mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-03-25 16:50:45 +00:00
Code Issues 32 Releases Wiki Activity
31,736 Commits 29 Branches 438 Tags
Commit Graph

4554 Commits

Author SHA1 Message Date
Natalia
5211677454 [4.2.x] Added CVE-2024-45230 and CVE-2024-45231 to security archive. 
Backport of aa5293068782dfa2d2173c75c8477f58a9989942 from main.
 2024-09-03 11:25:06 -03:00
Natalia
bf4888d317 [4.2.x] Fixed CVE-2024-45231 -- Avoided server error on password reset when email sending fails. 
On successful submission of a password reset request, an email is sent
to the accounts known to the system. If sending this email fails (due to
email backend misconfiguration, service provider outage, network issues,
etc.), an attacker might exploit this by detecting which password reset
requests succeed and which ones generate a 500 error response.

Thanks to Thibaut Spriet for the report, and to Mariusz Felisiak, Adam
Johnson, and Sarah Boyce for the reviews.
 2024-09-03 09:42:25 -03:00
Sarah Boyce
d147a8ebbd [4.2.x] Fixed CVE-2024-45230 -- Mitigated potential DoS in urlize and urlizetrunc template filters. 
Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
 2024-09-03 09:42:15 -03:00
Natalia
705066d186 [4.2.x] Fixed grammatical error in stub release notes for upcoming security release. 
Backport of b941de340daed4ce88f04a8012b9dba00ccb1359 from main.
 2024-08-27 09:52:50 -03:00
Natalia
b07d4f2dea [4.2.x] Added stub release notes and release date for 4.2.16. 
Backport of 67efd42517af0faf24872df4295b39e98ce826af from main.
 2024-08-27 09:37:37 -03:00
Sarah Boyce
e0579ce277 [4.2.x] Added CVE-2024-41989, CVE-2024-41990, CVE-2024-41991, and CVE-2024-42005 to security archive. 
Backport of fdc638bf4a35b5497d0b3b4faedaf552da792f99 from main.
 2024-08-06 17:33:37 +02:00
Simon Charette
f4af67b9b4 [4.2.x] Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL injection attacks against JSON fields. 
Thanks Eyal (eyalgabay) for the report.
 2024-07-31 16:12:35 +02:00
Mariusz Felisiak
efea1ef7e2 [4.2.x] Fixed CVE-2024-41991 -- Prevented potential ReDoS in django.utils.html.urlize() and AdminURLFieldWidget. 
Thanks Seokchan Yoon for the report.

Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
 2024-07-31 16:12:23 +02:00
Sarah Boyce
d0a82e26a7 [4.2.x] Fixed CVE-2024-41990 -- Mitigated potential DoS in urlize and urlizetrunc template filters. 
Thanks to MProgrammer for the report.
 2024-07-31 16:12:11 +02:00
Sarah Boyce
fc76660f58 [4.2.x] Fixed CVE-2024-41989 -- Prevented excessive memory consumption in floatformat. 
Thanks Elias Myllymäki for the report.

Co-authored-by: Shai Berger <shai@platonix.com>
 2024-07-31 16:11:59 +02:00
Sarah Boyce
7b1a76f899 [4.2.x] Added stub release notes and release date for 4.2.15. 
Backport of 3f880890699d4412cf23b59dba425111f62afb3a from main.
 2024-07-31 11:29:30 +02:00
Lorenzo Peña
96a3497400 [4.2.x] Fixed #35627 -- Raised a LookupError rather than an unhandled ValueError in get_supported_language_variant(). 
LocaleMiddleware didn't handle the ValueError raised by
get_supported_language_variant() when language codes were
over 500 characters.

Regression in 9e9792228a6bb5d6402a5d645bc3be4cf364aefb.

Backport of 0e94f292cda632153f2b3d9a9037eb0141ae9c2e from main.
 2024-07-25 09:44:51 +02:00
Natalia
8e59e33400 [4.2.x] Added CVE-2024-38875, CVE-2024-39329, CVE-2024-39330, and CVE-2024-39614 to security archive. 
Backport of e095c7612d49dbe371e9c7edd76ba99b6bc4f9f6 from main.
 2024-07-09 12:00:22 -03:00
Sarah Boyce
17358fb35f [4.2.x] Fixed CVE-2024-39614 -- Mitigated potential DoS in get_supported_language_variant(). 
Language codes are now parsed with a maximum length limit of 500 chars.

Thanks to MProgrammer for the report.
 2024-07-09 10:40:50 -03:00
Natalia
2b00edc015 [4.2.x] Fixed CVE-2024-39330 -- Added extra file name validation in Storage's save method. 
Thanks to Josh Schneier for the report, and to Carlton Gibson and Sarah
Boyce for the reviews.
 2024-07-09 10:40:48 -03:00
Michael Manfre
156d3186c9 [4.2.x] Fixed CVE-2024-39329 -- Standarized timing of verify_password() when checking unusuable passwords. 
Refs #20760.

Thanks Michael Manfre for the fix and to Adam Johnson for the review.
 2024-07-09 10:40:46 -03:00
Adam Johnson
79f3687642 [4.2.x] Fixed CVE-2024-38875 -- Mitigated potential DoS in urlize and urlizetrunc template filters. 
Thank you to Elias Myllymäki for the report.

Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
 2024-07-09 10:40:37 -03:00
Natalia
446cdab134 [4.2.x] Added stub release notes for 4.2.14. 2024-07-03 14:18:28 -03:00
Sarah Boyce
b46b94e66c [4.2.x] Added release notes for 4.2.13. 
Backport of 90175e110e7cfcf07f4ccdaadc45d7ed6302ce00 from main.
 2024-05-07 17:35:16 +02:00
Sarah Boyce
3f9c8fc1f9 [4.2.x] Added release date for 4.2.12. 
Backport of 34a503162fe222033a1cd3249bccad014fcd1d20 from main.
 2024-05-06 14:44:17 +02:00
Sarah Boyce
256f719cb3 [4.2.x] Reverted "Fixed #34994, Fixed #35386 -- Applied checkbox-row CSS class unconditionally in Admin." 
This reverts commit 0fc832676cd585fa420d583937b5b2318bc2c629.
 2024-04-19 13:29:30 +02:00
Adam Johnson
0fc832676c [4.2.x] Fixed #34994, Fixed #35386 -- Applied checkbox-row CSS class unconditionally in Admin. 
Backport of bdd76c4c3817d8e3ed5b0450d5e18e4eae096f16 from main.
 2024-04-19 11:28:02 +02:00
Natalia
1d85b416aa [4.2.x] Refs #35361 -- Clarified release notes for 4.2.12. 
Backport of cd823778e66307b82469858cfd8d1aa75613b49a from main.
 2024-04-12 15:07:36 +02:00
Natalia
27c32cc991 [4.2.x] Fixed #35361 -- Added release notes for 4.2.12 for backport of b231bcd19e57267ce1fc21d42d46f0b65fdcfcf8. 
Backport of 42435fc55cbf7c04c1389ee46cc50e2565b40e37 from main.
 2024-04-10 18:29:33 +02:00
Mariusz Felisiak
a76c52b19a [4.2.x] Added CVE-2024-27351 to security archive. 
Backport of da39ae4b5f056a332b5c48402a2ae11767e7d577 from main
 2024-03-04 10:12:58 +01:00
Shai Berger
3c9a2771cc [4.2.x] Fixed CVE-2024-27351 -- Prevented potential ReDoS in Truncator.words(). 
Thanks Seokchan Yoon for the report.

Co-Authored-By: Mariusz Felisiak <felisiak.mariusz@gmail.com>
 2024-03-04 08:36:56 +01:00
Mariusz Felisiak
7973951139 [4.2.x] Added release date for 4.2.11 and 3.2.25. 
Backport of 977d25416954a72ad100b01762078bf1ceb89a63 from main
 2024-02-26 08:29:04 +01:00
Mariusz Felisiak
cb173bb088 [4.2.x] Fixed #35172 -- Fixed intcomma for string floats. 
Thanks Warwick Brown for the report.

Regression in 55519d6cf8998fe4c8f5c8abffc2b10a7c3d14e9.

Backport of 2f14c2cedc9c92373471c1f98a80c81ba299584a from main.
 2024-02-08 11:00:36 +01:00
Natalia
227ef29cff [4.2.x] Added CVE-2024-24680 to security archive. 
Backport of c650c1412d1933e339cc93f9b6745c3eedb1c25b from main
 2024-02-06 12:16:50 -03:00
Adam Johnson
572ea07e84 [4.2.x] Fixed CVE-2024-24680 -- Mitigated potential DoS in intcomma template filter. 
Thanks Seokchan Yoon for the report.

Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Co-authored-by: Shai Berger <shai@platonix.com>
 2024-02-06 09:56:20 -03:00
Natalia
74582b8d11 [4.2.x] Added stub release notes for 4.2.10 and 3.2.24. 
Backport of 06d0a1bd56a9899c351ca047a05813e8dd6a4e17 from main
 2024-01-29 12:09:52 -03:00
Mariusz Felisiak
0a4c5e56b4 [4.2.x] Added release date for 4.2.9. 
Backport of f82a2c3b3d553f36661cfdce5261bffb669d68a9 from main.
 2024-01-02 09:59:12 +01:00
Tom Carrick
ca43990813 [4.2.x] Fixed #35012 -- Restored wrapping admin fieldsets with multiple fields per line. 
Thanks James Gillard for the report.

Regression in 729266c6f29c7a0677b24926a86a767ef3078b26.

Backport of 4aae864463b149393a36e0b18345cf6ed392634d from main
 2023-12-13 12:34:53 +01:00
Mariusz Felisiak
d9ba0ea6cb [4.2.x] Added stub release notes for 4.2.9. 
Backport of 464af0975cac6abc46b3e5c3305194c958fc465b from main
 2023-12-05 06:12:20 +01:00
Mariusz Felisiak
52e28e5fbf [4.2.x] Added release date for 4.2.8. 
Backport of 8fcb9f1f106cf60d953d88aeaa412cc625c60029 from main
 2023-12-04 09:25:56 +01:00
Mariusz Felisiak
6e2d9f0aa8 [4.2.x] Fixed #35006 -- Fixed migrations crash when altering Meta.db_table_comment on SQLite. 
Thanks Юрий for the report.

Regression in 78f163a4fb3937aca2e71786fbdd51a0ef39629e.
Backport of 37fc832a54ad37e75a898a2c8f9ab0820617c4af from main
 2023-11-30 10:11:28 +01:00
Tom Carrick
bd0ea8c2ba [4.2.x] Fixed #34982 -- Fixed admin's read-only password widget and help texts alignment for tablet screen size. 
Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>

Backport of 729266c6f29c7a0677b24926a86a767ef3078b26 from main
 2023-11-27 15:20:59 -03:00
Mariusz Felisiak
cdb14cc18b [4.2.x] Fixed #34978, Refs #31331 -- Added backward incompatibility note about raw aggregations on MySQL. 
Thanks Matthew Somerville for the report.

Backport of a652f0759651dd7103ed04336ef85dc410f680c1 from main
 2023-11-27 12:44:18 -03:00
Nathaniel Conroy
450d518d2f [4.2.x] Fixed #34992 -- Fixed DatabaseFeatures.allows_group_by_selected_pks on MariaDB with ONLY_FULL_GROUP_BY sql mode. 
Regression in 041551d716b69ee7c81199eee86a2d10a72e15ab.

Backport of 0257426fe1fe9d146fd5813f09d909917ff59360 from main.
 2023-11-27 10:35:56 +01:00
Tom Carrick
bac9e94ace [4.2.x] Fixed #34994 -- Fixed checkbox layout in admin's change page for narrow screen widths. 
Regression in d687febce5868545f99974d2499a91f81a32fef5.

Backport of a89c715c3bcf7ab1a90747cf8658ebce6304b6e4 from main
 2023-11-23 16:57:21 -03:00
Tom Carrick
3d943c4f55 [4.2.x] Fixed #34991 -- Fixed pagination links and input layout in admin's change list page when using list_editable. 
Regression in b4817d20b9e55df30be0b1b2ca8c8bb6d61aab07.

Thanks Tom Carrick for the report and fix.

Backport of 4eb9c3d90aff55182151b6be0122f7d0b28832fd from main
 2023-11-23 10:22:34 -03:00
Simon Charette
cf95de9d24 [4.2.x] Fixed #34987 -- Fixed queryset crash when mixing aggregate and window annotations. 
Regression in f387d024fc75569d2a4a338bfda76cc2f328f627.

Just like `OrderByList` the `ExpressionList` expression used to wrap
`Window.partition_by` must implement `get_group_by_cols` to ensure the
necessary grouping when mixing window expressions with aggregate
annotations is performed against the partition members and not the
partition expression itself.

This is necessary because while `partition_by` is implemented as
a source expression of `Window` it's actually a fragment of the WINDOW
expression at the SQL level and thus it should result in a group by its
members and not the sum of them.

Thanks ElRoberto538 for the report.
Backport of e76cc93b0168fa3abbafb9af1ab4535814b751f0 from main
 2023-11-23 06:10:24 +01:00
Mariusz Felisiak
9afeb6b9b6 [4.2.x] Refs #34118 -- Doc'd Python 3.12 compatibility in Django 4.2.x. 
Backport of ecfea054ee2b8ddfa027459ff8b6aecba05facf7 from main.
 2023-11-19 16:38:33 +01:00
Simon Charette
acf4cee951 [4.2.x] Fixed #34975 -- Fixed crash of conditional aggregate() over aggregations. 
Adjustments made to solve_lookup_type to defer the resolving of
references for summarized aggregates failed to account for similar
requirements for lookup values which can also reference annotations
through Aggregate.filter.

Regression in b181cae2e3697b2e53b5b67ac67e59f3b05a6f0d.

Refs #25307.

Thanks Sergey Nesterenko for the report.

Backport of 7530cf3900ab98104edcde69e8a2a415e82b345a from main
 2023-11-18 16:53:24 +01:00
Adam Johnson
90c3d71dfe [4.2.x] Fixed #34457 -- Restored output for makemigrations --check. 
Co-authored-by: David Sanders <shang.xiao.sanders@gmail.com>
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>

Backport of f7389c4b07ceeb036436e065898e411b247bca78 from main
 2023-11-09 11:05:54 -03:00
Mariusz Felisiak
ce44eaf6d0 [4.2.x] Added stub release notes for 4.2.8. 
Backport of 36173cf29d6ad0b0f0cd24326834dddfff2db7f3 from main
 2023-11-01 08:25:36 +01:00
Mariusz Felisiak
e4c9703ec6 [4.2.x] Added CVE-2023-46695 to security archive. 
Backport of 7caf2621833a45cdfe7e6e305e4885ecc8d79744 from main
 2023-11-01 08:17:50 +01:00
Mariusz Felisiak
048a9ebb6e [4.2.x] Fixed CVE-2023-46695 -- Fixed potential DoS in UsernameField on Windows. 
Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
 2023-11-01 06:19:20 +01:00
Tom Carrick
109f39a38b [4.2.x] Fixed #34932 -- Restored varchar_pattern_ops/text_pattern_ops index creation when deterministic collaction is set. 
Regression in f3f9d03edf17ccfa17263c7efa0b1350d1ac9278 (4.2) and
8ed25d65ea7546fafd808086fa07e7e5bb5428fc (5.0).

Backport of 34b411762b50883d768d7b67e0a158ec39da8b09 from main.
 2023-10-30 11:14:08 +01:00
Mariusz Felisiak
0cd8b867a0 [4.2.x] Added stub release notes and release date for 4.2.7, 4.1.13, and 3.2.23. 
Backport of fdd1323b9c83e56184e0c992af8faf8d54327775 from main
 2023-10-25 05:43:24 +02:00