News

Posted almost 16 years ago
It seemed only fitting to give the scoop to the Lawrence Journal-World: Django, started nearly five years ago by programmers affiliated with The World Company, now joins a lineup of pervasive computer languages and systems — including Mozilla, Apache and Linux — to be overseen by a nonprofit organization.

We're still breaking this baby in, so we're a little light on details for now. You can read a bit about our goals now, and as you can imagine we'll be talking a lot about this in the days and weeks to come. Suffice to say that we're amazingly excited about the opportunities this next step brings.

When we started thinking about releasing Django (three years ago!) we never expected this level of success. We certainly couldn't have gotten here without the amazing support and contributions from our community of users and developers. To everyone who's used or contributed to Django: thanks!
Posted almost 16 years ago
In accordance with our security policy, a set of releases is being issued tonight to fix a security vulnerability reported to the Django project. This entry contains a description of the vulnerability, a description of the changes made to fix it, pointers to the relevant patches for each supported version of Django and pointers to the resulting releases. A copy of this information will also be posted to the django-users and django-developers mailing lists. The Django website is being updated to reflect the new releases.

Description of vulnerability

The Django administration application will, when accessed by a user who is not sufficiently authenticated, display a login form and ask the user to provide the necessary credentials before displaying the requested page. This form will be submitted to the URL the user attempted to access, by supplying the current request path as the value of the form's "action" attribute. The value of the request path was not being escaped, creating an opportunity for a cross-site scripting (XSS) attack by leading a user to a URL which contained URL-encoded HTML and/or JavaScript in the request path.

Affected versions

Django development trunk
Django 0.96
Django 0.95
Django 0.91

Resolution

The login form has been changed to escape the request path before use as the form's submission action. The relevant changesets for affected versions of Django are:

Django development trunk: Changeset 7521
Django 0.96: Changeset 7527
Django 0.95: Changeset 7528
Django 0.91: Changeset 7529

The following releases have been issued based on the above changesets:

Django 0.96.2
Django 0.95.3
Django 0.91.2

All users of affected versions of Django are strongly encouraged to apply the relevant patch or upgrade to the relevant patched release as soon as possible.

Release manager's note

If you maintain a third-party Django package and you did not receive the announcement of these releases earlier tonight, please email James Bennett ([email protected]) as soon as possible. Also, please note that potential security vulnerabilities should be reported directly to the Django project, at [email protected], as outlined in our security policy. Following this procedure helps us to maintain high standards of response and disclosure, and makes the process of investigating and resolving security issues much easier for everyone involved.
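The flaw and its fix, as added example code written for this page (not Django's admin template and not the contents of the changesets listed above): when the request path is placed into the form's action attribute verbatim, a path containing a quote character can close the attribute and inject markup that the browser then renders; HTML-escaping the path before use, which is what the resolution describes, keeps the whole path inside the attribute. The template string, the request path, the inspector class and the function names are all constructed for this example, and Python's html.escape stands in for Django's own template escaping.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed stand-in for the admin login template: the form posts back to
# the URL the user originally requested, via the action attribute.
LOGIN_FORM = (
    '<form action="{action}" method="post">'
    '<input type="text" name="username">'
    '<input type="password" name="password">'
    '</form>'
)


def decode_request_path(raw_path):
    """URL-decode the request-line path, as the server does before the application sees it."""
    return unquote(raw_path)


def render_login_form_unescaped(request_path):
    """Pre-fix behaviour: the request path is dropped into the attribute verbatim."""
    return LOGIN_FORM.format(action=request_path)


def render_login_form_escaped(request_path):
    """Fixed behaviour: HTML-escape the path first (quote=True also escapes " and ')."""
    return LOGIN_FORM.format(action=escape(request_path, quote=True))


class _Inspector(HTMLParser):
    """Records every start tag and the first form's action, the way a browser would parse them."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.form_action = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "form" and self.form_action is None:
            # HTMLParser decodes entity references in attribute values for us.
            self.form_action = dict(attrs).get("action")


def inspect(html):
    """Return (list of start tags, action attribute of the form) for rendered HTML."""
    parser = _Inspector()
    parser.feed(html)
    parser.close()
    return parser.tags, parser.form_action


if __name__ == "__main__":
    # Constructed request path: a double quote and a tag, percent-encoded as in a URL.
    path = decode_request_path("/admin/%22%3E%3Cb%3Einjected%3C/b%3E")
    for name, render in (("unescaped", render_login_form_unescaped),
                         ("escaped", render_login_form_escaped)):
        tags, action = inspect(render(path))
        print(f"{name}: tags={tags} action={action!r}")
```

With the unescaped rendering the parser sees an extra b tag and a form whose action has been cut short at the injected quote; with the escaped rendering the tag list is just the form and its two inputs, and the action attribute decodes back to the full original path, which is the property the fix restores.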
Posted about 16 years ago
Spring has returned to the northern hemisphere, and everything's coming up Django. Here's a rundown of what's going on in the wide world of Django:

PyCon 2008 (March 14-16, with sprints the following week) in Chicago had a healthy Django contingent; the official "Birds of a Feather" session was packed, as were the two Django tutorials held the day before the conference and the four Django-related talks during the main conference session:

Adrian Holovaty's "State of Django" talk covered the past year's progress in Django development, some of the upcoming features to be found in two development branches of Django (queryset-refactor and newforms-admin, which will be refactoring and increasing the power and flexibility of the Django object-relational mapper and admin interface, respectively), and also announced a new, nonprofit organization dedicated to Django: the Django Software Foundation. The paperwork is still pending, but once it's up and running the DSF will be a major resource for the community, helping to promote and organize the development of Django.

Marty Alchin's "Django Under the Hood" (slides are online) took a peek at some of Django's internals, and covered useful tricks and techniques any developer of a Django-based application can benefit from.

Steven Wilcox's talk on the Django admin (full text is online) included a tutorial on newforms-admin, showing how Django's admin application will work once that branch is completed, and hinting at some of the added functionality you'll be able to access when it lands.

James Bennett covered best practices for developing reusable Django applications (slides online), culling tips and patterns from two years of full-time Django work at World Online.

Slides from the two three-hour Django tutorial sessions are also available:

Jacob Kaplan-Moss' Introduction to Django provides a fast-paced intro for developers who are new to Django.

The Django Code Lab, chaired by Jacob, Adrian and James, provided an opportunity for developers to submit code and questions, and get advice and critiques from three seasoned Django developers.

After the conference proper, the week-long sprint session yielded a lot of development activity; though there was plenty of code checked in during the sprint, the big win at a conference like PyCon is the ability to get developers together in a room to talk about features and hold design discussions that might otherwise involve weeks of back-and-forth posts on the developers' mailing list. Some highlights of the sprint were discussions for newforms-admin and for model-level validation to complement and improve the validation Django's form library offers for web-based input.

In addition to the fun of PyCon, there's been a flurry of interesting Django-related activity in the past few months:

One of Django's lead developers, Jacob Kaplan-Moss, has moved on to a new job where he's getting paid to work on Django. Most recently, he's been leading an effort to migrate Django's documentation onto the Sphinx documentation engine, the same system that powers Python's own development documentation.

Simon Willison launched Django People, a network of Django users, developers and fans around the world. At the moment, there are almost two thousand people listed.

Ryan Berg launched Djangofriendly, a site which lists Django-friendly web-hosting services and lets users rate and review their hosts.

Revyver launched Django Pluggables, a catalog of publicly-available Django applications which, in its own words, does the work of tracking all those applications so you won't have to. They've got over a hundred applications catalogued already, and more are popping up all the time.

And, of course, Google announced App Engine, a massively-scalable application hosting service which debuted with support for developing and hosting Python applications on Google's distributed infrastructure, taking advantage of the same BigTable database engine that powers Google's own web services. And Django is available right out of the box.

Meanwhile, Michael Trier has revived the tradition of weekly Django roundups, and launched This Week in Django, a podcast which has regular interviews with interesting folks from the community, useful tips for application developers and weekly summaries of Django development activity.

And if you prefer your Django in dead-tree format, there are two books already on the shelves:

Teach Yourself Django in 24 Hours, from Sams.
The Definitive Guide to Django, from Apress, and written by Django's lead developers. It's also available online, for free.

And two more have been announced:

Practical Django Projects from Apress.
Python Web Development with Django from Prentice Hall.

Both are scheduled to be published this summer. Also this summer, O'Reilly will be holding OSCON 2008 in Portland, Oregon; as always, expect to see a contingent of Django developers and users hanging out, meeting up and talking Django.

In the meantime, Django development will keep on rolling; if you'd like to help out, check out the documentation on contributing, hop onto the django-developers mailing list or the development IRC channel, and join the fun.
Posted over 16 years ago
Ah, Spring... that wonderful time of year when flowers bloom, birds and bees provide useful euphemisms for tongue-tied parents, and Python hackers everywhere converge for the annual Python Conference. That's right: PyCon 2008 is only two short months away!

This year's conference will be held in Chicago, and features a fantastic line-up of talks about everything Python. PyCon really is a wonderful conference, and early-bird registration is only $225 ($125 for students). I can't recommend the conference highly enough.

Of course, Django will be very well represented at PyCon, with activities for Djangonauts of all skill levels:

I'll be teaching a Beginning Django tutorial aimed at folks just getting started with Django. In past years this tutorial has filled up rapidly, so if you'd like to attend I recommend signing up soon.

Also on the tutorial day will be a Django "Code Lab" designed for people with some Django projects already under their belts. We've got a great panel of experts lined up to critique and improve your code: Adrian Holovaty, James Bennett, and yours truly. [I should point out by way of disclaimer that I get a bit of money for teaching the tutorials. I'd promote them here anyway, of course, but I mention the compensation by way of full disclosure.]

The conference proper will feature a number of Django sessions:

Developing reusable Django applications (James Bennett)
Django: Under the Hood (Marty Alchin)
The Power of Django Admin (Even For Non-Django Projects) (Steven C. Wilcox)

Adrian will also deliver a "State of the Django" talk to discuss where the project is, and where it's going.

Finally, after all the talks end, we'll hold a four-day development sprint. Anyone interested in working on Django is encouraged to attend, and note that the sprints at PyCon are open to anyone, not just PyCon attendees. So, if you're in Chicago feel free to stop on by!

I hope to see a bunch of Djangonauts at the conference. I've been to PyCon for the last few years, and it's always been fantastic. I can see from the line-up of talks that this year will be no exception. Remember to register before Feb. 20th to take advantage of the early-bird rates!
Posted over 16 years ago
The folks at Media Temple, who are kind enough to donate hosting for this djangoproject.com site, have launched a beta version of Django support in their "Grid-Service." They're looking to get beta feedback before doing a full release and are giving away free copies of the Django Book to the top 25 forum contributors who have a live Django application running on the service. Here's where you sign up to help with beta feedback -- the only prerequisite is that you have a Grid-Service account.
Posted over 16 years ago
The Django Book started shipping last week, and we've put the full text online for free. We put a draft of the book up about a year ago for comments, and were amazed by the quality (and quantity!) of responses. We read each of the comments (around 2500) as we revised the book towards a final print release. That print release has been available in stores for about a week, and we've put the text up for you to read for free.

As with the draft, we're soliciting comments which we'll use as we continue to revise the online text. We're also collecting errata from the print edition if you notice mistakes there.

We're immensely grateful to everyone who helped make this book happen. Thanks also to Media Temple: we're now hosting the book site on a machine they donated to the project a few months ago. Thanks, guys -- you rock!

PS: If you're not seeing the new book, it's probably because the DNS change hasn't propagated yet. Try new.djangobook.com in the meantime.
Posted over 16 years ago
We had such a great time doing that last sprint, so we're doing it again! We'll hold the sprint Saturday, December 1st here in Lawrence, KS, and virtually around the world. We'll run things much the same as we did last time around. We plan to devote at least 24 hours of focused work to get some of this done in an organized fashion, and also to encourage new people to contribute. If all goes well on Saturday, we'll probably continue to Sunday.

Anybody can participate and contribute, and there's no obligation or expectation. If you've never contributed to Django before, this is the perfect chance for you to chip in. More information is available on the wiki.

Most participants will likely be working from their own homes/offices in their respective countries, but if you'd like to come hang out with us in Lawrence, email jacob -at- jacobian -dot- org. We can provide transportation to/from the Kansas City airport (MCI) and can recommend a good hotel in town. Also, a limited amount of free lodging (i.e. our couches) is available. All participants -- not just those meeting in person -- should feel free to add their names to the wiki page.
Posted over 16 years ago
Today we're releasing a fix for a security vulnerability discovered in Django's internationalization framework. The complete details are below, but the executive summary is that you should update to a fixed version of Django immediately. We are releasing point-releases of all affected Django versions. You can download them at http://www.djangoproject.com/download/. Those tracking trunk development should "svn update" as soon as possible. Please direct any questions about this release to django-users (http://groups.google.com/group/django-users).

Description of vulnerability

A per-process cache used by Django's internationalization ("i18n") system to store the results of translation lookups for particular values of the HTTP Accept-Language header used the full value of that header as a key. An attacker could take advantage of this by sending repeated requests with extremely large strings in the Accept-Language header, potentially causing a denial of service by filling available memory.

Due to limitations imposed by Web server software on the size of HTTP header fields, combined with reasonable limits on the number of requests which may be handled by a single server process over its lifetime, this vulnerability may be difficult to exploit. Additionally, it is only present when the "USE_I18N" setting in Django is "True" and the i18n middleware component is enabled*. Nonetheless, all users of affected versions of Django are encouraged to update.

Affected versions

Django trunk prior to revision [6608].
Django 0.96
Django 0.95 (including 0.95.1)
Django 0.91

Resolution

New versions of Django containing this fix have been released today which alter this caching mechanism to store shortened, normalized values and to reject improperly formatted headers. These versions are called:

Django 0.96.1 (replaces Django 0.96)
Django 0.95.2 (replaces Django 0.95.1)
Django 0.91.1 (replaces Django 0.91)

Anyone using a stable Django release should upgrade to one of these point releases immediately. These fixed versions have already been provided to maintainers of Django packages for various OS distributions and should be released shortly. Anyone tracking Django's trunk development should use Subversion to update to at least revision [6608].

Additionally, these fixes have been committed to the various "bugfixes" branches:

http://code.djangoproject.com/svn/django/branches/0.91-bugfixes/
http://code.djangoproject.com/svn/django/branches/0.95-bugfixes/
http://code.djangoproject.com/svn/django/branches/0.96-bugfixes/

Anyone running custom versions of Django should download and apply the patches directly. These patches are available at http://media.djangoproject.com/patches/2007-10-26-security-fix/.

* This post originally failed to mention that the i18n middleware component must be enabled to trigger the bug.
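The resolution described above, written out as added example code (not Django's own translation code and not the contents of revision [6608]): the header is cut to a fixed maximum length, parsed into lower-cased language ranges with their q values, rejected outright if any part is malformed, and only that short normalized form is used as the cache key, so a flood of distinct oversized headers collapses onto a handful of entries. The pre-fix behaviour of keying on the raw header is kept as a switch for comparison. The length limit, the regular expressions, the LanguageResolver class, the supported-language list and the simulated requests are all constructed for this example.

```python
import re

# Assumed limit for this example (not Django's constant): longer headers are cut
# off before parsing, so the key can never grow with the attacker's input.
ACCEPT_LANGUAGE_MAX_LENGTH = 500

# One language range: "*" or 1-8 letters with optional 1-8 character subtags.
LANG_RANGE_RE = re.compile(r"^(?:\*|[a-z]{1,8}(?:-[a-z0-9]{1,8})*)$")
# Quality parameter as allowed by HTTP: q=0, q=0.xxx, q=1 or q=1.000.
QVALUE_RE = re.compile(r"^q=(0(?:\.\d{1,3})?|1(?:\.0{1,3})?)$")


def parse_accept_lang_header(header):
    """Return [(language, q), ...] sorted by descending q.

    Returns [] if the header is empty or any part is improperly formatted, so
    malformed input never yields a distinct cache key of its own.
    """
    header = header[:ACCEPT_LANGUAGE_MAX_LENGTH].strip().lower()
    if not header:
        return []
    ranges = []
    for part in header.split(","):
        lang, _, param = part.partition(";")
        lang = lang.strip()
        param = param.replace(" ", "")
        if not LANG_RANGE_RE.match(lang):
            return []
        q = 1.0
        if param:
            match = QVALUE_RE.match(param)
            if not match:
                return []
            q = float(match.group(1))
        ranges.append((lang, q))
    # Stable sort: ranges with equal q keep the order the client sent them in.
    ranges.sort(key=lambda item: item[1], reverse=True)
    return ranges


def cache_key(header):
    """Short, normalized representation used as the cache key instead of the raw header."""
    return ",".join(f"{lang};q={q:g}" for lang, q in parse_accept_lang_header(header))


class LanguageResolver:
    """Maps Accept-Language headers to a supported language, memoising per process."""

    def __init__(self, supported, default, normalize=True):
        self.supported = set(supported)
        self.default = default
        self.normalize = normalize  # False reproduces the pre-fix raw-header key
        self.cache = {}

    def resolve(self, header):
        key = cache_key(header) if self.normalize else header
        if key not in self.cache:
            self.cache[key] = self._lookup(parse_accept_lang_header(header))
        return self.cache[key]

    def _lookup(self, ranges):
        for lang, q in ranges:
            if q == 0:
                continue
            if lang in self.supported:
                return lang
            base = lang.split("-")[0]  # "de-de" falls back to "de"
            if base in self.supported:
                return base
        return self.default


def simulate(resolver, requests=50):
    """Constructed traffic: each request carries a unique, oversized garbage range.

    Returns the number of cache entries afterwards.
    """
    for i in range(requests):
        resolver.resolve("en;q=0.9, " + "x" * 2000 + str(i))
    return len(resolver.cache)


if __name__ == "__main__":
    print("raw key entries:", simulate(LanguageResolver(["en", "de"], "en", normalize=False)))
    print("normalized entries:", simulate(LanguageResolver(["en", "de"], "en")))
```

Keying on the raw header grows the cache by one entry per request, while the normalized resolver rejects every oversized header (the garbage range fails the tag pattern, so the whole header parses to nothing) and stores a single entry. Headers that differ only in case and whitespace also share one key, which is what "normalized" buys beyond mere truncation.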
Posted over 16 years ago
After a short hiatus, the Django Roundups are back! Let's not waste any time and dive in:

Django news:

The Django Sprint that took place last month looks as if it went off without a hitch. Adrian Holovaty documented on the Google Code Blog the tremendous level of activity that took place over the course of a single weekend: “The sprint was intensely productive, with more than 400 tickets closed in the Django issue-tracking system, 300 new patches/ticket attachments and more than 200 commits to the Django code base. All told, there were more than 2,440 changes, including wiki changes, ticket changes, patch uploads and code check-ins.”

Simon Willison has published another set of slides in his Advanced Django series. This version is nearly identical to the previous with a new section on newforms.

Siddhi Govindaraj has created a second Django tutorial in screencast format. Siddhi's second video expands on the wiki application from his first video by adding WikiWords and search capabilities.

Projects of note:

Django Gigs has launched and serves as a single place to find work as a Django developer, and for employers to find highly-qualified programmers who are proficient with Django.

James Bennett has updated his excellent django-registration application to version 0.3. This update adds a more customizable email subject line, configurable form classes, configurable templates, a maintenance script to clean out expired user accounts, expanded documentation, unicode updates, and locale support.

Django on Jython work has continued over the past month or so with additional strides made toward total compatibility. Leonardo Soto Muñoz provides a roundup of advancements as of September 13, 2007. Frank Wierzbicki, lead developer of Jython, is also maintaining a document of the current gaps between Django and Jython.

What The Form is an extension for Django's newforms that allows a developer to design how the form will be displayed to the user. Meta attributes like fieldsets and columns can be defined by the developer within their models and can be nested as much as necessary.

Björn Kempén has launched a Django-powered BitTorrent tracker he calls Geektorrent.

Code snippets and tutorials:

Ryan Kanno has produced a templatetag that formats decimal values of a certain range into image-based "star-style" ratings. Ryan's tag deals with rounding, and can be configured to handle star values down to 0.25 of a star.

James Bennett describes, in detail, several solid procedures for using your Django projects in standalone scripts and from the command line in general.

Pedro Vale Lima shows how you can use your Django project's MEDIA_URL value in your JavaScript files.

James Bennett shows how you can set up Django to properly send email from your Joyent Connector.

Peter Nixon shows how to authenticate Django against FreeRADIUS.

Streaming file uploads with Django.

New user groups and other miscellaneous news:

Several new non-English language Django user groups have sprung up over the past month: Django Catalan, Django Russian and Django Greece.

The team at Rails Envy produced an entertaining and good-natured video aimed at Django last month.

If you have any tips, project announcements, or generally interesting Django news, email me at clintecker [email protected].
Posted over 16 years ago
If you're reading this, then you're looking at the new home of djangoproject.com. Django's adoption has skyrocketed over the last six months or so, and with the added popularity has come increasing traffic to this site — we're doing close to eight million hits each month, and growing. While the increased interest couldn't make us happier, it made the old, cranky server running the site incredibly upset.

Over the past weeks we've been looking around for a new home, and I'm glad to say we found it: About a month ago, Media Temple generously offered to take up hosting our site. They've given us a screamingly fast dedicated server, free hosting, and wonderful support. Even better, this is only Media Temple's first step into the wonderful world of Django; they've got some very cool Django hosting plans coming in the near future.

We're very excited about the things we'll be able to do with our new, more powerful server. In fact, we've already started: this weekend, Matt Croydon and Joe Heck set up the Django Buildbot which has already helped us catch a few nasty bugs. We're really looking forward to finding other areas in which our newfound power can help us develop Django faster and better.

So, once again, a big thanks to Media Temple — and especially Chris Lea — for their support. Bonus points to anyone who gets the reference for the title...