v0.9.13 ======= *SECURITY HARDENING* The latest version of Tastypie includes a number of important security fixes and all users are strongly encouraged to upgrade. Please note that the fixes might cause backwards incompatibility issues, so please check the upgrade notes carefully. Security hardening improvements ------------------------------- * XML decoding has been wrapped in the defusedxml library * XML requests may no longer include DTDs by default * Deserialization will return HTTP 400 for any XML decode errors * Don't even use XML and want to disable it? There's a simple :ref:`TASTYPIE_DEFAULT_FORMATS setting ` setting to globally restrict the set of supported formats (closes `#833 `_): http://django-tastypie.readthedocs.org/en/v0.9.14/settings.html#tastypie-default-formats * Content negotiation will return an error for malformed accept headers (closes `#832 `_) * The Api class itself now allows a custom serializer (closes `#817 `_) * The serialization documentation has been upgraded with security advice: http://django-tastypie.readthedocs.org/en/v0.9.14/serialization.html#serialization-security Upgrade notes: * If you use XML serialization (enabled by default): - defusedxml is now required - defusedxml requires lxml 3 or later ``pip install defusedxml "lxml>=3"`` * Python 2.5 is no longer officially supported because defusedxml requires Python 2.6 or later. If you cannot upgrade to a newer version of Python please consider disabling XML support entirely.