Django 1.9.5 release notes

April 1, 2016

Django 1.9.5 fixes several bugs in 1.9.4.

Bugfixes

  • Made MultiPartParser ignore filenames that normalize to an empty string to fix crash in MemoryFileUploadHandler on specially crafted user input (#26325).
  • Fixed a race condition in BaseCache.get_or_set() (#26332). It now returns the default value instead of False if there’s an error when trying to add the value to the cache.
  • Fixed data loss on SQLite where DurationField values with fractional seconds could be saved as None (#26324).
  • The forms in contrib.auth no longer strip trailing and leading whitespace from the password fields (#26334). The change requires users who set their password to something with such whitespace after a site updated to Django 1.9 to reset their password. It provides backwards-compatibility for earlier versions of Django.
  • Fixed a memory leak in the cached template loader (#26306).
  • Fixed a regression that caused collectstatic --clear to fail if the storage doesn’t implement path() (#26297).
  • Fixed a crash when using a reverse lookup with a subquery when a ForeignKey has a to_field set to something other than the primary key (#26373).
  • Fixed a regression in CommonMiddleware that caused spurious warnings in logs on requests missing a trailing slash (#26293).
  • Restored the functionality of the admin’s raw_id_fields in list_editable (#26387).
  • Fixed a regression with abstract model inheritance and explicit parent links (#26413).
  • Fixed a migrations crash on SQLite when renaming the primary key of a model containing a ForeignKey to 'self' (#26384).
  • Fixed JSONField inadvertently escaping its contents when displaying values after failed form validation (#25532).