- Validate filename returned by FileField.upload_to() not a filename
passed to the FileField.generate_filename() (upload_to() may
completely ignored passed filename).
- Allow relative paths (without dot segments) in the generated filename.
Thanks to Jakub Kleň for the report and review.
Thanks to all folks for checking this patch on existing projects.
Thanks Florian Apolloner and Markus Holtermann for the discussion and
implementation idea.
Regression in 0b79eb36915d178aef5c6a7bbce71b1e76d376d3.
Backport of b55699968fc9ee985384c64e37f6cc74a0a23683 from main
Address a long standing bug in a Where.add optimization to discard
equal nodes that was surfaced by implementing equality for Lookup
instances in bbf141bcdc31f1324048af9233583a523ac54c94.
Thanks Shaheed Haque for the report.
Backport of b81c7562fc33f50166d5120138d6398dc42b13c3 from main
The 'db' and 'passwd' connection options have been deprecated, use
'database' and 'password' instead (available since mysqlclient >= 1.3.8).
This also allows the 'database' option in DATABASES['OPTIONS'] on MySQL.
Backport of 1061f5243646b4c9b8a758f8a36c9e2ccdded1cf from main
In Python 3.9.5+ urllib.parse() automatically removes ASCII newlines
and tabs from URLs [1, 2]. Unfortunately it created an issue in
the URLValidator. URLValidator uses urllib.urlsplit() and
urllib.urlunsplit() for creating a URL variant with Punycode which no
longer contains newlines and tabs in Python 3.9.5+. As a consequence,
the regular expression matched the URL (without unsafe characters) and
the source value (with unsafe characters) was considered valid.
[1] https://bugs.python.org/issue43882 and
[2] 76cd81d603
Backport of e1e81aa1c4427411e3c68facdd761229ffea6f6f from main.
The validate_file_name() sanitation introduced in
0b79eb36915d178aef5c6a7bbce71b1e76d376d3 correctly rejects the example
file name as containing path elements on Windows. This breaks the test
introduced in 914c72be2abb1c6dd860cb9279beaa66409ae1b2 to allow path
components for storages that may allow them.
Test is skipped pending a discussed storage refactoring to support this
use-case.
Backport of a708f39ce67af174df90c5b5e50ad1976cec7cb8 from main
Regression in c8b659430556dca0b2fe27cf2ea0f8290dbafecd.
Thanks Kevin Marsh for the report.
Backport of 96f55ccf798c7592a1203f798a4dffaf173a9263 from main
Subquery deconstruction support required implementing complex and
expensive equality rules for sql.Query objects for little benefit as
the latter cannot themselves be made deconstructible to their reference
to model classes.
Making Expression @deconstructible and not BaseExpression allows
interested parties to conform to the "expression" API even if they are
not deconstructible as it's only a requirement for expressions allowed
in Model fields and meta options (e.g. constraints, indexes).
Thanks Phillip Cutter for the report.
This also fixes a performance regression in bbf141bcdc31f1324048af9233583a523ac54c94.
Backport of c8b659430556dca0b2fe27cf2ea0f8290dbafecd from main
Thanks Zain Patel for the report and Simon Charette for reviews.
The exception introduced in 6307c3f1a123f5975c73b231e8ac4f115fd72c0d
revealed a possible data loss issue in the admin.
Backport of 187118203197801c6cb72dc8b06b714b23b6dd3d from main
This issue started manifesting itself when nesting a combined subquery
relying on exclude() since 8593e162c9cb63a6c0b06daf045bc1c21eb4d7c1 but
sql.Query.combine never properly handled subqueries outer refs in the
first place, see QuerySetBitwiseOperationTests.test_subquery_aliases()
(refs #27149).
Thanks Raffaele Salmaso for the report.
Backport of 6d0cbe42c3d382e5393d4af48185c546bb0ada1f from main
Thanks Jared Lockhart for the report.
Regression in c36075ac1dddfa986340b1a5e15fe48833322372.
Backport of 34d1905712d33e72c76b3a55a4fc24abbd11be6c from main
