1
0
mirror of https://github.com/django/django.git synced 2025-01-18 14:24:39 +00:00

560 Commits

Author SHA1 Message Date
Shai Berger
3394fc6132 [5.0.x] Fixed CVE-2024-27351 -- Prevented potential ReDoS in Truncator.words().
Thanks Seokchan Yoon for the report.

Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2024-03-04 08:22:40 +01:00
Mariusz Felisiak
0379e7532f [5.0.x] Applied Black's 2024 stable style.
https://github.com/psf/black/releases/tag/24.1.0

Backport of 305757aec19c9d5111e4d76095ae0acd66163e4b from main
2024-01-26 12:55:56 +01:00
Nick Pope
bbe90f3c00 [5.0.x] Refs #34899 -- Extracted Field.flatchoices to flatten_choices helper function.
Co-authored-by: Natalia Bidart <124304+nessita@users.noreply.github.com>

Backport of 74afcee234f8be989623ccc7c28b9fb97fb548f0 from main
2023-10-23 14:53:13 -03:00
Nick Pope
711c054722 [5.0.x] Refs #31262 -- Added __eq__() and __getitem__() to BaseChoiceIterator.
This makes it easier to work with lazy iterators used for callables,
etc. when extracting items or comparing to lists, e.g. during testing.

Also added `BaseChoiceIterator.__iter__()` to make it clear that
subclasses must implement this and added `__all__` to the module.

Co-authored-by: Adam Johnson <me@adamj.eu>
Co-authored-by: Natalia Bidart <124304+nessita@users.noreply.github.com>

Backport of 07fa79ef2bb3e8cace7bd87b292c6c85230eed05 from main
2023-10-23 14:51:27 -03:00
Natalia
8124c42601 [5.0.x] Fixed CVE-2023-43665 -- Mitigated potential DoS in django.utils.text.Truncator when truncating HTML text.
Thanks Wenchao Li of Alibaba Group for the report.
2023-10-04 09:38:26 -03:00
Mariusz Felisiak
3f41d6d629 Fixed CVE-2023-41164 -- Fixed potential DoS in django.utils.encoding.uri_to_iri().
Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.

Co-authored-by: nessita <124304+nessita@users.noreply.github.com>
2023-09-04 11:58:37 +02:00
Nick Pope
500e01073a
Fixed #31262 -- Added support for mappings on model fields and ChoiceField's choices. 2023-08-30 22:57:40 -03:00
sarahboyce
f6ed2c36dd Fixed #34787 -- Fixed autoreloader crash when run from installed script on Windows. 2023-08-28 12:57:14 +02:00
konsti
48a1929ca0
Removed unnecessary trailing commas in tests. 2023-08-22 12:42:57 +02:00
Mariusz Felisiak
4c85d94bc0
Fixed utils_tests.test_lazyobject.SimpleLazyObjectPickleTestCase.
SimpleLazyObjectPickleTestCase executes database queries so it must
inherit from django.test.TestCase.
2023-08-20 16:09:07 +02:00
Mariusz Felisiak
4afaeb14c2
Refs #30116 -- Simplified tests related with dictionary order.
Dicts preserve order since Python 3.6.
2023-07-12 11:06:59 +02:00
Nick Pope
e042024b28 Allowed custom formatting of lazy() objects.
This allows for formatting of lazy objects which have a custom formatter
defined by overriding the default implementation from `object`.
2023-06-12 06:09:20 +02:00
Nick Pope
fd97b0471b Allowed multiplication of lazy() objects with int return type. 2023-06-12 05:59:40 +02:00
Ran Benita
ae94077e7d Made proxy class in lazy() prepare eagerly.
Previously, the proxy class was prepared lazily:

  lazy_identity = lazy(identity, int)
  lazy_identity(10)  # prepared here
  lazy_identity(10)

This has a slight advantage that if the lazy doesn't end up getting
used, the preparation work is skipped, however that's not very likely.

Besides this laziness, it is also inconsistent in that the methods which
are wrapped directly (__str__ etc.) are prepared already when __proxy__
is defined, and there is a weird half-initialized state.

This change it so that everything is prepared already on the first line
of the example above.
2023-06-12 05:45:44 +02:00
Nick Pope
e0e0204477 Added more tests for django.utils.functional.lazy(). 2023-06-12 05:29:30 +02:00
Ran Benita
a57d5d9bbc Made bytes and str return types no longer mutually exclusive in lazy().
They are no longer special cased.
2023-06-08 09:15:40 +02:00
Ran Benita
f5817c24f4 Refs #34445 -- Fixed string-casting of non-string lazy objects when value may be bytes.
If the result type is bytes, then calling bytes() on it does nothing.

If the result type is not bytes, we should not cast to bytes, just
because the return value may be bytes.
2023-06-08 06:38:11 +02:00
devilsautumn
094b0bea2c Fixed #34609 -- Deprecated calling format_html() without arguments. 2023-06-06 14:14:57 +02:00
Mariusz Felisiak
fc9c90d9c4
Refs #34118 -- Fixed FunctionalTests.test_cached_property_reuse_different_names() on Python 3.12+.
Python 3.12+ no longer wraps exceptions in __set_name__, see
55c99d97e1
2023-05-23 12:56:33 +02:00
Mariusz Felisiak
198a19b692
Refs #34483 -- Fixed timesince()/timeuntil() with timezone-aware dates on different days and interval less than 1 day.
Follow up to 813015d67e2557fa859a07930a9becec4e5f64a0.
Regression in 8d67e16493c903adc9d049141028bc0fff43f8c8.
2023-04-14 17:41:03 +02:00
nessita
813015d67e
Fixed #34483 -- Fixed timesince()/timeuntil() with timezone-aware dates and interval less than 1 day.
Regression in 8d67e16493c903adc9d049141028bc0fff43f8c8.

Thanks Lorenzo Peña for the report.
2023-04-13 13:16:33 -03:00
Ran Benita
066aabcb77 Fixed #34445 -- Fixed string-casting of non-string lazy objects.
This removes __text_cast() as it's the same as __cast().
_delegate_bytes and __delegate_text are mutually exclusive so the
`if self._delegate_bytes` branch in __cast() is unreachable.

Co-Authored-By: David Sanders <shang.xiao.sanders@gmail.com>
2023-03-30 11:42:10 +02:00
Marcelo Galigniana
f9f0092346 Completed test coverage for django.utils.datastructures. 2023-02-15 07:45:00 +01:00
David Smith
097e3a70c1 Refs #33476 -- Applied Black's 2023 stable style.
Black 23.1.0 is released which, as the first release of the year,
introduces the 2023 stable style. This incorporates most of last year's
preview style.

https://github.com/psf/black/releases/tag/23.1.0
2023-02-01 11:04:38 +01:00
Nick Pope
1282b5e420 Fixed #32528 -- Replaced django.utils.topological_sort with graphlib.TopologicalSort().
graphlib.TopologicalSort() is available since Python 3.9.
2023-01-19 06:31:40 +01:00
Mariusz Felisiak
3bbe22dafc
Fixed #34233 -- Dropped support for Python 3.8 and 3.9. 2023-01-18 09:46:01 +01:00
Mariusz Felisiak
5c10041f46 Refs #30127 -- Removed name argument for django.utils.functional.cached_property().
Per deprecation timeline.
2023-01-17 11:49:15 +01:00
Mariusz Felisiak
2fad163257 Refs #32365 -- Removed is_dst argument for various methods and functions.
Per deprecation timeline.
2023-01-17 11:49:15 +01:00
Mariusz Felisiak
e6f82438d4 Refs #32365 -- Removed support for pytz timezones per deprecation timeline. 2023-01-17 11:49:15 +01:00
Mariusz Felisiak
4aa0689080 Refs #32738 -- Removed django.utils.datetime_safe module per deprecation timeline. 2023-01-17 11:49:15 +01:00
Mariusz Felisiak
ef46f3778a Refs #32712 -- Removed django.utils.baseconv module per deprecation timeline. 2023-01-17 11:49:15 +01:00
sag᠎e
8cf3831822
Fixed #34243 -- Fixed timesince() crash with timezone-aware dates and interval longer than 1 month.
Regression in 8d67e16493c903adc9d049141028bc0fff43f8c8.
2023-01-05 16:38:19 +01:00
Nick Pope
65477fd7da Added support for datetime.date to DateFormat.r(). 2023-01-05 12:51:55 +01:00
GianpaoloBranca
8d67e16493
Fixed #33879 -- Improved timesince handling of long intervals. 2023-01-04 11:14:06 +01:00
Alex Vandiver
cbce427c17 Fixed #34194 -- Added django.utils.http.content_disposition_header(). 2022-12-05 13:08:00 +01:00
Nick Pope
9bd174b9a7 Updated documentation and comments for RFC updates.
- Updated references to RFC 1123 to RFC 5322
  - Only partial as RFC 5322 sort of sub-references RFC 1123.
- Updated references to RFC 2388 to RFC 7578
  - Except RFC 2388 Section 5.3 which has no equivalent.
- Updated references to RFC 2396 to RFC 3986
- Updated references to RFC 2616 to RFC 9110
- Updated references to RFC 3066 to RFC 5646
- Updated references to RFC 7230 to RFC 9112
- Updated references to RFC 7231 to RFC 9110
- Updated references to RFC 7232 to RFC 9110
- Updated references to RFC 7234 to RFC 9111
- Tidied up style of text when referring to RFC documents
2022-11-10 13:52:17 +01:00
Jimmy Angelakos
07ebef566f Refs #34000 -- Optimized handling None values in numberformat.format(). 2022-09-12 13:02:50 +02:00
Jimmy Angelakos
e911e0996f Fixed #34000 -- Fixed numberformat.format() crash on empty strings. 2022-09-12 12:54:12 +02:00
Carlton Gibson
e34dfad0a3 Refs #30213 -- Removed post-startup check for Watchman availability.
This is checked at startup in get_reloader(). The runtime check ties
the implementation to Watchman excessively.
2022-08-11 11:02:03 +02:00
Nick Pope
ddf0002bb7 Refs #32948 -- Renamed Node._new_instance() to Node.create().
Node._new_instance() was added in
6dd2b5468fa275d53aa60fdcaff8c28bdc5e9c25 to work around Q.__init__()
having an incompatible signature with Node.__init__().

It was intended as a hook that could be overridden if subclasses needed
to change the behaviour of instantiation of their specialised form of
Node. In practice this doesn't ever seem to have been used for this
purpose and there are very few calls to Node._new_instance() with other
code, e.g. Node.__deepcopy__() calling Node and overriding __class__ as
required.

Rename this to Node.create() to make it a more "official" piece of
private API that we can use to simplify a lot of other areas internally.

The docstring and nearby comment have been reworded to read more
clearly.
2022-07-27 10:06:24 +02:00
Nick Pope
cc52e02c96 Refs #32948 -- Added more tests for django.utils.tree.Node.
The tests for creating new instances or copying instances of Node and
its subclasses didn't fully capture the behaviour of the implementation,
particularly around whether the `children` list or is contents were the
same as the source.
2022-07-27 07:58:29 +02:00
Nick Pope
769d7cce4a Used AND, OR, XOR constants instead of hard-coded values. 2022-07-27 07:55:09 +02:00
Michael Manfre
03eec9ff6c Updated vendored _urlsplit() to strip newline and tabs.
Refs Python CVE-2022-0391. Django is not affected, but others who
incorrectly use internal function url_has_allowed_host_and_scheme()
with unsanitized input could be at risk.
2022-07-01 08:48:38 +02:00
Hrushikesh Vaidya
72e41a0df6 Fixed #33779 -- Allowed customizing encoder class in django.utils.html.json_script(). 2022-06-28 10:54:38 +02:00
Mehrdad
d4d5427571 Refs #33697 -- Used django.utils.http.parse_header_parameters() for parsing boundary streams.
This also removes unused parse_header() and _parse_header_params()
helpers in django.http.multipartparser.
2022-06-28 09:42:47 +02:00
Carlton Gibson
34e2148fc7 Refs #33173 -- Removed use of deprecated cgi module.
https://peps.python.org/pep-0594/#cgi
2022-05-11 14:06:31 +02:00
Mariusz Felisiak
439cd73c16
Refs #33173 -- Fixed test_dateparse tests on Python 3.11+.
date/datetime/time.fromisoformat() support any valid ISO 8601 format
in Python 3.11+, see https://github.com/python/cpython/issues/80010.
2022-05-09 10:38:11 +02:00
Carlton Gibson
bb61f0186d Refs #32365 -- Removed internal uses of utils.timezone.utc alias.
Remaining test case ensures that uses of the alias are mapped
canonically by the migration writer.
2022-03-24 06:29:50 +01:00
Florian Apolloner
4f92cf87b0 Prevented initialization of unused database connections. 2022-03-17 07:40:57 +01:00
Adam Johnson
a45f28f0ec Rewrote strip_tags test file to lorem ipsum. 2022-03-08 14:50:06 +01:00