mirror of https://github.com/django/django.git synced 2025-03-14 11:20:46 +00:00

4442 Commits

Author SHA1 Message Date
Simon Charette
2fd16232b1 [1.6.x] Fixed #23754 -- Always allowed reference to the primary key in the admin
This change allows dynamically created inlines "Add related" button to work
correctly as long as their associated foreign key is pointing to the primary
key of the related model.

Thanks to amorce for the report, Julien Phalip for the initial patch,
and Collin Anderson for the review.

Backport of f9c4e14aeca7df79991bca8ac2d743953cbd095c from master
2014-11-25 13:48:50 -05:00
Emmanuelle Delescolle
c5c4bfa12a [1.6.x] Fixed #23604 -- Allowed related m2m fields to be references in the admin.
Thanks Simon Charette for review.

Backport of a24cf21722 from master
2014-10-06 08:50:48 -04:00
Tim Graham
011541d948 [1.6.x] Required numpy < 1.9 for tests; refs #23489.
Backport of 4743a94429 from stable/1.7.x
2014-09-29 19:58:00 -04:00
Simon Charette
a7af6ad96a [1.6.x] Fixed #23431 -- Allowed inline and hidden references to admin fields.
This fixes a regression introduced by the 53ff096982 security fix.

Thanks to @a1tus for the report and Tim for the review.

refs #23329.

Backport of 342ccbd from master
2014-09-08 14:05:26 -04:00
Akis Kesoglou
b877697472 [1.6.x] Fixed #23370 -- defer() + select_related() crashed with inherited models.
Backport of 6613ea6e3f from master
2014-08-30 07:16:47 -04:00
Simon Charette
e3453b61c6 [1.6.x] Fixed #23329 -- Allowed inherited and m2m fields to be referenced in the admin.
Thanks to Trac alias Markush2010 and ross for the detailed reports.

Backport of 3cbb759 from master
2014-08-27 21:50:29 -04:00
Simon Charette
f7c494f250 [1.6.x] Prevented data leakage in contrib.admin via query string manipulation.
This is a security fix. Disclosure following shortly.
2014-08-20 11:43:43 -04:00
Tim Graham
dd0c3f4ee1 [1.6.x] Fixed #23157 -- Removed O(n) algorithm when uploading duplicate file names.
This is a security fix. Disclosure following shortly.
2014-08-20 11:43:43 -04:00
Florian Apolloner
da051da8df [1.6.x] Prevented reverse() from generating URLs pointing to other hosts.
This is a security fix. Disclosure following shortly.
2014-08-20 11:43:43 -04:00
Claude Paroz
9f9fdc4b0a [1.6.x] Fixed #22996 -- Prevented crash with unencoded query string
Thanks Jorge Carleitao for the report and Aymeric Augustin, Tim Graham
for the reviews.
Backport of fa02120d36 from master.
2014-08-19 22:55:35 +02:00
Tim Graham
f07e9f8796 [1.6.x] Added a missing skipUnlessDBFeature for the previous commit.
2014-07-29 09:37:49 -04:00
Shai Berger
838b7f8220 [1.6.x] Fixed #20292: Pass datetime objects (not formatted dates) as params to Oracle
This seems worthwhile in its own right, but also works around an Oracle
bug (in versions 10 -- 11.1) where the use of Unicode would reset the
date/time formats, causing ORA-01843 errors.

Thanks Trac users CarstenF for the report, jtiai for the initial patch,
and everyone who contributed to the discussion on the ticket.

Backport of 6983201 from master.
2014-07-29 07:00:26 -04:00
Aymeric Augustin
83098dccdf [1.6.x] Fixed #23089 -- Fixed transaction handling in two management commands.
Previously, when createcachetable and flush operated on non-default
databases, they weren't atomic.

Also avoided transactional DDL and transactional truncates on databases
that don't support them (refs #22308).

Backport of 753a22a635, 0757e0f30d, and 6877a9d415 from master
2014-07-24 19:27:15 -04:00
Tim Graham
04d827a710 [1.6.x] Added Chrome/IE support for a selenium test.
Backport of 5954aa6db0 from master plus additional changes...
2014-07-16 11:01:53 -04:00
Anssi Kääriäinen
9be56ec62c [1.6.x] PEP8 cleanup
Backport of f8df55050c from master
2014-07-16 12:53:52 +03:00
Gavin Wahl
227a0f27a6 [1.6.x] Fixed #22998 -- Updated the fast_delete logic for GFKs
Backport of 6e2b82fdf6 from master
2014-07-16 12:53:48 +03:00
Tim Graham
685582940b [1.6.x] Fixed #13794 -- Fixed to_field usage in BaseInlineFormSet.
Thanks sebastien at clarisys.fr for the report and gautier
for the patch.

Backport of 5e2c4a4bd1 from master
2014-07-14 12:39:19 -03:00
Claude Paroz
c38e47bec0 [1.6.x] Created import-time test temp dirs in known location
Refs #17215. In the same spirit as 5de31cb8cb.
Backport of 809362518d from master.
2014-06-23 14:59:39 +02:00
Vlastimil Zíma
ef3ae3d1c9 [1.6.x] Fixed #22514 -- Prevented indexes on virtual fields [postgres].
Backport of 78c32f1caa from master
2014-06-20 19:01:49 -04:00
Erik Romijn
50a289d05f [1.6.x] Fixed #22579 -- Corrected validation for email to reject trailing slash
Backport of 424fe76349a2e34eafef13c2450a7a1f4d3115a6 from master.
2014-05-16 15:40:52 +02:00
Erik Romijn
6011075245 [1.6.x] Added additional checks in is_safe_url to account for flexible parsing.
This is a security fix. Disclosure following shortly.
2014-05-14 10:15:06 +02:00
Aymeric Augustin
1abcf3a808 [1.6.x] Dropped fix_IE_for_vary/attach.
This is a security fix. Disclosure following shortly.
2014-05-14 10:15:06 +02:00
Aymeric Augustin
b6d3212190 [1.6.x] Fixed #22508 -- Avoided overwriting select_related.
Previously, known related objects overwrote related objects loaded
through select_related. This could cancel the effect of select_related
when it was used over more than one level.

Thanks boxm for the bug report and timo for bisecting the regression.

Conflicts:
	tests/select_related_regress/tests.py

Backport of f574220f from master
2014-05-10 17:05:09 +02:00
Anssi Kääriäinen
0e37049636 [1.6.x] Fixed #22429 -- Incorrect SQL when using ~Q and F
Backpatch of 5e1f4656b98816c96a1cc051224c1b699db480e0 from master.

Conflicts:
	django/db/models/sql/query.py
	tests/queries/models.py
	tests/queries/tests.py
2014-05-05 13:27:54 +03:00
Claude Paroz
034866204b [1.6.x] Fixed #22565 -- Prevented pgettext_lazy crash with bytestring input
Thanks ygbo for the report.
Backport of 142c27218 from master.
2014-05-02 19:38:46 +02:00
Tim Graham
6915220ff9 [1.6.x] Fixed #22486 -- Restored the ability to reverse views created using functools.partial.
Regression in 8b93b31487d6d3b0fcbbd0498991ea0db9088054.

Thanks rcoup for the report.

Backport of 3c06b2f2a3 from master
2014-04-23 08:56:13 -04:00
Erik Romijn
5f0829a27e [1.6.x] Fixed queries that may return unexpected results on MySQL due to typecasting.
This is a security fix. Disclosure will follow shortly.

Backport of 75c0d4ea3ae48970f788c482ee0bd6b29a7f1307 from master
2014-04-21 18:30:27 -04:00
Aymeric Augustin
d63e20942f [1.6.x] Prevented leaking the CSRF token through caching.
This is a security fix. Disclosure will follow shortly.

Backport of c083e3815aec23b99833da710eea574e6f2e8566 from master
2014-04-21 18:30:27 -04:00
Tim Graham
4352a50871 [1.6.x] Fixed a remote code execution vulnerability in URL reversing.
Thanks Benjamin Bach for the report and initial patch.

This is a security fix; disclosure to follow shortly.

Backport of 8b93b31487d6d3b0fcbbd0498991ea0db9088054 from master
2014-04-21 18:30:27 -04:00
valtron
1252b77824 [1.6.x] Fixed #21760 -- prefetch_related used an inefficient query for reverse FK.
Regression introduced by commit 9777442. Refs #21410.

Conflicts:
	tests/prefetch_related/tests.py

Backport of d3b71b976d from master
2014-04-13 01:06:03 +07:00
Aymeric Augustin
1d3d2b9a24 [1.6.x] Fixed #21202 -- Maintained atomicity when the server disconnects.
Thanks intgr for the report.

This commit doesn't include a test because I don't know how to emulate a
database disconnection in a cross-database compatible way.

Also simplified a 'backends' test that was constrained by this problem.

Backport of 81761508 from master
2014-04-10 23:22:13 +02:00
Aymeric Augustin
4ea02bdb0d [1.6.x] Fixed #21239 -- Maintained atomicity when closing the connection.
Refs #15802 -- Reverted #7c657b24 as BaseDatabaseWrapper.close() now
has a proper "finally" clause that may need to preserve self.connection.

Backport of 25860096 from master.
2014-04-10 23:22:13 +02:00
Aymeric Augustin
9afedbef42 [1.6.x] Fixed #22291 -- Avoided shadowing deadlock exceptions on MySQL.
Thanks err for the report.

Backport of 58161e4e from master.
2014-04-10 23:05:09 +02:00
Aymeric Augustin
e68c084ed1 Fixed a broken test introduced in 6fa7d7c5. Refs #21553.
Thanks Shai.
2014-04-10 07:51:04 +02:00
Shai Berger
690a5984a3 [1.6.x] Fixed #22343 -- Disallowed select_for_update in autocommit mode
The ticket was originally about two failing tests, which are
fixed by putting their queries in transactions.

Thanks Tim Graham for the report, Aymeric Augustin for the fix,
and Simon Charette, Tim Graham & Loïc Bistuer for review.

Backport of b990df1d63 from master
2014-04-10 02:15:14 +03:00
Aymeric Augustin
6fa7d7c594 [1.6.x] Fixed #21553 -- Ensured unusable database connections get closed.
Backport of 5f2f47f from master
2014-04-09 22:54:39 +02:00
Patrick Michaud
73474df954 Fixed #22256 -- Replaced bad fallback for missing PATH
Thanks Baptiste Mispelon for the review.
Backport of acee46fc9 from master.
2014-04-01 20:45:12 +02:00
Loic Bistuer
07e2a56814 [1.6.x] Fixed #22360 -- Fixed two non-deterministic tests in Python 3.4.
The order of admin's changelist filters in the querystring relied on
dict ordering.

Backport of 4d996b8e69 from master
2014-03-31 08:24:12 -04:00
Loic Bistuer
a5297c1ef4 [1.6.x] Fixed #21795 -- Made add_preserved_filters account for url prefixes.
Thanks to trac username honyczek for the report. Refs #6903.

Backport of 4339e9a92d from master
2014-03-31 07:29:08 -04:00
Tim Graham
059bc7eb60 [1.6.x] Fixed #22338 -- Fixed a test dependent on dictionary key iteration order.
Backport of 69a4f383f6 from master
2014-03-30 14:27:11 -04:00
Claude Paroz
c9b2feffee [1.6.x] Tweaked strip_tags tests to pass on Python 3.3
Backport of 6a0291bda from master.
2014-03-22 15:05:28 +01:00
Claude Paroz
f05f5c231a [1.6.x] Removed a strip_tags test for older Python versions
Django's custom HTMLParser for older Python versions cannot
parse convoluted syntax.
2014-03-22 14:21:35 +01:00
Claude Paroz
d1503afd66 [1.6.x] Improved strip_tags and clarified documentation
The fact that strip_tags cannot guarantee to really strip all
non-safe HTML content was not clear enough. Also see:
https://www.djangoproject.com/weblog/2014/mar/22/strip-tags-advisory/
Backport of 6ca6c36f8 from master.
2014-03-22 11:07:27 +01:00
Claude Paroz
1a2939bc26 [1.6.x] Fixed #22245 -- Avoided widget overwrite in forms.IntegerField subclasses
Thanks Jeroen Pulles for the report and Simon Charette for the review.
Backport of 5a976b4bec7 from master.
2014-03-13 16:59:23 +01:00
Alexey Voronov
5cda1d2702 [1.6.x] Fixed #21643 -- repeated execution of qs with F() + timedelta
Thanks Tim Graham for review and Tai Lee for the additional test to prove
this was a regression in 1.6.

Backport of 7f2485b4d1 and 8137215973 from master
2014-02-28 20:49:13 -05:00
Baptiste Mispelon
12da6902e9 [1.6.x] Fixed #22107 -- Fixed django.core.files.File object iteration.
Due to a mixup between text and bytes, iteration over
a File instance was broken under Python 3.

Thanks to trac user pdewacht for the report and patch.

Backport of 3841feee86cae65165f120db7a5d80ffc76dd520 from master.
2014-02-20 23:59:51 +01:00
Roger Hu
9a446211bd [1.6.x] Fixed #21566 -- Fixed AttributeError when using bulk_create with ForeignObject.
Backport of bbc73e6a12 from master.
2014-02-14 20:57:32 -05:00
Tim Graham
32a880ae95 [1.6.x] Added a missing import in staticfiles tests.
2014-02-13 08:03:43 -05:00
Loic Bistuer
d6db48e5f6 [1.6.x] Reworked the detection of local storages for the collectstatic command.
Before 4befb30 the detection was broken because we used isinstance
against a LazyObject rather than against a Storage class. That commit
fixed it by looking directly at the object wrapped by LazyObject.
This could however be a problem to anyone who subclasses the
collectstatic management Command and directly supplies a Storage class.

Refs #21581.

Backport of 7e27885c6e7588471fd94a4def16b7081577bdfc from master.
2014-02-12 11:05:07 -05:00
Baptiste Mispelon
8864d24789 [1.6.x] Revert "Fixed #20296 -- Allowed SafeData and EscapeData to be lazy"
This reverts commit 2ee447fb5f8974b432d3dd421af9a242215aea44.

That commit introduced a regression (#21882) and didn't really
do what it was supposed to: while it did delay the evaluation
of lazy objects passed to mark_safe(), they weren't actually
marked as such so they could end up being escaped twice.

Refs #21882.

Backport of a878bf9b093bf15d751b070d132fec52a7523a47 from master.
2014-02-05 21:32:17 +01:00