The latest version of Tastypie includes a number of important security fixes and all users are strongly encouraged to upgrade.
Note that some of these fixes are backwards-incompatible, so check the upgrade notes carefully before deploying.
Security hardening improvements
- XML decoding has been wrapped in the defusedxml library
- XML requests may no longer include DTDs by default
- Deserialization will return HTTP 400 for any XML decode errors
- Don't even use XML and want to disable it? There's a simple TASTYPIE_DEFAULT_FORMATS setting to globally restrict the set of supported formats (closes #833).
- Content negotiation will return an error for malformed Accept headers (closes #832)
- The Api class itself now allows a custom serializer (closes #817)
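The following is an added, stdlib-only illustration of what the first four items above buy you; it is neither Tastypie's code nor defusedxml's. It installs the same expat hooks defusedxml installs (doctype, entity-declaration and external-entity-reference handlers) so that a DTD, an entity bomb or an XXE payload aborts parsing, keeps a format allow-list in the role of TASTYPIE_DEFAULT_FORMATS, and maps any decode failure to HTTP 400. All function names and the sample payloads are invented for the example; it targets Python 3.

```python
"""Hardened XML deserialization in the spirit of the release note above.

Added example, not Tastypie's or defusedxml's code. The three expat handlers
set below are the ones defusedxml uses to refuse DTDs, entity declarations and
external entity references; the toy deserializer turns every decode failure
into a 400 and refuses formats that are not on its allow-list.
"""
import json
import xml.parsers.expat
from xml.etree import ElementTree as ET


class ForbiddenXML(ValueError):
    """Raised when a document uses a construct the hardened parser refuses."""


def parse_hardened(data, forbid_dtd=True):
    """Parse bytes into an Element, refusing dangerous XML features.

    DTDs are rejected when forbid_dtd is True (the new default for Tastypie
    requests); entity declarations and external entity references are always
    rejected, which stops both "billion laughs" expansion and XXE reads.
    """
    builder = ET.TreeBuilder()
    parser = xml.parsers.expat.ParserCreate()

    # An exception raised inside an expat handler propagates out of Parse().
    def start_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenXML("DTD declarations are not allowed")

    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise ForbiddenXML("entity declarations are not allowed")

    def external_entity_ref(context, base, sysid, pubid):
        raise ForbiddenXML("external entity references are not allowed")

    if forbid_dtd:
        parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)
    return builder.close()


def rejection_reason(data, forbid_dtd=True):
    """Return the hardened parser's error message, or None if data parses."""
    try:
        parse_hardened(data, forbid_dtd=forbid_dtd)
    except (ForbiddenXML, xml.parsers.expat.ExpatError) as exc:
        return str(exc)
    return None


def deserialize(body, fmt, formats=("json", "xml")):
    """Toy stand-in for a resource deserializer: returns (status, payload).

    `formats` plays the role of TASTYPIE_DEFAULT_FORMATS: a format that is not
    listed is refused before any parser is touched. Any decode error, malicious
    or merely malformed, becomes a 400 rather than an unhandled 500.
    """
    if fmt not in formats:
        return 400, "unsupported format: %s" % fmt
    try:
        if fmt == "json":
            return 200, json.loads(body)
        root = parse_hardened(body)
    except (ForbiddenXML, xml.parsers.expat.ExpatError, ValueError) as exc:
        return 400, str(exc)
    return 200, {child.tag: child.text or "" for child in root}


def expansion_with_default_parser(data):
    """For contrast: the stock ElementTree parser expands internal entities."""
    return ET.fromstring(data).findtext("title")


# Constructed sample requests for the example (not captured traffic).
BENIGN = b"<object><title>hello</title></object>"
ENTITY_BOMB = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
]>
<object><title>&lol2;</title></object>"""
XXE = b"""<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<object><title>&xxe;</title></object>"""
DTD_ONLY = b"""<!DOCTYPE object [ <!ELEMENT object (title)> <!ELEMENT title (#PCDATA)> ]>
<object><title>x</title></object>"""
MALFORMED = b"<object><title>unclosed</object>"

if __name__ == "__main__":
    for name, body in [("benign", BENIGN), ("entity bomb", ENTITY_BOMB),
                       ("xxe", XXE), ("malformed", MALFORMED)]:
        print(name, deserialize(body, "xml"))
    print("stock parser expands the bomb to:", expansion_with_default_parser(ENTITY_BOMB))
```

In a real project the allow-list is the TASTYPIE_DEFAULT_FORMATS setting mentioned above (for example `TASTYPIE_DEFAULT_FORMATS = ['json']` in settings.py), and the parser hardening comes from defusedxml rather than hand-installed handlers; prefer the library over a home-grown version like this one, which exists only to show which hooks matter and why a decode error must map to 400 instead of leaking a traceback.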
The serialization documentation has been upgraded with security advice:
- If you use XML serialization (enabled by default):
  - defusedxml is now required
  - defusedxml requires lxml 3 or later, so install both:
    pip install defusedxml "lxml>=3"
Python 2.5 is no longer officially supported because defusedxml requires Python 2.6 or later. If you cannot upgrade to a newer version of Python, please consider disabling XML support entirely.