On successful submission of a password reset request, an email is sent
to the accounts known to the system. If sending this email fails (due to
email backend misconfiguration, service provider outage, network issues,
etc.), an attacker might exploit this by detecting which password reset
requests succeed and which ones generate a 500 error response.
Thanks to Thibaut Spriet for the report, and to Mariusz Felisiak, Adam
Johnson, and Sarah Boyce for the reviews.
LocaleMiddleware didn't handle the ValueError raised by
get_supported_language_variant() when language codes were
over 500 characters.
Regression in 9e9792228a.
Backport of 0e94f292cd from main.
This is the exact same issue as refs #30408 but for creating a model with a
constraint containing % escapes instead of column addition. All of these issues
stem from a lack of SQL and parameters separation from the BaseConstraint DDL
generating methods preventing them from being mixed with other parts of the
schema alteration logic that do make use of parametrization on some backends
(e.g. Postgres, MySQL for DEFAULT).
Prior to the addition of Field.db_default and GeneratedField in 5.0
parametrization of DDL was never exercised on model creation so this is
effectively a bug with db_default as the GeneratedField case was addressed by
refs #35336.
Thanks Julien Chaumont for the report and Mariusz Felisiak for the review.
Backport of f359990e49 from main.
The logic allowing UniqueConstraint(fields).validate to preserve backward
compatiblity with Model.unique_error_message failed to account for cases where
the constraint might not be attached to a model which is a common pattern
during testing.
This changes allows for arbitrary UniqueConstraint(fields) to be tested in
isolation without requiring actual models backing them up.
Co-authored-by: Mark G <mark.gensler@protonmail.com>
Backport of 13922580cc from main.
Accessing generated field values on unsaved models caused a crash when
validating CheckConstraints and UniqueConstraints with expressions.
Backport of 1005c2abd1 from main.
Sleep call leads to a hard to trace error in CI. Using an Event is
more deterministic, and should be less prone to environment
variations.
Bug in 11393ab131.
Backport of f4a08b6ddf from main.
Generated fields have to be excluded from the INSERT query against the remade
table including the index.
Thanks Moshe Dicker for the report, David Sanders and Mariusz Felisiak for the
review.
Backport of d048f0d311 from main.
Postgres >= 12.18, 13.14, 14.11, 15.6, 16.2 changed the way the immutability
of generated and default expressions is detected in postgres/postgres@743ddaf.
The adjusted test semantic is presereved by switching from __icontains to
__contains as both make use of a `%` literal which requires proper escaping.
Refs #35336.
Thanks bcail for the report.
Backport of 73b62a2126 from main.
A longer term solution is likely to have a better separation of parametrized
DDL altogether to handle checks, constraints, defaults, and generated fields
but such a change would require a significant refactor that isn't suitable
for a backport.
Thanks Adrian Garcia for the report.
Backport of 888b9042b3 from main
Field.db_default accepts either literal Python values or compilables
(as_sql) and wrap the former ones in Value internally.
While 1e38f11 added support for automatic resolving of output fields for
types such as str, int, float, and other unambigous ones it's cannot do
so for all types such as dict or even contrib.postgres and contrib.gis
primitives.
When a literal, non-compilable, value is provided it likely make the
most sense to bind its output field to the field its attached to avoid
forcing the user to provide an explicit `Value(output_field)`.
Thanks David Sanders for the report.
Backport of e67d7d70fa from main
MySQL doesn't allow literal DEFAULT values to be used for BLOB, TEXT,
GEOMETRY or JSON columns and requires expression to be used instead.
Regression in 7414704e88.
Backport of dfc77637ea from main
