3.1.1 / 3.0.14 Release
This is the first minor release since django CMS 3.1, but it contains some great improvements (like Django 1.8 support) as well as an important fix for a CSRF vulnerability. Upgrading to this release or to the companion 3.0.14 release is strongly recommended for all users of the CMS.
Here's a summary of the respective release notes:
Changes Common to 3.1.1 and 3.0.14
Security Vulnerability Fix
- Fixed an issue where privileged users could be tricked into performing certain actions without their knowledge via a CSRF vulnerability.
Bug Fixes
- Fix issue which causes menu classes to be duplicated in advanced settings
- Fix issue with breadcrumbs not showing
- Fix issues with show_menu templatetags
- Minor documentation fixes
- Fix an issue related to "Empty all" Placeholder feature
- Fix plugin sorting in py3
- Fix search results number and items alignment in page changelist
- Preserve information regarding the current view when applying the CMS decorator
- Change the label "Save and close" to "Save as draft"
- Fix X-Frame-Options on top-level pages
- Fix order in which application URLs are injected into urlpatterns
- Fix deletion of a non-existing page language
- Fix language fallback for nested plugins
- Fix render_model template tag not showing the correct change list
- Fix scanning for placeholders failing on include tags with a variable as an argument
- Pin South version to 1.0.2
- Pin Html5lib version to 0.999 until a current bug is fixed
- Fix language chooser template
What's New Exclusively to 3.1.1
Features / Additions
- Add Django 1.8 support
- Tutorial updates and improvements
- Add copy_site command
- Add setting to disable toolbar for anonymous users
- Add setting to hide toolbar when a URL is not handled by django CMS
- Add editorconfig configuration
Bug Fixes
All of the bug fixes mentioned in the common set of fixes above plus these, 3.1-specific fixes:
- Fix an error in placeholder cache
- Fix get_language_from_request if POST and GET exist
- Revert whitespace cleanup on flash player to fix it
- Correctly restore previous status of dragbars
- Fix language-related issues when retrieving page URL
- Fix errors with toolbar population
- Fix error with watch_models type
- Fix error with plugin breadcrumbs order
- Fix handling of plugin position attribute
- Fix for some structureboard issues
- Make shift tab work correctly in submenu
What's New Exclusively to 3.0.14
Bug Fixes
All of the bug fixes mentioned in the common set of fixes above plus these, 3.0-specific fixes:
- Fix an issue related to "Empty all" Placeholder feature
Full release notes:
- 3.1.1: https://django-cms.readthedocs.org/en/develop/upgrade/3.1.1.html
- 3.0.14: https://django-cms.readthedocs.org/en/develop/upgrade/3.0.14.html
Extra Special Thanks
We'd also like to acknowledge the work of Python experts, security researchers and all-around good folks Sylvain Fankhauser of L//P and Matthew Wilkes of The Code Distillery, who discovered an important CSRF vulnerability, privately demonstrated it to the django CMS core developers, and contacted us through the documented channels.
If you should discover any security issues with django CMS, please let us know at [email protected].