolm’s footsteps.

We will take nominations until Friday, November 26th AoE and will announce the winner soon after the next DSF Board meeting in December.

Please make your nominations using this Google form.

If you have any questions please reach out to the DSF Board at foundation@djangoproject.com.

From The Django weblog at 2020-11-02 08:15:36

Django bugfix releases issued: 3.1.3, 3.0.11, and 2.2.17

Today we've issued the 3.1.3, 3.0.11, and 2.2.17 bugfix releases.

The release package and checksums are available from our downloads page, as well as from the Python Package Index. The PGP key ID used for this release is Carlton Gibson: E17DF5C82B4F9D00.