Django 1.4.2 release notes

    This is the second security release in the Django 1.4 series.

    Django’s own built-in parsing of the Host header is, however, still vulnerable, as was reported to us recently. The Host header parsing in Django 1.3.3 and Django 1.4.1, specifically HttpRequest.get_host(), was incorrectly handling username/password information in the header. Thus, for example, the following Host header would be accepted by Django when running on “validsite.com”:

    To remedy this, the parsing in HttpRequest.get_host() is being modified; Host headers which contain potentially dangerous content (such as username/password pairs) now raise the exception .
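    An added example, not Django's own code, contrasting the lenient host parsing the note describes with a strict host[:port] grammar checked against an allow-list; the header values and the allowed-host set are constructed for illustration.

```python
import re

# Strict grammar for a Host header value: a hostname (or an IPv4 / bracketed
# IPv6 literal) optionally followed by ":port". Anything else, notably userinfo
# such as "user:pass@", is rejected outright instead of being partially parsed.
_HOST_RE = re.compile(
    r"^(?P<host>\[[0-9a-fA-F:.]+\]|[a-zA-Z0-9.-]+)(?::(?P<port>[0-9]{1,5}))?$"
)


def naive_host(header_value):
    """Lenient parsing of the kind the release note describes: split on ':'
    and trust whatever comes first. Given a header that carries userinfo,
    this returns the prefix the sender chose, which then looks valid."""
    return header_value.split(":")[0].lower()


def strict_host(header_value, allowed_hosts):
    """Validate the Host header against the strict grammar, then against an
    allow-list. Returns the hostname, or raises ValueError for anything that
    does not parse as host[:port] or names a host that is not allowed."""
    m = _HOST_RE.match(header_value)
    if m is None:
        raise ValueError("invalid Host header: %r" % header_value)
    host = m.group("host").lower()
    if host not in allowed_hosts:
        raise ValueError("disallowed Host header: %r" % header_value)
    return host


# Constructed sample values (not taken from the release note).
ALLOWED = {"validsite.com"}
SAFE_HEADER = "validsite.com:8000"
USERINFO_HEADER = "validsite.com:secret@evil.example"


def compare(header_value, allowed_hosts=ALLOWED):
    """Return (what the lenient parser yields, whether the strict parser accepts)."""
    try:
        strict_host(header_value, allowed_hosts)
        accepted = True
    except ValueError:
        accepted = False
    return naive_host(header_value), accepted
```

    The lenient parser reports "validsite.com" for both sample headers, while the strict one accepts only the plain host:port form.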

    • Subclass HTMLParser only for appropriate Python versions (#18239).
    • Added batch_size argument to qs.bulk_create() (#17788).
    • Fixed a small regression in the admin filters where wrongly formatted dates passed as url parameters caused an unhandled ValidationError (#18530).
    • Fixed some Python 2.5 compatibility issues.
    • Fixed an issue with quoted filenames in the Content-Disposition header (#19006).
    • Made the context option in and blocktrans tags accept literals wrapped in single quotes (#18881).