mirror of https://github.com/django/django.git synced 2025-03-14 11:20:46 +00:00

5721 Commits

Author SHA1 Message Date
Tim Graham
ae49b4d994 [1.7.x] Prevented newlines from being accepted in some validators.
This is a security fix; disclosure to follow shortly.

Thanks to Sjoerd Job Postmus for the report and draft patch.
2015-07-08 07:35:43 -04:00
Marten Kenbeek
9bd3a2325e [1.7.x] Refs #23621 -- Fixed warning message when reloading models.
Backport of aabb58428beae0bd34f32e5d620a82486b670499 from master
2015-06-30 15:01:28 -04:00
Tim Graham
207da07d59 [1.7.x] Fixed #24903 -- Fixed assertRaisesMessage on Python 2.7.10.
A regression found in Python 2.7.10 rc1 wasn't reverted for the final
release: https://bugs.python.org/issue24134

Backport of two commits from master:
* c2bc1cefdcbbf074408f4a4cace88b315cf9d652
* e89c3a46035e9fe17c373a6c9cd63b9fd631d596
2015-06-09 16:14:49 -04:00
Andriy Sokolovskiy
927d90ee1e [1.7.x] Fixed #24817 -- Prevented loss of null info in MySQL field renaming.
Backport of 80ad5472ce4b6ba6e94227422d0727371e97cdf0 from master
2015-05-28 10:26:27 -04:00
Shai Berger
773ec512b1 [1.7.x] Fixed #24595 Oracle test failure
The only problem for Oracle was the test, which tested nullity on
text/char fields -- but Oracle interprets_empty_strings_as_null.

Backport of d5a0acc from master
2015-04-18 19:17:10 +03:00
Claude Paroz
ada0845dda [1.7.x] Fixed #24595 -- Prevented loss of null info in MySQL field alteration
Thanks Simon Percivall for the report, and Simon Charette and Tim
Graham for the reviews.
Backport of 02260ea3f61b from master.
2015-04-17 10:48:13 +02:00
Anssi Kääriäinen
c3a9820251 [1.7.x] Fixed #24605 -- Fixed incorrect reference to alias in subquery.
Thanks to charettes and priidukull for investigating the issue, and to
kurevin for the report.

Backport of 355c5edd9390caad5725375abca03460805f663b from master
2015-04-16 09:32:23 -04:00
Tim Graham
2a4113dbd5 [1.7.x] Made is_safe_url() reject URLs that start with control characters.
This is a security fix; disclosure to follow shortly.
2015-03-18 08:51:51 -04:00
Tim Graham
e63363f8e0 [1.7.x] Fixed an infinite loop possibility in strip_tags().
This is a security fix; disclosure to follow shortly.
2015-03-18 08:51:21 -04:00
John Giannelos
cb48e192fb [1.7.x] Fixed #24427 -- Stopped writing migration files in dry run mode when merging.
Also added display of migration to stdout when verbosity=3.

Backport of 8758a63ddbbf7a2626bd84d50cfe83b477e8de0a from master
2015-03-16 19:58:08 -04:00
Matthew Wilkes
d0607a7eee [1.7.x] Fixed #24354 -- Prevented repointing of relations on superclasses when migrating a subclass's name change
2015-03-14 15:35:16 -04:00
Baptiste Mispelon
2654e1b939 [1.7.x] Fixed #24461 -- Fixed XSS issue in ModelAdmin.readonly_fields
2015-03-09 10:17:54 -04:00
Jean-Louis Fuchs
283b630d63 Fixed #24447 -- Made migrations add FK constraints for existing columns
When altering from e.g. an IntegerField to a ForeignKey, Django didn't
add a constraint.

Backport of f4f0060feaee6bbd76a0d575487682bc541111e4 from master
2015-03-07 14:30:28 +01:00
Gabriel Muñumel
0831a43c3a [1.7.x] Fixed #24352 -- Fixed crash when coercing `ManyRelatedManager` to a string.
2015-02-26 11:00:52 -05:00
Aymeric Augustin
9b7d512d5f [1.7.x] Fixed #24318 -- Set the transaction isolation level with psycopg >= 2.4.2.
Backport of 76356d96 from master
2015-02-14 18:52:53 +01:00
Markus Holtermann
37b50db092 [1.7.x] Refs #24236 -- Added regression test for 3d4a826174b7a411a03be39725e60c940944a7fe
Thanks irc user ris for the report
2015-02-09 16:48:51 +01:00
Andriy Sokolovskiy
3d4a826174 [1.7.x] Fixed #24104 -- Fixed check to look on field.get_internal_type() instead of class instance
2015-01-27 14:40:39 +01:00
Claude Paroz
b1bf8d64fb [1.7.x] Fixed #24193 -- Prevented unclosed file warnings in static.serve()
This regression was caused by 818e59a3f0. The patch is a partial
backport of the new FileResponse class available in later Django
versions.
Thanks Raphaël Hertzog for the report, and Tim Graham and Collin
Anderson for the reviews.
2015-01-23 08:58:34 +01:00
Markus Holtermann
70845c6809 [1.7.x] Refs #24163 -- Fixed failing Oracle test when migrating from ForeignKey to OneToOneField
Thanks Tim Graham for review

Backport of 64ecb3f07db4be5eef4d9eb7687f783ee446c82f from master
2015-01-20 17:46:37 +01:00
Tim Graham
7a1ccc0699 [1.7.x] Fixed #24153 -- Fixed cookie test compatibility with Python 3.4.3+
Backport of b19b81b3960ec2090d40be65547502a3386a769b from master
2015-01-19 15:41:29 -05:00
Markus Holtermann
db2a97870d [1.7.x] Fixed #24163 -- Removed unique constraint after index on MySQL
Thanks Łukasz Harasimowicz for the report.

Backport of 5792e6a88c1444d4ec84abe62077338ad3765b80 from master
2015-01-19 17:25:05 +01:00
Markus Holtermann
29737a2949 [1.7.x] Cleaned up migration writer tests
Backport of 65d55c409343aab7c2ae771c459720ef797b4cdb from master
2015-01-17 20:45:41 +01:00
Collin Anderson
cef3f805c2 [1.7.x] Fixed #24160 -- Fixed model_regress test on Windows; refs #24007.
Backport of 5338ff4808c822a8b00e90154b884b7be3011e60 from master
2015-01-16 12:03:15 -05:00
Tim Graham
433e7dd507 [1.7.x] Fixed #23312 -- Marked an i18n test as expectedFailure on Windows/Python 3.
2015-01-16 10:31:49 -05:00
Tim Graham
065b2a82f6 [1.7.x] Fixed #24135 -- Made RenameModel rename many-to-many tables.
Thanks Simon and Markus for reviews.

Backport of 28db4af80a319485c0da724d692e2f8396aa57e3 from master
2015-01-15 20:43:49 -05:00
Tim Graham
02c059ff7f [1.7.x] Fixed a static view test on Windows.
Backport of a6f144fd4fee0090de3a99b1f50a4142722e7946 from master
2015-01-14 13:57:10 -05:00
Tim Graham
bcfb47780c [1.7.x] Fixed DoS possibility in ModelMultipleChoiceField.
This is a security fix. Disclosure following shortly.

Thanks Keryn Knight for the report and initial patch.
2015-01-13 13:02:56 -05:00
Tim Graham
818e59a3f0 [1.7.x] Prevented views.static.serve() from using large memory on large files.
This is a security fix. Disclosure following shortly.
2015-01-13 13:02:56 -05:00
Tim Graham
de67dedc77 [1.7.x] Fixed is_safe_url() to handle leading whitespace.
This is a security fix. Disclosure following shortly.
2015-01-13 13:02:56 -05:00
Carl Meyer
41b4bc73ee [1.7.x] Stripped headers containing underscores to prevent spoofing in WSGI environ.
This is a security fix. Disclosure following shortly.

Thanks to Jedediah Smith for the report.
2015-01-13 13:02:56 -05:00
Markus Holtermann
ef5889409b [1.7.x] Fixed #24110 -- Rewrote migration unapply to preserve intermediate states
Backport of fdc2cc948725866212a9bcc97b9b7cf21bb49b90 and be158e36251df0b07556657da47cdaf10913c57a from master
2015-01-11 00:35:49 +01:00
Claude Paroz
7e65876b7c [1.7.x] Fixed #24097 -- Prevented AttributeError in redirect_to_login
Thanks Peter Schmidt for the report and the initial patch.
Thanks to Oktay Sancak for writing the original failing test and
Alvin Savoy for supporting contributing back to the community.
Backport of d7bc37d61 from master.
2015-01-10 10:13:50 +01:00
Tim Graham
bbcbacf0ad [1.7.x] Silenced deprecation warning in test_runner app.
2015-01-08 09:44:21 -05:00
Tim Graham
600ea43e67 [1.7.x] Silenced initial_data fixtures warning in test suite.
2015-01-08 09:43:40 -05:00
Tim Graham
557c514f90 [1.7.x] Fixed #24095 -- Prevented WarningLoggerTests from leaking a warnings filter.
Backport of ade985999657eaef6a9510c2aeba9b2196d7bf6e from master
2015-01-08 09:09:24 -05:00
Claude Paroz
d8fb557a51 [1.7.x] Fixed #23815 -- Prevented UnicodeDecodeError in CSRF middleware
Thanks codeitloadit for the report, living180 for investigations
and Tim Graham for the review.
Backport of 27dd7e7271 from master.
2015-01-06 08:45:10 +01:00
Andrey Maslov
8de2a44064 [1.7.x] Fixed #24008 -- Fixed ValidationError crash with list of dicts.
Backport of 7a878ca5cb50ad65fc465cb263a44cc93629f75c from master
2014-12-31 14:46:17 -05:00
Tim Graham
4abfa73c18 [1.7.x] Renamed tests for util -> utils moves; refs #17627.
Backport of 8a9b0c15a6c0ef60dea3ba3042317520bc201206 from master
2014-12-31 11:33:27 -05:00
Tim Graham
c0bed63889 [1.7.x] Fixed a queries test on Python 2 broken after importing six.moves.range().
Backport of 837fc2d8cdfefce375697d95e241836c7be12696 from master
2014-12-31 09:51:10 -05:00
Piotr Pawlaczek
e11ff3975f [1.7.x] Fixed #23758 -- Allowed more than 5 levels of subqueries
Refactored bump_prefix() to avoid infinite loop and allow more than
5 subqueries by extending the alphabet to use multi-letters.

Backport of 41fc1c0b5eac156e200a10233c7c9210a1c0fed8 from master
2014-12-31 09:42:07 -05:00
Markus Holtermann
d49b5851b4 [1.7.x] Added test for an intermediate swappable model change in migration state.
refs #22563

Backport of fca866763acb6b3414c20ca3772b94cb5d111733 from master
2014-12-30 10:03:41 -05:00
Tim Graham
a9da5dd5b6 [1.7.x] Fixed #23581 -- Prevented extraneous DROP DEFAULT statements.
Thanks john_scott for the report and Markus Holtermann for review.

Backport of ab4f709da4516672b0bd811f2b4d0c4ba9f5b636 from master
2014-12-30 08:31:18 -05:00
Tim Graham
79645529e7 Revert "[1.7.x] Fixed #23938 -- Added migration support for m2m to concrete fields and vice versa"
This reverts commit 1702bc52cc20ed0729893177fc8f4391b4b3183c.

This doesn't work on stable/1.7.x because #23844 wasn't backported and we're
not willing to do so because it's a large change.
2014-12-29 15:37:15 -05:00
Markus Holtermann
1702bc52cc [1.7.x] Fixed #23938 -- Added migration support for m2m to concrete fields and vice versa
Thanks to Michael D. Hoyle for the report and Tim Graham for the review.

Backport of 623ccdd598625591d1a12fc1564cf3ef9a87581f from master
2014-12-29 13:42:29 -05:00
Aymeric Augustin
3483682749 [1.7.x] Fixed #23831 -- Supported strings escaped by third-party libs in Django.
Refs #7261 -- Made strings escaped by Django usable in third-party libs.

The changes in mark_safe and mark_for_escaping are straightforward. The
more tricky part is to handle correctly objects that implement __html__.

Historically escape() has escaped SafeData. Even if that doesn't seem a
good behavior, changing it would create security concerns. Therefore
support for __html__() was only added to conditional_escape() where this
concern doesn't exist.

Then using conditional_escape() instead of escape() in the Django
template engine makes it understand data escaped by other libraries.

Template filter |escape accounts for __html__() when it's available.
|force_escape forces the use of Django's HTML escaping implementation.

Here's why the change in render_value_in_context() is safe. Before Django
1.7 conditional_escape() was implemented as follows:

    if isinstance(text, SafeData):
        return text
    else:
        return escape(text)

render_value_in_context() never called escape() on SafeData. Therefore
replacing escape() with conditional_escape() doesn't change the
autoescaping logic as it was originally intended.

This change should be backported to Django 1.7 because it corrects a
feature added in Django 1.7.

Thanks mitsuhiko for the report.

Backport of 6d52f6f from master.
2014-12-27 18:26:20 +01:00
Aymeric Augustin
b429a9796a [1.7.x] Fixed an inconsistency introduced in 547b1810.
mark_safe and mark_for_escaping should have been kept similar.

On Python 2 this change has no effect. On Python 3 it fixes the use case
shown in the regression test for mark_for_escaping, which used to raise
a TypeError. The regression test for mark_safe is just for completeness.

Backport of 5c5eb5fe from master.
2014-12-27 18:17:18 +01:00
Claude Paroz
322560489b [1.7.x] Fixed #24051 -- Made schema infrastructure honor tablespaces
Partial backport of 30cbd5d36. Thanks Douglas J. Reynolds for the
report and initial patch.
2014-12-27 15:12:17 +01:00
Tim Graham
51ea30a43b [1.7.x] Fixed #24037 -- Prevented data loss possibility when changing Meta.managed.
The migrations autodetector now issues AlterModelOptions operations for
Meta.managed changes instead of DeleteModel + CreateModel.

Thanks iambibhas for the report and Simon and Markus for review.

Backport of 061caa5b386681dc7bdef16918873043224a299c from master
2014-12-23 14:26:56 -05:00
Oscar Ramirez
1ad5deedd4 [1.7.x] Fixed #23998 -- Added datetime.time support to migrations questioner.
Backport of 54085b0f9ba7d9f705f9b9c90d3433b0ef6aa042 from master
2014-12-22 07:26:57 -05:00
Claude Paroz
ea18652238 [1.7.x] Made model_regress unpickling test CWD-independent
Refs #24007. Thanks Tim Graham for his help with the patch.

Backport of 1d9fc5caa947ff4ee72180185e91a9a145171712 and
995be4a1375340a53668dd80444756d77302000d from master
2014-12-19 14:26:46 -05:00