Thanks Seokchan Yoon for the report, Markus Holtermann for the
triage, and Jake Howard for the review.
Follow-up to CVE-2025-27556 and 39e2297210.
Backport of c880530ddd from main.
Proxy models subclassing a model with a CompositePrimaryKey were
incorrectly reporting check errors because the check that requires only
local fields to be used in a composite pk was evaluated against the proxy
subclass, which has no fields.
To fix this, composite pk field checks are not evaluated against
proxy subclasses, as none of the checks are applicable to proxy
subclasses. This also has the benefit of not double-reporting real check
errors from an invalid superclass pk.
Thanks Clifford Gama for the review.
Backport of 74564946c3 from main.
tblib 3.2+ makes exception subclasses with __init__() and the default
__reduce__() picklable. This broke the test for
RemoteTestResult._confirm_picklable(), which expects a specific
exception to fail unpickling.
https://github.com/ionelmc/python-tblib/blob/master/CHANGELOG.rst#320-2025-10-21
This fix defines ExceptionThatFailsUnpickling.__reduce__() in a way
that pickle.dumps(obj) succeeds, but pickle.loads(pickle.dumps(obj))
raises TypeError.
Refs #27301. This preserves the intent of the regression test from
52188a5ca6 without skipping it.
Backport of 548209e620 from main.
Further details about Python changes can be found in:
0243f97cba.
Refs #36499. Thank you Clifford Gama for the thorough review!
Backport of e4515dad7a from main.
This allows the proper resolving of lookups when performing constraint
validation involving Q and Case objects.
Thanks Andrew Roberts for the report and Sarah for the tests and review.
Backport of 079d31e698 from main.
This allows the proper resolving of F("field__transform") when
performing constraint validation.
Thanks Tom Hall for the report and Sarah for the test.
Prerequisite for #36518.
Backport of fc30355107 from main.
On Jenkins with Python 3.10:
Traceback (most recent call last):
File "[...]/python3.10/tests/composite_pk/test_filter.py", line 559, in setUp
self.enterContext(feature_patch)
AttributeError: 'CompositePKFilterTupleLookupFallbackTests' object has no attribute 'enterContext'
When native support for tuple lookups is missing in a DB backend, it can
be emulated with an EXISTS clause. This is controlled by the backend
feature flag "supports_tuple_lookups".
The mishandling of subquery right-hand side in `TupleIn` (added to
support `CompositePrimaryKey` in Refs #373) was likely missed because
the only core backend we test with the feature flag disabled
(Oracle < 23.4) supports it natively.
Thanks to Nandana Raol for the report, and to Sarah Boyce, Jacob Walls,
and Natalia Bidart for reviews.
Backport of 192bc7a7be from main.
Value(None, JSONField()) when used in When.condition incorrectly resolved with
for_save=True, resulting in the value being serialized as SQL NULL instead of
JSON null.
Regression in c1fa3fdd04.
Thanks to Thomas McKay for the report, and to David Sanders and Simon Charettes
for the review.
Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
Backport of 104cbfd44b from main.
When matching which entry in the `Accept` header should be used for
a given media type, the specificity matters. However once those are
resolved, only the quality matters when selecting preference.
Regression in c075508b4d.
Thank you to Anders Kaseorg for the report.
Backport of 12c1557060 from main.
The "q" key was removed while addressing ticket #36411. Despite
`MediaType.params` is undocumented and considered internal, it was used
in third-party projects (Zulip reported breakage), so this work restored
the `q` key in `params`.
Thanks Anders Kaseorg for the report.
Regression in c075508b4d.
Backport of cf5f36bf90 from main.
The for_save flag wasn't properly propagated when resolving expressions, which
prevented get_db_prep_save() from being called in some cases. This affected
fields like JSONField where None would be saved as JSON null instead of SQL NULL.
Regression in 00c690efbc.
Thanks to David Sanders and Simon Charette for reviews.
Co-authored-by: Adam Johnson <me@adamj.eu>
Backport of c1fa3fdd04 from main.
Migrated remaining response-related logging to use the `log_response()`
helper to avoid potential log injection, to ensure untrusted values like
request paths are safely escaped.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of 9579517552 from main.
Suitably crafted requests containing a CRLF sequence in the request
path may have allowed log injection, potentially corrupting log files,
obscuring other attacks, misleading log post-processing tools, or
forging log entries.
To mitigate this, all positional formatting arguments passed to the
logger are now escaped using "unicode_escape" encoding.
Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report.
Co-authored-by: Carlton Gibson <carlton@noumenal.es>
Co-authored-by: Jake Howard <git@theorangeone.net>
Backport of a07ebec559 from main.
HttpRequest.get_preferred_type() did not account for parameters in
Accept header media types (e.g., "text/vcard; version=3.0"). This caused
incorrect content negotiation when multiple types differed only by
parameters, reducing specificity as per RFC 7231 section 5.3.2
(https://datatracker.ietf.org/doc/html/rfc7231.html#section-5.3.2).
This fix updates get_preferred_type() to treat media types with
parameters as distinct, allowing more precise and standards-compliant
matching.
Thanks to magicfelix for the report, and to David Sanders and Sarah
Boyce for the reviews.
Backport of c075508b4d from main.
In the admin's filter_horizontal widget, optional action buttons like
"Choose all", "Remove all", etc. were changed from `<a>` to `<button>`
elements in #34619, but without specifying `type="button"`. As a result,
when pressing Enter while focused on a form input, these buttons could
be triggered and intercept form submission.
Explicitly set `type="button"` on these control buttons to prevent them
from acting as submit buttons.
Thanks Antoliny Lee for the quick triage and review.
Regression in 857b1048d5.
Backport of 90429625a8 from main.
