

Django 1.8.2 security release patches unusually dangerous bug – update ASAP - GlennCSmith
https://www.djangoproject.com/weblog/2015/may/20/security-release/

======
GlennCSmith
This is an unusually dangerous security bug. Definitely agree with the Django
team that all users of Django 1.8 should upgrade as soon as possible.

------
codygman
Adding to my list of security vulnerabilities that static typing would have
prevented.

~~~
jtokoph
Isn't an empty string still a string?

~~~
codygman
Right, the issue here is just using null or "". You could use an Optional or
Maybe type here. Even better you could define:

    data SessionKey = ValidSessionKey | InvalidSessionKey

Then the developer making the modification code would have been much less
likely to type "InvalidSessionKey" whereas the None/"" behavior is just an
idiom. The problem here is that the domain knowledge of: "" is a valid session
wasn't communicated by the code.
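
The idea in the comment above, sketched in Python as an added example; it is not part of the thread and not Django's code. The store classes, the key-length policy and the two-visitor scenario are constructed for illustration: when "no session" is spelled `""`, it can reach storage as an ordinary key, while a distinct type cannot.

```python
from dataclasses import dataclass
from typing import Union


class NoSession:
    """Explicit 'no session' state; it carries no key that could be stored."""


@dataclass(frozen=True)
class SessionKey:
    value: str

    def __post_init__(self):
        # Assumed policy for this sketch: a real key is never empty or short.
        if len(self.value) < 8:
            raise ValueError("not a usable session key")


class IdiomStore:
    """Constructed toy store where 'no session' is the idiom "" (or None)."""
    def __init__(self):
        self.rows = {}

    def save(self, key, data):
        self.rows[key] = dict(data)      # "" is silently accepted as a row key

    def load(self, key):
        return self.rows.get(key, {})


class TypedStore(IdiomStore):
    """Same store, but only a validated SessionKey can reach the rows."""
    def save(self, key: Union[NoSession, SessionKey], data):
        if not isinstance(key, SessionKey):
            raise TypeError("refusing to persist data without a session key")
        super().save(key.value, data)

    def load(self, key: Union[NoSession, SessionKey]):
        return super().load(key.value) if isinstance(key, SessionKey) else {}


def second_visitor_sees(store, no_session):
    """Visitor A saves under the 'no session' value; return what B then loads."""
    try:
        store.save(no_session, {"cart": ["book"]})
    except TypeError:
        pass                             # typed store rejected the write
    return store.load(no_session)
```

With `IdiomStore` and `""`, the second visitor reads the first visitor's data; with `TypedStore`, neither `NoSession()` nor a stray `""` can be written or read as a row.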

------
omouse
still stuck on Django 1.6.x; also stuck with Python 2.7.x; fear is the order
of the day when it comes to upgrades.

