On successful submission of a password reset request, an email is sent
to the accounts known to the system. If sending this email fails (due to
email backend misconfiguration, service provider outage, network issues,
etc.), an attacker might exploit this by detecting which password reset
requests succeed and which ones generate a 500 error response.
Thanks to Thibaut Spriet for the report, and to Mariusz Felisiak, Adam
Johnson, and Sarah Boyce for the reviews.
The system check "admin.E410" was already checking for this, but the
requirement was not listed in docs/ref/contrib/admin/index.txt.
Backport of f8ef4579ea710f93ec7edc93c6f3f216bd55d6be from main.
LocaleMiddleware didn't handle the ValueError raised by
get_supported_language_variant() when language codes were
over 500 characters.
Regression in 9e9792228a6bb5d6402a5d645bc3be4cf364aefb.
Backport of 0e94f292cda632153f2b3d9a9037eb0141ae9c2e from main.
Partially reverts 0b33a3abc2ca7d68a24f6d0772bc2b9fa603744e.
Storage.exists(name) was documented to "return False if
the name is available for a new file." but return True if
the file exists. This is ambiguous in the overwrite file
case. It will now always return whether the file exists.
Thank you to Natalia Bidart and Josh Schneier for the
review.
Backport of 8d6a20b656ff3fa18e36954668a44a831c2f6ddd from main.
Follow-up to 65ad4ade74dc9208b9d686a451cd6045df0c9c3a which added
counterintuitive to the wordlist. Removes unneeded (antiquated)
hyphenated usages.
See e.g. https://www.merriam-webster.com/dictionary/counterintuitive
Backport of 704192e478885762411252979021771ba23b8adb from main.
Previously, `-1` was converted to `"-1th"`. This has been updated to
return negative numbers "as is", so that for example `-1` is
converted to `"-1"`. This is now explicit in the docs.
Co-authored-by: Martin Jonson <artin.onson@gmail.com>
Backport of d3a7ed5bcc45000a6c3dd55d85a4caaa83299f83 from main.
Co-authored-by: Adam Johnson <me@adamj.eu>
Co-authored-by: Mehmet İnce <mehmet@mehmetince.net>
Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
This work improves the accessibility of the add and change pages in the
admin site by adding <details> and <summary> elements to the collapsible
fieldsets. This has the nice side effect of no longer requiring custom
JavaScript helpers to implement the fieldsets' show/hide capabilities.
Thanks to James Scholes for the accessibility advice, and to Sarah Boyce
and Tom Carrick for reviews.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
This also introduces Expression.constraint_validation_compatible that
allows specifying that expression should be ignored during a constraint
validation.
Known issues have been fixed in:
- 0d8fbe2ade29f1b7bd9e6ba7a0281f5478603a43,
- c991602ce5798385261381025c06698d7fd30dc5, and
- 26aae5614487f58ddb1df5726224393887373ecd.
