1
0
mirror of https://github.com/django/django.git synced 2025-10-25 14:46:09 +00:00
Commit Graph

536 Commits

Author SHA1 Message Date
Natalia
be9c27c4d1 [4.2.x] Fixed CVE-2023-43665 -- Mitigated potential DoS in django.utils.text.Truncator when truncating HTML text.
Thanks Wenchao Li of Alibaba Group for the report.
2023-10-04 09:39:49 -03:00
Mariusz Felisiak
9c51b4dcfa [4.2.x] Fixed CVE-2023-41164 -- Fixed potential DoS in django.utils.encoding.uri_to_iri().
Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.

Co-authored-by: nessita <124304+nessita@users.noreply.github.com>
2023-09-04 12:05:35 +02:00
Mariusz Felisiak
bf5249fc8e [4.2.x] Refs #34118 -- Fixed FunctionalTests.test_cached_property_reuse_different_names() on Python 3.12+.
Python 3.12+ no longer wraps exceptions in __set_name__, see
55c99d97e1
Backport of fc9c90d9c4 from main
2023-05-23 12:58:32 +02:00
Mariusz Felisiak
f75a6977e4 [4.2.x] Refs #34483 -- Fixed timesince()/timeuntil() with timezone-aware dates on different days and interval less than 1 day.
Follow up to 813015d67e.
Regression in 8d67e16493.
Backport of 198a19b692 from main
2023-04-14 17:42:33 +02:00
Mariusz Felisiak
cd464fbc3a [4.2.x] Refs #34483 -- Fixed utils_tests.test_timesince crash on Python 3.8. 2023-04-14 06:10:31 +02:00
nessita
a3c14ea61b [4.2.x] Fixed #34483 -- Fixed timesince()/timeuntil() with timezone-aware dates and interval less than 1 day.
Regression in 8d67e16493.

Thanks Lorenzo Peña for the report.

Backport of 813015d67e from main
2023-04-13 13:20:16 -03:00
David Smith
80aae83439 [4.2.x] Refs #33476 -- Applied Black's 2023 stable style.
Black 23.1.0 is released which, as the first release of the year,
introduces the 2023 stable style. This incorporates most of last year's
preview style.

https://github.com/psf/black/releases/tag/23.1.0

Backport of 097e3a70c1 from main
2023-02-01 11:37:29 +01:00
sag᠎e
8cf3831822 Fixed #34243 -- Fixed timesince() crash with timezone-aware dates and interval longer than 1 month.
Regression in 8d67e16493.
2023-01-05 16:38:19 +01:00
Nick Pope
65477fd7da Added support for datetime.date to DateFormat.r(). 2023-01-05 12:51:55 +01:00
GianpaoloBranca
8d67e16493 Fixed #33879 -- Improved timesince handling of long intervals. 2023-01-04 11:14:06 +01:00
Alex Vandiver
cbce427c17 Fixed #34194 -- Added django.utils.http.content_disposition_header(). 2022-12-05 13:08:00 +01:00
Nick Pope
9bd174b9a7 Updated documentation and comments for RFC updates.
- Updated references to RFC 1123 to RFC 5322
  - Only partial as RFC 5322 sort of sub-references RFC 1123.
- Updated references to RFC 2388 to RFC 7578
  - Except RFC 2388 Section 5.3 which has no equivalent.
- Updated references to RFC 2396 to RFC 3986
- Updated references to RFC 2616 to RFC 9110
- Updated references to RFC 3066 to RFC 5646
- Updated references to RFC 7230 to RFC 9112
- Updated references to RFC 7231 to RFC 9110
- Updated references to RFC 7232 to RFC 9110
- Updated references to RFC 7234 to RFC 9111
- Tidied up style of text when referring to RFC documents
2022-11-10 13:52:17 +01:00
Jimmy Angelakos
07ebef566f Refs #34000 -- Optimized handling None values in numberformat.format(). 2022-09-12 13:02:50 +02:00
Jimmy Angelakos
e911e0996f Fixed #34000 -- Fixed numberformat.format() crash on empty strings. 2022-09-12 12:54:12 +02:00
Carlton Gibson
e34dfad0a3 Refs #30213 -- Removed post-startup check for Watchman availability.
This is checked at startup in get_reloader(). The runtime check ties
the implementation to Watchman excessively.
2022-08-11 11:02:03 +02:00
Nick Pope
ddf0002bb7 Refs #32948 -- Renamed Node._new_instance() to Node.create().
Node._new_instance() was added in
6dd2b5468f to work around Q.__init__()
having an incompatible signature with Node.__init__().

It was intended as a hook that could be overridden if subclasses needed
to change the behaviour of instantiation of their specialised form of
Node. In practice this doesn't ever seem to have been used for this
purpose and there are very few calls to Node._new_instance() with other
code, e.g. Node.__deepcopy__() calling Node and overriding __class__ as
required.

Rename this to Node.create() to make it a more "official" piece of
private API that we can use to simplify a lot of other areas internally.

The docstring and nearby comment have been reworded to read more
clearly.
2022-07-27 10:06:24 +02:00
Nick Pope
cc52e02c96 Refs #32948 -- Added more tests for django.utils.tree.Node.
The tests for creating new instances or copying instances of Node and
its subclasses didn't fully capture the behaviour of the implementation,
particularly around whether the `children` list or is contents were the
same as the source.
2022-07-27 07:58:29 +02:00
Nick Pope
769d7cce4a Used AND, OR, XOR constants instead of hard-coded values. 2022-07-27 07:55:09 +02:00
Michael Manfre
03eec9ff6c Updated vendored _urlsplit() to strip newline and tabs.
Refs Python CVE-2022-0391. Django is not affected, but others who
incorrectly use internal function url_has_allowed_host_and_scheme()
with unsanitized input could be at risk.
2022-07-01 08:48:38 +02:00
Hrushikesh Vaidya
72e41a0df6 Fixed #33779 -- Allowed customizing encoder class in django.utils.html.json_script(). 2022-06-28 10:54:38 +02:00
Mehrdad
d4d5427571 Refs #33697 -- Used django.utils.http.parse_header_parameters() for parsing boundary streams.
This also removes unused parse_header() and _parse_header_params()
helpers in django.http.multipartparser.
2022-06-28 09:42:47 +02:00
Carlton Gibson
34e2148fc7 Refs #33173 -- Removed use of deprecated cgi module.
https://peps.python.org/pep-0594/#cgi
2022-05-11 14:06:31 +02:00
Mariusz Felisiak
439cd73c16 Refs #33173 -- Fixed test_dateparse tests on Python 3.11+.
date/datetime/time.fromisoformat() support any valid ISO 8601 format
in Python 3.11+, see https://github.com/python/cpython/issues/80010.
2022-05-09 10:38:11 +02:00
Carlton Gibson
bb61f0186d Refs #32365 -- Removed internal uses of utils.timezone.utc alias.
Remaining test case ensures that uses of the alias are mapped
canonically by the migration writer.
2022-03-24 06:29:50 +01:00
Florian Apolloner
4f92cf87b0 Prevented initialization of unused database connections. 2022-03-17 07:40:57 +01:00
Adam Johnson
a45f28f0ec Rewrote strip_tags test file to lorem ipsum. 2022-03-08 14:50:06 +01:00
Mariusz Felisiak
d4fd31684a Refs #33173 -- Used locale.getlocale() instead of getdefaultlocale().
locale.getdefaultlocale() was deprecated in Python 3.11, see
https://bugs.python.org/issue46659.
2022-03-08 13:17:05 +01:00
Theo Alexiou
659d2421c7 Fixed #20296 -- Prevented mark_safe() from evaluating lazy objects. 2022-02-21 10:11:26 +01:00
Matthias Kestenholz
b2ed0d78f2 Refs #28358 -- Fixed infinite recursion in LazyObject.__getattribute__().
Regression in 97d7990abd.

Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
Co-authored-by: Theo Alexiou <theofilosalexiou@gmail.com>
2022-02-17 14:52:17 +01:00
Theo Alexiou
97d7990abd Fixed #28358 -- Prevented LazyObject from mimicking nonexistent attributes.
Thanks Sergey Fedoseev for the initial patch.
2022-02-16 10:51:15 +01:00
Theo Alexiou
f9ec777a82 Fixed #26287 -- Added support for addition operations to SimpleLazyObject. 2022-02-10 11:24:51 +01:00
Mariusz Felisiak
7119f40c98 Refs #33476 -- Refactored code to strictly match 88 characters line length. 2022-02-07 20:37:05 +01:00
django-bot
9c19aff7c7 Refs #33476 -- Reformatted code with Black. 2022-02-07 20:37:05 +01:00
Keryn Knight
55022f75c1 Fixed #33465 -- Added empty __slots__ to SafeString and SafeData.
Despite inheriting from the str type, every SafeString instance gains
an empty __dict__ due to the normal, expected behaviour of type
subclassing in Python.

Adding __slots__ to SafeData is necessary, because otherwise inheriting
from that (as SafeString does) will give it a __dict__ and negate the
benefit added by modifying SafeString.
2022-01-29 13:50:34 +01:00
Ad Timmering
bdf3e156b4 Fixed #28628 -- Changed \d to [0-9] in regexes where appropriate. 2022-01-07 12:25:06 +01:00
Allen Jonathan David
205f67cd5b Refs #33216 -- Made @deconstructible do not change path for subclasses. 2022-01-04 13:15:29 +01:00
Allen Jonathan David
194ca77092 Refs #21275 -- Added more tests for @deconstructible decorator. 2022-01-04 13:08:36 +01:00
mendespedro
4fd3044ca0 Fixed #33368 -- Fixed parse_duration() crash on invalid separators for decimal fractions. 2021-12-20 06:46:34 +01:00
mgaligniana
068b2c072b Fixed #30127 -- Deprecated name argument of cached_property(). 2021-12-16 18:52:27 +01:00
Florian Apolloner
e1d673c373 Fixed unescape_string_literal() crash on empty strings. 2021-12-14 20:19:44 +01:00
Florian Apolloner
5d9c512e5b Added test for ValueErrors in unescape_string_literal(). 2021-12-14 20:18:43 +01:00
Mariusz Felisiak
5def7f3f74 Updated various links to HTTPS and new locations.
Co-Authored-By: Nick Pope <nick@nickpope.me.uk>
2021-12-02 11:27:29 +01:00
Baptiste Mispelon
e6e664a711 Fixed #33302 -- Made element_id optional argument for json_script template filter.
Added versionchanged note in documentation
2021-11-22 11:52:19 +01:00
Chenyang Yan
36d54b7a14 Fixed #33027 -- Made autoreloader pass -X options. 2021-09-29 11:37:50 +02:00
Mariusz Felisiak
f1bcaa9be8 Refs #32074 -- Fixed find_module()/find_loader() warnings on Python 3.10+. 2021-09-16 20:20:54 +02:00
Carlton Gibson
306607d5b9 Fixed #32365 -- Made zoneinfo the default timezone implementation.
Thanks to Adam Johnson, Aymeric Augustin, David Smith, Mariusz Felisiak, Nick
Pope, and Paul Ganssle for reviews.
2021-09-16 12:11:05 +02:00
Claude Paroz
676bd084f2 Fixed #32873 -- Deprecated settings.USE_L10N.
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2021-09-14 12:05:43 +02:00
Carlton Gibson
cbba49971b Fixed #32992 -- Restored offset extraction for fixed offset timezones.
Regression in 10d1261984.
2021-08-30 10:12:46 +02:00
Jonny Park
4e8121e8e4 Fixed #32994 -- Fixed autoreloader tests when using 'python -m'. 2021-08-19 09:20:31 +02:00
David Smith
fbb1984046 Refs #32956 -- Updated words ending in -wards.
AP styleguide: Virtually none of the words ending with -wards end with
an s.
2021-07-30 20:34:50 +02:00