Value(None, JSONField()) when used in When.condition incorrectly resolved with
for_save=True, resulting in the value being serialized as SQL NULL instead of
JSON null.
Regression in c1fa3fdd040718356e5a3b9a0fe699d73f47a940.
Thanks to Thomas McKay for the report, and to David Sanders and Simon Charettes
for the review.
Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
Backport of 104cbfd44b9eff010daf0ef0e1ce434385855b13 from main.
When matching which entry in the `Accept` header should be used for
a given media type, the specificity matters. However once those are
resolved, only the quality matters when selecting preference.
Regression in c075508b4de8edf9db553b409f8a8ed2f26ecead.
Thank you to Anders Kaseorg for the report.
Backport of 12c1557060fc94fe5e1fbddc4578a4e29d38f77c from main.
The "q" key was removed while addressing ticket #36411. Despite
`MediaType.params` is undocumented and considered internal, it was used
in third-party projects (Zulip reported breakage), so this work restored
the `q` key in `params`.
Thanks Anders Kaseorg for the report.
Regression in c075508b4de8edf9db553b409f8a8ed2f26ecead.
Backport of cf5f36bf903a2854f5e395149cee707115b83744 from main.
The for_save flag wasn't properly propagated when resolving expressions, which
prevented get_db_prep_save() from being called in some cases. This affected
fields like JSONField where None would be saved as JSON null instead of SQL NULL.
Regression in 00c690efbc0b10f67924687f24a7b30397bf47d9.
Thanks to David Sanders and Simon Charette for reviews.
Co-authored-by: Adam Johnson <me@adamj.eu>
Backport of c1fa3fdd040718356e5a3b9a0fe699d73f47a940 from main.
Migrated remaining response-related logging to use the `log_response()`
helper to avoid potential log injection, to ensure untrusted values like
request paths are safely escaped.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of 957951755259b412d5113333b32bf85871d29814 from main.
Suitably crafted requests containing a CRLF sequence in the request
path may have allowed log injection, potentially corrupting log files,
obscuring other attacks, misleading log post-processing tools, or
forging log entries.
To mitigate this, all positional formatting arguments passed to the
logger are now escaped using "unicode_escape" encoding.
Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report.
Co-authored-by: Carlton Gibson <carlton@noumenal.es>
Co-authored-by: Jake Howard <git@theorangeone.net>
Backport of a07ebec5591e233d8bbb38b7d63f35c5479eef0e from main.
Regression in 626d77e52a3f247358514bcf51c761283968099c.
Refs #36116.
Thanks Cornelis Poppema for the excellent report.
Backport of 08187c94ed02c45ad40a32244dedeaa7ac71ca87 from main.
HttpRequest.get_preferred_type() did not account for parameters in
Accept header media types (e.g., "text/vcard; version=3.0"). This caused
incorrect content negotiation when multiple types differed only by
parameters, reducing specificity as per RFC 7231 section 5.3.2
(https://datatracker.ietf.org/doc/html/rfc7231.html#section-5.3.2).
This fix updates get_preferred_type() to treat media types with
parameters as distinct, allowing more precise and standards-compliant
matching.
Thanks to magicfelix for the report, and to David Sanders and Sarah
Boyce for the reviews.
Backport of c075508b4de8edf9db553b409f8a8ed2f26ecead from main.
In the admin's filter_horizontal widget, optional action buttons like
"Choose all", "Remove all", etc. were changed from `<a>` to `<button>`
elements in #34619, but without specifying `type="button"`. As a result,
when pressing Enter while focused on a form input, these buttons could
be triggered and intercept form submission.
Explicitly set `type="button"` on these control buttons to prevent them
from acting as submit buttons.
Thanks Antoliny Lee for the quick triage and review.
Regression in 857b1048d53ebf5fc5581c110e85c212b81ca83a.
Backport of 90429625a85f1f77dfea200c91bd2dabab57974f from main.
Regression in a76035e925ff4e6d8676c65cb135c74b993b1039.
Thank you to Simon Charette for the review.
co-authored-by: Simon Charette <charette.s@gmail.com>
Backport of b8e5a8a9a2a767f584cbe89a878a42363706f939 from main.
Regression in 50f89ae850f6b4e35819fe725a08c7e579bfd099.
Thank you to shamoon for the report and Natalia Bidart for the review.
Backport of 1704c49a9b149b66b6a0e67abc8c95293bc35649 from main.
Regression in 9cb8baa0c4fa2c10789c5c8b65f4465932d4d172.
Thank you to Antoine Humeau for the report and Simon Charette for the review.
Backport of 802baf5da5b8d8b44990a8214a43b951e7ab8b39 from main.
Thanks to Elias Myllymäki for the report, and Shai Berger and Jake
Howard for the reviews.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of 9f3419b519799d69f2aba70b9d25abe2e70d03e0 from main.
Thanks to Baptiste Mispelon for the report and quick fix, and to Simon
Charette and Jacob Walls for the reviews.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of 66f9eb0ff1e7147406318c5ba609729678e4e6f6 from main.
Previously, any first field of a composite primary key with type
`INTEGER` was incorrectly introspected as an `AutoField` due to SQLite
treating `INTEGER PRIMARY KEY` as an alias for the `ROWID`.
This change ensures that integer fields in composite PKs are not
mistaken for auto-incrementing fields.
Thanks Jacob Walls and Sarah Boyce for the reviews.
Backport of 07100db6f46255ec6ef70b860495f977473684d6 from main.
Now that Django properly supports creating models with composite primary
keys, the tests should use a `CompositePrimaryKey` field instead of a
feature flag to inline backend specific SQL for creating a composite PK.
Specifcially, the inspectdb's test_composite_primary_key was adjusted to
use schema editor instead of per-backend raw SQL.
Backport of 4c75858135589f3a00e32eb4d476074536371a32 from main.
The issue was only manifesting itself when also filtering againt a related
model as that forces the usage of a subquery because SQLUpdateCompiler doesn't
support the UPDATE FROM syntax yet.
Regression in 65ad4ade74dc9208b9d686a451cd6045df0c9c3a.
Refs #28900.
Thanks Gav O'Connor for the detailed report.
Backport of 8ef4e0bd423ac3764004c73c3d1098e7a51a2945 from main.
Regression in aba0e541caaa086f183197eaaca0ac20a730bbe4 and in
d5bebc1c26d4c0ec9eaa057aefc5b38649c0ba3b.
Thanks Florent Messa for the report, and Jake Howard and Claude
Paroz for the review.
Backport of 0596263c3136bc26cffa670e5322bd0aa56c4d34 from main.
Regression in 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b.
This work improves the django.utils.text.wrap() function to ensure that
empty lines and lines with whitespace only are kept instead of being
dropped.
Thanks Matti Pohjanvirta for the report and fix.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of 1e9db35836d42a3c72f3d1015c2f302eb6fee046 from main.
This reverts commits b1324a680add78de24c763911d0eefa19b9263bc and
02a5cbfe76382da2a0414df17017185be5bd47f9. The former caused a regression
in admin sites that relied on the `object-tools` block being inside the
`content` block.
Thank you to Fabian Braun for the report.
Backport of 1bc805e23b73a580b82a1d416ab0fb59a1073047 from main.
Regression in ec7d69035a408b357f1803ca05a7c991cc358cfa.
Thank you Gabriel Trouvé for the report and Claude Paroz for the review.
Backport of d469db978ea6a705549b9519313d9adc198e4232 from main.
Now that selected aliases are stored in sql.Query.selected: dict[str, Any]
the values_list() method must ensures that duplicate field name references are
assigned unique aliases.
Refs #28900.
Regression in 65ad4ade74dc9208b9d686a451cd6045df0c9c3a.
Thanks Claude for the report.
Backport of 21f8be76d43aa1ee5ae41c1e0a428cfea1f231c1 from main.
Regression in 65ad4ade74dc9208b9d686a451cd6045df0c9c3a which allowed for
annotations to be SELECT'ed before model field references through
values()/values_list() and broke assumptions the select_for_update(of)
table infererence logic had about model fields always being first.
Refs #28900.
Thanks OutOfFocus4 for the report and Sarah for the test.
Backport of 71a19a0e475165dbc14c1fe02f552013ee670e4c from main
Regression in 58cd4902a71a3695dd6c21dc957f59c333db364c.
Thanks Baptiste Mispelon for the report.
Backport of 8ad3e80e88201f4c557f6fa79fcfc0f8a0961830 from main.
Regression in 65ad4ade74dc9208b9d686a451cd6045df0c9c3a.
Refs #28900.
Thanks Jeff Iadarola for the report and tests.
Co-Authored-By: OutOfFocus4 <jeff.iadarola@gmail.com>
Backport of 12b771a1ec4bbfe82405176f5601e6441855a303 from main
Swapped to an allow list instead of a deny list for field types to
determine if the UNNEST optimization can be enabled to avoid further
surprises with other types that would require further specialization to
adapt.
Regression in a16eedcf9c69d8a11d94cac1811018c5b996d491.
Thanks Joshua Goodwin for the report and Sarah Boyce for the test.
Backport of 764af7a3d6c0b543dcf659a2c327f214da768fe4 from main
Just like the In() lookup discards of None members TupleIn() should
discard tuples containing any None as NULL != NULL in SQL and the
framework expects such queries to be elided under some circumstances.
Refs #31667, #36116.
Thanks Basptise Mispelon for bisecting the regression to 626d77e.
Backport of f7f38f3a0b44d8c6d14344dae66b6ce52cd77b55 from main
Regression in 65ad4ade74dc9208b9d686a451cd6045df0c9c3a.
Refs #28900
Thanks Patrick Altman for the report.
Backport of 543e17c4405dfdac4f18759fc78b190406d14239 from main
Thank you Adam Johnson for the report and fix. Thank you Sarah Boyce for
your spot on analysis.
Regression in c09bceef68e5abb79accedd12dade16aa6577a09, which is
partially reverted in this branch.
Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
Backport of 27b68bcadf1ab2e9f7fd223aed42db352ccdc62d from main.
Thank you Raffaella for the report. Thank you Tim Schilling and Natalia Bidart
for the reviews.
Backport of de1117ea8eabe0ee0aa048e5a4e249eab7c4245e from main.
Regression in 40b3975e7d3e1464a733c69171ad7d38f8814280.
Thanks smiling-watermelon for the report.
Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
Backport of c09bceef68e5abb79accedd12dade16aa6577a09 from main.
Avoids reports of bulk_update() sending Cast expressions
to JSONField.get_prep_value().
Co-authored-by: Simon Charette <charette.s@gmail.com>
Backport of 0bf412111be686b6b23e00863f5d449d63557dbf from main.
