1
0
mirror of https://github.com/django/django.git synced 2024-12-22 09:05:43 +00:00
Commit Graph

582 Commits

Author SHA1 Message Date
Mike Edmunds
322e49ba30 Fixed #36012 -- Made mailto punctuation percent-encoded in Urlizer.
Urlizer was not properly encoding email addresses containing punctuation
in generated mailto links. Per RFC 6068, fixed by percent encoding
(urllib.parse.quote) the local and domain address parts.
2024-12-17 10:18:48 +01:00
Sarah Boyce
49ff1042aa Fixed CVE-2024-53907 -- Mitigated potential DoS in strip_tags().
Thanks to jiangniao for the report, and Shai Berger and Natalia Bidart
for the reviews.
2024-12-04 13:43:13 +01:00
Sarah Boyce
320dd27412 Fixed CVE-2024-45230 -- Mitigated potential DoS in urlize and urlizetrunc template filters.
Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
2024-09-03 09:22:32 -03:00
Claude Paroz
2c1f27d0d0 Dropped safeguards against very old versions of gettext.
gettext 0.19 was released in 2014.
2024-08-30 13:39:04 +02:00
Simon Charette
57307bbc7d Fixed #35666 -- Documented stacklevel usage and testing, and adjusted test suite accordingly.
Over the years we've had multiple instances of hit and misses when
emitting warnings: either setting the wrong stacklevel or not setting
it at all.

This work adds assertions for the existing warnings that were declaring
the correct stacklevel, but were lacking tests for it.
2024-08-28 11:44:05 -03:00
Adam Johnson
2b71b2c8dc
Refs #34609 -- Fixed deprecation warning stack level in format_html().
Co-authored-by: Simon Charette <charette.s@gmail.com>
2024-08-27 15:14:50 -03:00
nabil-rady
231c0d8593 Fixed #35668 -- Added mapping support to format_html_join. 2024-08-20 08:20:34 +02:00
Matthias Kestenholz
d84200e4eb Fixed #35648 -- Raised NotImplementedError in SafeString.__add__ for non-string RHS.
This change ensures SafeString addition operations handle non-string RHS
properly, allowing them to implement __radd__ for better compatibility.
2024-08-12 14:25:05 -03:00
Matthias Kestenholz
b5c048f5ec Refs #35648 -- Added test for addition between SafeString and str in utils_tests. 2024-08-12 14:25:05 -03:00
Mariusz Felisiak
5f1757142f Fixed CVE-2024-41991 -- Prevented potential ReDoS in django.utils.html.urlize() and AdminURLFieldWidget.
Thanks Seokchan Yoon for the report.

Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2024-08-06 08:50:08 +02:00
Sarah Boyce
ecf1f8fb90 Fixed CVE-2024-41990 -- Mitigated potential DoS in urlize and urlizetrunc template filters.
Thanks to MProgrammer for the report.
2024-08-06 08:50:08 +02:00
Adam Johnson
d666457453 Fixed CVE-2024-38875 -- Mitigated potential DoS in urlize and urlizetrunc template filters.
Thank you to Elias Myllymäki for the report.

Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2024-07-09 09:21:19 -03:00
Baptiste Mispelon
62300b81cf Fixed #12978 -- Added support for RSS feed stylesheets. 2024-06-18 17:25:43 +02:00
Shai Berger
f6ad8c7676 Refs CVE-2024-27351 -- Forwardported release notes and tests.
Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2024-03-04 08:22:00 +01:00
David Smith
6ee37ada32 Fixed #30686 -- Used Python HTMLParser in utils.text.Truncator. 2024-02-07 09:46:25 +01:00
David Smith
70f39e46f8 Refs #30686 -- Fixed text truncation for negative or zero lengths. 2024-02-07 05:18:35 +01:00
David Smith
48a4693951 Refs #30686 -- Improved test coverage of Truncator. 2024-02-06 16:35:08 +01:00
Mariusz Felisiak
305757aec1
Applied Black's 2024 stable style.
https://github.com/psf/black/releases/tag/24.1.0
2024-01-26 12:45:07 +01:00
Tim Graham
ecd3071dac
Fixed #35097 -- Tested parse_datetime() with bare date.
Regression test for behavior change in
f35ab74752.
2024-01-09 14:08:03 -03:00
Mariusz Felisiak
0c5456ef37
Used enterClassContext() where appropriate. 2024-01-04 05:55:29 +01:00
Mariusz Felisiak
d88ec42bd0
Used addCleanup() in tests where appropriate. 2023-12-31 10:01:31 +01:00
Nick Pope
baf705f34a Refs #34986 -- Fixed some test assertions for PyPy.
These failures were due to minor inconsistencies or implementation
differences between CPython and PyPy.
2023-11-28 06:19:38 +01:00
Nick Pope
6089230d3e Refs #34986 -- Fixed mocking in utils_tests.test_http.HttpDateProcessingTests.test_parsing_rfc850.
Mocking in the `datetime` module can be tricky. In CPython the datetime
C module is used, but PyPy uses a pure Python implementation. This
caused issues with the prior approach to mocking `datetime.datetime`.

See https://docs.python.org/3/library/unittest.mock-examples.html#partial-mocking
2023-11-28 06:19:38 +01:00
Nick Pope
5e28cd3f2c
Fixed #34983 -- Deprecated django.utils.itercompat.is_iterable(). 2023-11-24 12:06:29 +01:00
Nick Pope
74afcee234 Refs #34899 -- Extracted Field.flatchoices to flatten_choices helper function.
Co-authored-by: Natalia Bidart <124304+nessita@users.noreply.github.com>
2023-10-23 13:44:23 -03:00
Nick Pope
07fa79ef2b Refs #31262 -- Added __eq__() and __getitem__() to BaseChoiceIterator.
This makes it easier to work with lazy iterators used for callables,
etc. when extracting items or comparing to lists, e.g. during testing.

Also added `BaseChoiceIterator.__iter__()` to make it clear that
subclasses must implement this and added `__all__` to the module.

Co-authored-by: Adam Johnson <me@adamj.eu>
Co-authored-by: Natalia Bidart <124304+nessita@users.noreply.github.com>
2023-10-23 13:44:16 -03:00
Natalia
17b51094d7 Fixed CVE-2023-43665 -- Mitigated potential DoS in django.utils.text.Truncator when truncating HTML text.
Thanks Wenchao Li of Alibaba Group for the report.
2023-10-04 09:22:26 -03:00
Mariusz Felisiak
3f41d6d629 Fixed CVE-2023-41164 -- Fixed potential DoS in django.utils.encoding.uri_to_iri().
Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.

Co-authored-by: nessita <124304+nessita@users.noreply.github.com>
2023-09-04 11:58:37 +02:00
Nick Pope
500e01073a
Fixed #31262 -- Added support for mappings on model fields and ChoiceField's choices. 2023-08-30 22:57:40 -03:00
sarahboyce
f6ed2c36dd Fixed #34787 -- Fixed autoreloader crash when run from installed script on Windows. 2023-08-28 12:57:14 +02:00
konsti
48a1929ca0
Removed unnecessary trailing commas in tests. 2023-08-22 12:42:57 +02:00
Mariusz Felisiak
4c85d94bc0
Fixed utils_tests.test_lazyobject.SimpleLazyObjectPickleTestCase.
SimpleLazyObjectPickleTestCase executes database queries so it must
inherit from django.test.TestCase.
2023-08-20 16:09:07 +02:00
Mariusz Felisiak
4afaeb14c2
Refs #30116 -- Simplified tests related with dictionary order.
Dicts preserve order since Python 3.6.
2023-07-12 11:06:59 +02:00
Nick Pope
e042024b28 Allowed custom formatting of lazy() objects.
This allows for formatting of lazy objects which have a custom formatter
defined by overriding the default implementation from `object`.
2023-06-12 06:09:20 +02:00
Nick Pope
fd97b0471b Allowed multiplication of lazy() objects with int return type. 2023-06-12 05:59:40 +02:00
Ran Benita
ae94077e7d Made proxy class in lazy() prepare eagerly.
Previously, the proxy class was prepared lazily:

  lazy_identity = lazy(identity, int)
  lazy_identity(10)  # prepared here
  lazy_identity(10)

This has a slight advantage that if the lazy doesn't end up getting
used, the preparation work is skipped, however that's not very likely.

Besides this laziness, it is also inconsistent in that the methods which
are wrapped directly (__str__ etc.) are prepared already when __proxy__
is defined, and there is a weird half-initialized state.

This change it so that everything is prepared already on the first line
of the example above.
2023-06-12 05:45:44 +02:00
Nick Pope
e0e0204477 Added more tests for django.utils.functional.lazy(). 2023-06-12 05:29:30 +02:00
Ran Benita
a57d5d9bbc Made bytes and str return types no longer mutually exclusive in lazy().
They are no longer special cased.
2023-06-08 09:15:40 +02:00
Ran Benita
f5817c24f4 Refs #34445 -- Fixed string-casting of non-string lazy objects when value may be bytes.
If the result type is bytes, then calling bytes() on it does nothing.

If the result type is not bytes, we should not cast to bytes, just
because the return value may be bytes.
2023-06-08 06:38:11 +02:00
devilsautumn
094b0bea2c Fixed #34609 -- Deprecated calling format_html() without arguments. 2023-06-06 14:14:57 +02:00
Mariusz Felisiak
fc9c90d9c4
Refs #34118 -- Fixed FunctionalTests.test_cached_property_reuse_different_names() on Python 3.12+.
Python 3.12+ no longer wraps exceptions in __set_name__, see
55c99d97e1
2023-05-23 12:56:33 +02:00
Mariusz Felisiak
198a19b692
Refs #34483 -- Fixed timesince()/timeuntil() with timezone-aware dates on different days and interval less than 1 day.
Follow up to 813015d67e.
Regression in 8d67e16493.
2023-04-14 17:41:03 +02:00
nessita
813015d67e
Fixed #34483 -- Fixed timesince()/timeuntil() with timezone-aware dates and interval less than 1 day.
Regression in 8d67e16493.

Thanks Lorenzo Peña for the report.
2023-04-13 13:16:33 -03:00
Ran Benita
066aabcb77 Fixed #34445 -- Fixed string-casting of non-string lazy objects.
This removes __text_cast() as it's the same as __cast().
_delegate_bytes and __delegate_text are mutually exclusive so the
`if self._delegate_bytes` branch in __cast() is unreachable.

Co-Authored-By: David Sanders <shang.xiao.sanders@gmail.com>
2023-03-30 11:42:10 +02:00
Marcelo Galigniana
f9f0092346 Completed test coverage for django.utils.datastructures. 2023-02-15 07:45:00 +01:00
David Smith
097e3a70c1 Refs #33476 -- Applied Black's 2023 stable style.
Black 23.1.0 is released which, as the first release of the year,
introduces the 2023 stable style. This incorporates most of last year's
preview style.

https://github.com/psf/black/releases/tag/23.1.0
2023-02-01 11:04:38 +01:00
Nick Pope
1282b5e420 Fixed #32528 -- Replaced django.utils.topological_sort with graphlib.TopologicalSort().
graphlib.TopologicalSort() is available since Python 3.9.
2023-01-19 06:31:40 +01:00
Mariusz Felisiak
3bbe22dafc
Fixed #34233 -- Dropped support for Python 3.8 and 3.9. 2023-01-18 09:46:01 +01:00
Mariusz Felisiak
5c10041f46 Refs #30127 -- Removed name argument for django.utils.functional.cached_property().
Per deprecation timeline.
2023-01-17 11:49:15 +01:00
Mariusz Felisiak
2fad163257 Refs #32365 -- Removed is_dst argument for various methods and functions.
Per deprecation timeline.
2023-01-17 11:49:15 +01:00