Natalia
c5a107e824
Added CVE-2025-64458 and CVE-2025-64459 to security archive.
2025-11-05 11:17:12 -03:00
Natalia
6e18c078d5
Added stub release notes for 5.2.9.
2025-11-05 11:12:30 -03:00
Jacob Walls
98e642c691
Fixed CVE-2025-64459 -- Prevented SQL injections in Q/QuerySet via the _connector kwarg.
...
Thanks cyberstan for the report, Sarah Boyce, Adam Johnson, Simon
Charette, and Jake Howard for the reviews.
2025-11-05 09:20:57 -03:00
Jacob Walls
c880530ddd
Fixed CVE-2025-64458 -- Mitigated potential DoS in HttpResponseRedirect/HttpResponsePermanentRedirect on Windows.
...
Thanks Seokchan Yoon for the report, Markus Holtermann for the
triage, and Jake Howard for the review.
Follow-up to CVE-2025-27556 and 39e2297210.
2025-11-05 09:20:57 -03:00
Hal Blackburn
74564946c3
Fixed #36704 -- Fixed system check error for proxy model with a composite pk.
...
Proxy models subclassing a model with a CompositePrimaryKey were
incorrectly reporting check errors because the check that requires only
local fields to be used in a composite pk was evaluated against the proxy
subclass, which has no fields.
To fix this, composite pk field checks are not evaluated against
proxy subclasses, as none of the checks are applicable to proxy
subclasses. This also has the benefit of not double-reporting real check
errors from an invalid superclass pk.
Thanks Clifford Gama for the review.
2025-11-04 11:59:21 -05:00
Mariusz Felisiak
05ba1a9228
Fixed #36661 -- Added introspection of database-level delete options.
2025-10-31 14:33:27 +01:00
Clifford Gama
348ca84538
Refs #35381 -- Deprecated using None in JSONExact rhs to mean JSON null.
...
Key and index lookups are exempt from the deprecation.
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
2025-10-29 15:00:52 -04:00
Clifford Gama
be7f68422d
Refs #35381 -- Delegated ArrayField element prepping to base_field.get_db_prep_save.
...
Previously, ArrayField always used base_field.get_db_prep_value when saving,
which could differ from how base_field prepares data for save. This change
overrides ArrayField.get_db_prep_save to delegate to the base_field's
get_db_prep_save, ensuring elements like None in JSONField arrays are saved
correctly as SQL NULL instead of JSON null.
2025-10-29 15:00:52 -04:00
Clifford Gama
adc25a9a66
Fixed #35381 -- Added JSONNull() expression.
...
Thanks Jacob Walls for the review.
2025-10-29 15:00:52 -04:00
Jacob Walls
ab108bf94d
Added stub release notes and release date for 5.2.8, 5.1.14, and 4.2.26.
2025-10-29 14:57:45 -03:00
Mariusz Felisiak
c87daabbf3
Fixed #36624 -- Dropped support for MySQL < 8.4.
2025-10-27 15:05:23 +01:00
Natalia
42d6e20feb
Made cosmetic edits to docs/releases/6.0.txt.
2025-10-22 15:37:52 -03:00
Mariusz Felisiak
ca3e0484ef
Refs #36005 -- Bumped minimum supported versions of docutils to 0.22.
2025-10-19 20:13:16 +02:00
Mariusz Felisiak
d506e4a528
Fixed #36671 -- Dropped support for SQLite < 3.37.
2025-10-18 21:04:11 +02:00
Mariusz Felisiak
0c487aa3a7
Fixed #21961 -- Added support for database-level delete options for ForeignKey.
...
Thanks Simon Charette for pair programming.
Co-authored-by: Nick Stefan <NickStefan12@gmail.com>
Co-authored-by: Akash Kumar Sen <71623442+Akash-Kumar-Sen@users.noreply.github.com>
Co-authored-by: Simon Charette <charette.s@gmail.com>
2025-10-18 15:03:50 +02:00
Mariusz Felisiak
56977b466c
Refs #35844 -- Doc'd Python 3.14 compatibility.
2025-10-17 19:25:02 +02:00
Adam Johnson
e097e8a12f
Fixed #28586 -- Added model field fetch modes.
...
May your database queries be much reduced with minimal effort.
co-authored-by: Andreas Pelme <andreas@pelme.se>
co-authored-by: Simon Charette <charette.s@gmail.com>
co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
2025-10-16 14:52:22 -04:00
Jacob Walls
02eed4f378
Fixed #36648, Refs #33772 -- Accounted for composite pks in first()/last() when aggregating.
2025-10-14 15:48:29 -04:00
Sarah Boyce
5b51e6f759
Fixed #36611, Refs #36580 -- Added system check for multicolumn ForeignObject in Meta.indexes/constraints/unique_together.
...
ForeignObjects with multiple `from_fields` are not supported in these
options.
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2025-10-13 14:53:39 -03:00
Simon Charette
315dbe675d
Fixed #36646 -- Added compatibility for oracledb 3.4.0.
...
The Database.Binary, Date, and Timestamp attributes were changed from
aliases to bytes, datetime.date, and datetime.datetime to factory
functions in oracle/python-oracledb@869a887819
which made their usage inadequate for isinstance checks.
Thanks John Wagenleitner for the report and Natalia for the triage.
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2025-10-11 17:15:28 +02:00
Mariusz Felisiak
5bd775703c
Fixed #36623 -- Dropped support for PostgreSQL 14 and PostGIS 3.1.
2025-10-03 17:12:57 -04:00
Mariusz Felisiak
1499c95d99
Rewrapped security archive at 79 chars.
2025-10-01 16:24:00 -04:00
Jacob Walls
43d84aef04
Added CVE-2025-59681 and CVE-2025-59682 to security archive.
2025-10-01 10:39:02 -04:00
Jacob Walls
1324d9037e
Added stub release notes for 5.2.8.
2025-10-01 10:30:45 -04:00
Sarah Boyce
924a0c092e
Fixed CVE-2025-59682 -- Fixed potential partial directory-traversal via archive.extract().
...
Thanks stackered for the report.
Follow up to 05413afa8c.
2025-10-01 08:12:07 -04:00
Mariusz Felisiak
41b43c74bd
Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB.
...
Thanks sw0rd1ight for the report.
Follow up to 93cae5cb2f.
2025-10-01 08:11:45 -04:00
Jacob Walls
6c82b0bc91
Made cosmetic edits to 5.2.7 release notes.
2025-09-30 16:31:01 -04:00
Adam Johnson
8b241f84e2
Fixed #36614 -- Deprecated QuerySet.values_list(flat=True) without a field.
...
Thanks to Jacob Walls and Simon Charette for their input.
co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2025-09-30 08:46:28 +02:00
John Parton
1820d35b17
Fixed #36605 -- Added support for QuerySet.in_bulk() after .values() or .values_list().
...
co-authored-by: Adam Johnson <me@adamj.eu>
co-authored-by: Simon Charette <charette.s@gmail.com>
2025-09-25 08:51:43 -04:00
Mariusz Felisiak
00174507f8
Added stub release notes and release date for 5.2.7, 5.1.13, and 4.2.25.
2025-09-24 11:39:07 -04:00
Adam Johnson
f2e0219867
Refs #36163 -- Removed currentmodule directive from 6.0 release notes.
2025-09-24 13:06:00 +02:00
Adam Johnson
2e870c6071
Refs #36163 -- Removed duplicated release note paragraph.
2025-09-24 13:06:00 +02:00
Tim Graham
1acb00b26d
Fixed #36616 -- Added DatabaseOperations.adapt_durationfield_value().
2025-09-23 18:36:49 +02:00
Jean Patrick Prenis
9af8225117
Fixed #36609 -- Added Haitian Creole (ht) language.
...
Thanks Rebecca Conley for the review.
Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2025-09-23 08:04:13 +02:00
David Smith
e20e189045
Refs #33783 -- Added IsEmpty GIS database function and __isempty lookup on SpatiaLite.
2025-09-22 22:04:42 -04:00
Adam Johnson
74a9c2711c
Refs #28586 -- Split descriptor from GenericForeignKey.
...
This makes GenericForeignKey more similar to other fields which act as
descriptors, preparing it to add “fetcher protocol” support in a clear and
consistent way.
2025-09-18 19:44:16 -04:00
Natalia
4840ab0965
Updated translations from Transifex.
...
Forwardport of 2a2936c3e6 from stable/5.2.x.
2025-09-18 09:53:05 -03:00
Jacob Walls
b83204a06e
Increased the default PBKDF2 iterations for Django 6.1.
2025-09-17 15:17:05 -03:00
Jacob Walls
0655d958bd
Refs #36390 -- Removed support for RemoteUserMiddleware subclasses missing aprocess_request().
...
Per deprecation timeline.
2025-09-17 15:17:05 -03:00
Jacob Walls
7d7e5cd055
Refs #35444 -- Removed contrib.postgres aggregates ordering kwarg per deprecation timeline.
2025-09-17 15:17:05 -03:00
Jacob Walls
32e266dc5b
Refs #35530 -- Removed request.user or auser() fallback in auth.login and auth.alogin.
...
Per deprecation timeline.
2025-09-17 15:17:05 -03:00
Jacob Walls
a146fe2930
Refs #22712 -- Removed all parameter from django.contrib.staticfiles.finders.find().
...
Per deprecation timeline.
2025-09-17 15:17:05 -03:00
Jacob Walls
1db79d8acf
Added stub release notes for 6.1.
2025-09-17 15:17:05 -03:00
Natalia
154aa62e6f
Made cosmetic edits to docs/releases/6.0.txt.
2025-09-17 14:20:40 -03:00
Natalia
eae8cc4201
Removed empty sections from 6.0 release notes.
2025-09-17 14:20:40 -03:00
antoliny0919
1e7728888d
Fixed #36601 -- Fixed color contrast of FilteredSelectMultiple widget chosen labels in TabularInlines.
...
Regression in a0f50c2a48.
2025-09-17 09:56:01 +02:00
Jake Howard
4289966d1b
Fixed #35859 -- Added background Tasks framework interface.
...
This work implements what was defined in DEP 14
(https://github.com/django/deps/blob/main/accepted/0014-background-workers.rst).
Thanks to Raphael Gaschignard, Eric Holscher, Ran Benita, Sarah Boyce,
Jacob Walls, and Natalia Bidart for the reviews.
2025-09-16 17:28:32 -03:00
GappleBee
218f69f05e
Fixed #28041 -- Added Lexeme expression to contrib.postgres.search.
...
This expression automatically escapes its input and allows
fine-grained control over prefix matching and term weighting
via logical combinations.
Thanks Mariusz Felisiak, Adam Zapletal, Paolo Melchiorre,
Jacob Walls, Adam Johnson, and Simon Charette for reviews.
Co-authored-by: joetsoi <joetsoi@users.noreply.github.com>
Co-authored-by: Karl Hobley <karl@kaed.uk>
Co-authored-by: Alexandr Tatarinov <tatarinov1997@gmail.com>
2025-09-16 15:09:11 -04:00
Simon Charette
94680437a4
Fixed #27222 -- Refreshed model field values assigned expressions on save().
...
Removed the can_return_columns_from_insert skip gates on existing
field_defaults tests to confirm the expected number of queries are
performed and that returning field overrides are respected.
2025-09-14 00:27:50 +02:00
Simon Charette
55a0073b3b
Refs #27222 -- Refreshed GeneratedFields values on save() initiated update.
...
This required implementing UPDATE RETURNING machinery that heavily
borrows from the INSERT one.
2025-09-14 00:27:49 +02:00