This release is primarily a security release. The two issues fixed have been present but unknown for a long time & ALL users are recommended to upgrade where possible.
Tastypie previously would accept a relation URI & solely parse out the identifiers, ignoring if the URI was for the right resource. Where
'user': '/api/v1/users/1/',would be accepted as a
UserURI, you could accidentally/intentionally pass something like
'user': '/api/v1/notes/1/',(notes rather than users), which would assign it to the
pk=1. Tastypie would resolve the URI, but proceed to only care about the
kwargs, not validating it was for the correct resource.
Tastypie now checks to ensure the resolving resource has a matching URI, so these cases of mistaken identity can no longer happen (& with quicker lookups). Thanks to Sergey Orshanskiy for the report!
Fixed in SHA: 6da76c6
In some browsers (specifically Firefox), it was possible to construct a URL that would include an XSS attack (specifically around the
offset/limitpagination parameters). Firefox seems to evaluate the JSON returned, completing the attack. Safari & Chrome do not appear to be affected.
Tastypie now escapes all error messages that could be returned to the user to prevent this kind of attack in the future. Thanks to Micah Hausler for the report!
Fixed in SHA: ae515bd
Should you find a security issue in Tastypie, please report it to firstname.lastname@example.org. Please DO NOT open GitHub issues or post the issues on the main Tastypie mailing list. Thanks!
Removed a mutable argument to
Serializer.serialize. (SHA: fb7326d)
tastypie.contrib.gis. (SHA: 1958df0)
Enabled testing on Travis for Python 3.4. (SHA: 6596935)
- Fixed indentation in v0.9.16 release notes. (SHA: dd3725c)
- Updated the v0.10.0 release notes. (SHA: e4c2455)
- Fixed a Cookbook example to import
jsoncorrectly. (SHA: bc7eb42)
- Updated the non-ORM docs to match Resource. (SHA: da6a629)
- Fixed grammar in Authorization docs. (SHA: 765ebf3)
- Fixed a typo in Authorization docs. (SHA: 4818f08)
- Updated the Cookbook to move an alternative approach to the correct place. (SHA: 803d679)
- Updated the tutorial to import
slugifyfrom a more modern location. (SHA: 86bb5d9)
- Fixed up inheritence in the Tools docs. (SHA: a1a2e64 & SHA: 12aa298)
- Added a section about
httpieto the Tools docs. (SHA: 5e49436)
- Corrected the URL for
biplist. (SHA: 859ce97)
- Added Postman to the list of Tools. (SHA: b9f0dec)
- Fixed a typo on the docs index. (SHA: 17e5a91)
- Fixed incorrect apostrophes. (SHA: 635729c)
- Fixed a typo in the Resources docs. (SHA: d789eea)