mirror of https://github.com/django/django.git synced 2025-03-14 11:20:46 +00:00

3761 Commits

Author SHA1 Message Date
Tim Graham
26cd48e166 [1.5.x] Fixed #23157 -- Removed O(n) algorithm when uploading duplicate file names.
This is a security fix. Disclosure following shortly.
2014-08-20 11:44:02 -04:00
Florian Apolloner
45ac9d4fb0 [1.5.x] Prevented reverse() from generating URLs pointing to other hosts.
This is a security fix. Disclosure following shortly.
2014-08-20 11:44:02 -04:00
Ramiro Morales
291e837bda [1.5.x] Revert "Fixed #13794 -- Fixed to_field usage in BaseInlineFormSet."
This reverts commit 4ae68f677b3348765d8649d8b57beffa18fe8d3d.

stable/1.5.x branch is in security-fixes-only mode.
2014-07-14 21:12:40 -03:00
Tim Graham
4ae68f677b [1.5.x] Fixed #13794 -- Fixed to_field usage in BaseInlineFormSet.
Thanks sebastien at clarisys.fr for the report and gautier
for the patch.

Backport of 5e2c4a4bd1 from master
2014-07-14 12:38:43 -03:00
Erik Romijn
ad32c21885 [1.5.x] Added additional checks in is_safe_url to account for flexible parsing.
This is a security fix. Disclosure following shortly.
2014-05-12 09:42:06 -04:00
Aymeric Augustin
4001ec8698 [1.5.x] Dropped fix_IE_for_vary/attach.
This is a security fix. Disclosure following shortly.
2014-05-12 09:41:34 -04:00
Tim Graham
19bd6b9477 [1.5.x] Fixed #22486 -- Restored the ability to reverse views created using functools.partial.
Regression in 8b93b31487d6d3b0fcbbd0498991ea0db9088054.

Thanks rcoup for the report.

Backport of 3c06b2f2a3 from master
2014-04-23 09:01:38 -04:00
Erik Romijn
985434fb1d [1.5.x] Fixed queries that may return unexpected results on MySQL due to typecasting.
This is a security fix. Disclosure will follow shortly.

Backport of 75c0d4ea3ae48970f788c482ee0bd6b29a7f1307 from master
2014-04-21 18:31:08 -04:00
Aymeric Augustin
6872f42757 [1.5.x] Prevented leaking the CSRF token through caching.
This is a security fix. Disclosure will follow shortly.

Backport of c083e3815aec23b99833da710eea574e6f2e8566 from master
2014-04-21 18:31:05 -04:00
Tim Graham
2a5bcb69f4 [1.5.x] Fixed a remote code execution vulnerability in URL reversing.
Thanks Benjamin Bach for the report and initial patch.

This is a security fix; disclosure to follow shortly.

Backport of 8b93b31487d6d3b0fcbbd0498991ea0db9088054 from master
2014-04-21 18:30:57 -04:00
Alasdair Nicol
86c5115cad [1.5.x] Fixed #21538 -- Added numpy to test/requirements/base.txt
Thanks Tim Graham for the report

Backport of c75dd664c from master
2013-12-02 13:41:18 -05:00
Tim Graham
ed67184b30 Oracle defer test failure; refs #16436.
Oracle doesn't like grouping by TextField, so use CharFields instead in
models.

Backport of 728d3fe1bac6b5f23dbd088e11860cfba51cf7b5 from master
2013-10-21 18:56:25 -04:00
Tai Lee
b495c24375 [1.5.x] Fixed #16436 -- defer + annotate + select_related crash
Correctly calculate the ``aggregate_start`` offset from loaded fields,
if any are deferred, instead of ``self.query.select`` which includes all
fields on the model.

Backpatch of 69f7db153d8108dcef033207d49f4c80febf3d70 from master.
2013-10-09 13:55:32 +03:00
Michael Manfre
7ebd10019d [1.5.x] Fixed #21203 -- resolve_columns fields misalignment
In queries using .defer() together with .select_related() the values
and fields arguments didn't align properly for resolve_columns().

Backpatch of 8c27247397cf16b17d0153ae059593c5a468de01 from master.
2013-10-01 21:34:39 +03:00
Baptiste Mispelon
73ffe26816 [1.5.x] Fix #21185: Added tests for unescape_entities.
Also fixed a py3 incompatibility.
Thanks to brutasse for the report.

Backport of 3754f4ad410640382f9fe25073da03009cdc2ea3 from master.
2013-09-27 18:45:26 +02:00
Anssi Kääriäinen
b7e5b5ba1e [1.5.x] Fixed #21126 -- QuerySet value conversion failure
A .annotate().select_related() query resulted in misaligned rows vs
columns for compiler.resolve_columns() method.

Report & patch by Michael Manfre.

Backpatch of 83554b018ef283827c0e7459ab934d447b3419d5 from master.
2013-09-25 20:53:00 +03:00
Florian Apolloner
1fa8c612fc [1.5.x] Stopped a test from executing queries at the module level.
Currently module level queries are executed against the real database
(specified in NAME) instead of the test database; since it is too late
to fix this for 1.6, we at least ensure stable builds. Refs #21443.

Backport of 4fcc1e4ad8d153f41132b171c231b6d5d4086c28 from master.
2013-09-22 23:07:54 +02:00
Florian Apolloner
18fe77e4ed [1.5.x] Fixed "Address already in use" from liveserver.
Our WSGIServer rewrapped the socket errors from server_bind into
WSGIServerExceptions, which is used later on to provide nicer
error messages in runserver and used by the liveserver to see if
the port is already in use. But wrapping server_bind isn't enough since
it only binds to the socket, socket.listen (which is called from
server_activate) could also raise "Address already in use".

Instead of overriding server_activate too I chose to just catch socket
errors, which seems to make more sense anyways and should be more robust
against changes in wsgiref.

Backport of 2ca00faa913754cd5860f6e1f23c8da2529c691a from master
2013-09-22 22:08:59 +02:00
Florian Apolloner
87c8de2a06 Revert "[1.5.x] Silenced last sporadic failure on 1.5."
This reverts commit 6a708cd654fe63278ea8a14b3e44da847c62ebf4.

Reverted since it only moved the failures to some other tests and it apparently
only worked by accident. Patched selenium for now to include:
https://github.com/SeleniumHQ/selenium/pull/118
which seems to be the root cause for sporadic extra requests to the live server,
which then cause all sorts of issues.
2013-09-18 16:54:30 +02:00
Tim Graham
72f7932cfb [1.5.x] Fixed #21118 -- Isolated a test that uses the database.
Thanks rmboggs for the report.

Backport of 4f40b97d97 from master
2013-09-18 09:43:34 -04:00
Florian Apolloner
6a708cd654 [1.5.x] Silenced last sporadic failure on 1.5.
This commit is a last resort; technically the test is correct but our testsuite
has some threading issues when LiveServer is used. Since this will never get
fixed in 1.5 and apparently doesn't get triggered on 1.6 we just make sure the
test doesn't error out. I am not 100% sure why this actually fixes the issue,
but this is still better than having failing builds whenever we do a security
release for 1.5.

(Tested on jenkins itself, should work (tm)).
2013-09-17 22:33:11 +02:00
Florian Apolloner
4770fc1c62 [1.5.x] (Hopefully) fixed a failure in a selenium test.
No forward port to 1.6 since it has new transaction management. The
wait_page_loaded should ensure that the liveserver has time to tear
down properly after the submit.
2013-09-15 10:44:29 +02:00
Minjong Chung
e66fe357b2 Fixed #21102 -- pickling a QuerySet with prefetches twice
Fixed the bug that a QuerySet that prefetches related objects cannot be
pickled and unpickled more than once (The second pickling attempt
raises an exception).

Added a new test for the queryset pickling idempotency.

The bug was introduced by
bac187c0d8e829fb3ca2ca82965eabbcbcb6ddd5.
2013-09-14 10:03:03 +03:00
Tim Graham
988b61c550 [1.5.x] Prevented arbitrary file inclusion with {% ssi %} tag and relative paths.
Thanks Rainer Koirikivi for the report and draft patch.

This is a security fix; disclosure to follow shortly.

Backport of 7fe5b656c9 from master
2013-09-10 21:05:03 -04:00
Tim Graham
616a4d385a [1.5.x] Fixed #20922 -- Allowed customizing the serializer used by contrib.sessions
Added settings.SESSION_SERIALIZER which is the import path of a serializer
to use for sessions.

Thanks apollo13, carljm, shaib, akaariai, charettes, and dstufft for reviews.

Backport of b0ce6fe656 from master
2013-08-22 17:49:11 -04:00
Jacob Kaplan-Moss
90363e388c Apply autoescaping to AdminURLFieldWidget.
This is a security fix; disclosure to follow shortly.
2013-08-13 11:04:21 -05:00
Anssi Kääriäinen
bf4c8d8c98 [1.5.x] Fixed qs ordering related randomly failing test
The failure wasn't present in 1.6+, so this is not a backpatch.
2013-07-29 14:28:41 +03:00
Florian Apolloner
41492f0f1b [1.5.x] Simplified smart_urlquote and added some basic tests.
Backport of b70c371fc1f18ea0c43b503122df3f311afc7105 from master.
2013-07-28 10:07:29 +02:00
Tim Graham
dd2a512f68 [1.5.x] assertEquals -> assertEqual
2013-07-27 18:46:55 -04:00
Luke Plant
00b39e0145 [1.5.x] Fixed #19607 - prefetch_related crash
Thanks to av@rdf.ru and flarno11@yahoo.de for the report.

Backport of 4fd94969d8 from master
2013-07-27 17:59:27 -04:00
Tim Graham
8904e9fb98 [1.5.x] Fixed #20681 -- Prevented teardown_databases from attempting to tear down aliases
Thanks simonpercivall.

Backport of d9c580306c from master
2013-07-13 18:09:24 -04:00
Tim Graham
13546cae9c [1.5.x] Fixed #19196 -- Added test/requirements
Backport of 4d92a0bd86 from master.
2013-07-10 11:32:28 -04:00
Tim Graham
95aa2182b7 [1.5.x] Fixed #19940 -- Made test.runner.setup_databases properly handle aliases for defau
Thanks simonpercivall.

Backport of 2cbd579efe from master.
2013-07-04 20:41:01 -04:00
Daniel Lindsley
cb9aaac91f [1.5.x] Fixed #20212 - __reduce__ should only be defined for Py3+.
2013-05-21 10:17:27 -07:00
Anssi Kääriäinen
bac187c0d8 [1.5.x] Fixed prefetch_related + pickle regressions
There were a couple of regressions related to field pickling. The
regressions were introduced by QuerySet._known_related_objects caching.

The regressions aren't present in master, the fix was likely in
f403653cf146384946e5c879ad2a351768ebc226.

Fixed #20157, fixed #20257. Also made QuerySets with model=None
picklable.
2013-05-21 11:45:24 +03:00
Anssi Kääriäinen
0eddedf7db [1.5.x] Fixed #20278 -- ensured .get() exceptions do not recurse infinitely
A regression caused by d5b93d3281fe93cbef5de84a52 made .get() error
reporting recurse infinitely on certain rare conditions. Fixed this by
not trying to print the given lookup kwargs.

Backpatch of 266c0bb23e9d64c47ace4d162e582febd5a1e336
2013-05-20 19:05:43 +03:00
Tai Lee
23b234a9d9 [1.5.x] Fixed #20354 -- makemessages no longer crashes with UnicodeDecodeError
Handle the `UnicodeDecodeError` exception, send a warning to `stdout` with the
file name and location, and continue processing other files.
Backport of 99a6f0e77 from master.
2013-05-07 21:36:51 +02:00
Florian Apolloner
0b0d98fd4e [1.5.x] Fixed test failures introduced in a5becad9094e5c5403b692b9a7b3a6ffaabf64a3.
Backport of 780fa48f5fb81b2f0f58de95167abff84a6149aa from master
2013-05-05 16:14:41 +02:00
Claude Paroz
abdcf81843 [1.5.x] Fixed #20237 (again) Allowed binary parameter to assertContains
Backport of b04fd579d5 from master.
2013-04-12 20:16:35 +02:00
Baptiste Mispelon
9c49e64b66 [1.5.x] Fixed #20211: Document backwards-incompatible change in BoundField.label_tag
Also cleaned up label escaping and consolidated the test suite regarding
label_tag.
Backport of ab686022f from master.
2013-04-12 10:25:44 +02:00
Claude Paroz
427b59495e [1.5.x] Fixed #20237 -- Reenabled assertContains with binary parameter
Thanks Baptiste Mispelon for the review.
Backport of fe01404bb9 from master.
2013-04-11 10:58:06 +02:00
Simon Charette
d04e8f8c78 [1.5.x] Fixed #20207 -- Handle ManyToManyField with a unicode name correctly.
Backport of 216580e034.
2013-04-05 15:21:59 -04:00
Julien Phalip
a15a3e9148 [1.5.x] Fixed #20169 -- Ensured that the WSGI request's path is correctly based on the SCRIPT_NAME environment parameter or the FORCE_SCRIPT_NAME setting, regardless of whether or not those have a trailing slash. Thanks to bmispelon for the review.
Backport of 2f81a0ca6543f
2013-04-01 12:07:58 -07:00
Jacob Kaplan-Moss
bec250211b [1.5.x] Correctly restore warning capture after logging tests.
This is a fix to the wrong behavior that 15c3906eeb introduced.

Backport of 4befef9 from trunk.
2013-03-27 17:03:12 -05:00
Jacob Kaplan-Moss
9a41045b77 [1.5.x] Fixed logging-related test failure introduced by e79b857.
Backport of 654d8e9.
2013-03-27 12:21:26 -05:00
Preston Holmes
572a300e56 [1.5.x] Fixed #18985 -- ensure module level deprecations are displayed
Also don't compete with -W CLI option.

Thanks to Aymeric Augustin for the catch, and Claude Paroz for the patch.

Backport of e79b857a07905340556f781a7d63016236b21c61 from master.
2013-03-27 10:37:47 -05:00
Anssi Kääriäinen
207117ae73 [1.5.x] Fixed #20091 -- Oracle null promotion for empty strings
Backpatch of e17fa9e877e84e93b699c2bd13ea48dbbb86e451
2013-03-26 15:05:37 +02:00
Claude Paroz
deec020bf5 [1.5.x] Fixed #20108 -- Fixed filepath_to_uri decoding error
This was a regression due to unicode_literals usage. Thanks Ivan
Virabyan for the report and the initial patch.
Backport of 164528acc8 from master.
2013-03-22 17:58:36 +01:00
Marc Tamlyn
dd897e4eeb [1.5.x] Fixed #20094 - Be more careful when checking for Iterator
Python 2.6 has some different behaviour when checking
isinstance(foo, collections.Iterator).
Backport of 829dc3c5 from master.
2013-03-22 17:45:41 +01:00
Claude Paroz
b91067d9aa [1.5.x] Revert "Fixed #19895 -- Made second iteration over invalid queryset raise an exception too"
This reverts commit d1e87eb3baf75b1b6a0ada46a9b77f7e347cdb60.
This commit was the cause of a memory leak. See ticket for more details.
Thanks Anssi Kääriäinen for identifying the source of the bug.
2013-03-20 10:43:14 +01:00