mirror of https://github.com/django/django.git synced 2025-03-14 11:20:46 +00:00

3738 Commits

Author SHA1 Message Date
Tim Graham
988b61c550 [1.5.x] Prevented arbitrary file inclusion with {% ssi %} tag and relative paths.
Thanks Rainer Koirikivi for the report and draft patch.

This is a security fix; disclosure to follow shortly.

Backport of 7fe5b656c9 from master
2013-09-10 21:05:03 -04:00
Tim Graham
616a4d385a [1.5.x] Fixed #20922 -- Allowed customizing the serializer used by contrib.sessions
Added settings.SESSION_SERIALIZER which is the import path of a serializer
to use for sessions.

Thanks apollo13, carljm, shaib, akaariai, charettes, and dstufft for reviews.

Backport of b0ce6fe656 from master
2013-08-22 17:49:11 -04:00
Jacob Kaplan-Moss
90363e388c Apply autoescaping to AdminURLFieldWidget.
This is a security fix; disclosure to follow shortly.
2013-08-13 11:04:21 -05:00
Anssi Kääriäinen
bf4c8d8c98 [1.5.x] Fixed qs ordering related randomly failing test
The failure wasn't present in 1.6+, so this is not a backpatch.
2013-07-29 14:28:41 +03:00
Florian Apolloner
41492f0f1b [1.5.x] Simplified smart_urlquote and added some basic tests.
Backport of b70c371fc1f18ea0c43b503122df3f311afc7105 from master.
2013-07-28 10:07:29 +02:00
Tim Graham
dd2a512f68 [1.5.x] assertEquals -> assertEqual
2013-07-27 18:46:55 -04:00
Luke Plant
00b39e0145 [1.5.x] Fixed #19607 - prefetch_related crash
Thanks to av@rdf.ru and flarno11@yahoo.de for the report.

Backport of 4fd94969d8 from master
2013-07-27 17:59:27 -04:00
Tim Graham
8904e9fb98 [1.5.x] Fixed #20681 -- Prevented teardown_databases from attempting to tear down aliases
Thanks simonpercivall.

Backport of d9c580306c from master
2013-07-13 18:09:24 -04:00
Tim Graham
13546cae9c [1.5.x] Fixed #19196 -- Added test/requirements
Backport of 4d92a0bd86 from master.
2013-07-10 11:32:28 -04:00
Tim Graham
95aa2182b7 [1.5.x] Fixed #19940 -- Made test.runner.setup_databases properly handle aliases for defau
Thanks simonpercivall.

Backport of 2cbd579efe from master.
2013-07-04 20:41:01 -04:00
Daniel Lindsley
cb9aaac91f [1.5.x] Fixed #20212 - __reduce__ should only be defined for Py3+.
2013-05-21 10:17:27 -07:00
Anssi Kääriäinen
bac187c0d8 [1.5.x] Fixed prefetch_related + pickle regressions
There were a couple of regressions related to field pickling. The
regressions were introduced by QuerySet._known_related_objects caching.

The regressions aren't present in master, the fix was likely in
f403653cf146384946e5c879ad2a351768ebc226.

Fixed #20157, fixed #20257. Also made QuerySets with model=None
picklable.
2013-05-21 11:45:24 +03:00
Anssi Kääriäinen
0eddedf7db [1.5.x] Fixed #20278 -- ensured .get() exceptions do not recurse infinitely
A regression caused by d5b93d3281fe93cbef5de84a52 made .get() error
reporting recurse infinitely on certain rare conditions. Fixed this by
not trying to print the given lookup kwargs.

Backpatch of 266c0bb23e9d64c47ace4d162e582febd5a1e336
2013-05-20 19:05:43 +03:00
Tai Lee
23b234a9d9 [1.5.x] Fixed #20354 -- makemessages no longer crashes with UnicodeDecodeError
Handle the `UnicodeDecodeError` exception, send a warning to `stdout` with the
file name and location, and continue processing other files.
Backport of 99a6f0e77 from master.
2013-05-07 21:36:51 +02:00
Florian Apolloner
0b0d98fd4e [1.5.x] Fixed test failures introduced in a5becad9094e5c5403b692b9a7b3a6ffaabf64a3.
Backport of 780fa48f5fb81b2f0f58de95167abff84a6149aa from master
2013-05-05 16:14:41 +02:00
Claude Paroz
abdcf81843 [1.5.x] Fixed #20237 (again) Allowed binary parameter to assertContains
Backport of b04fd579d5 from master.
2013-04-12 20:16:35 +02:00
Baptiste Mispelon
9c49e64b66 [1.5.x] Fixed #20211: Document backwards-incompatible change in BoundField.label_tag
Also cleaned up label escaping and consolidated the test suite regarding
label_tag.
Backport of ab686022f from master.
2013-04-12 10:25:44 +02:00
Claude Paroz
427b59495e [1.5.x] Fixed #20237 -- Reenabled assertContains with binary parameter
Thanks Baptiste Mispelon for the review.
Backport of fe01404bb9 from master.
2013-04-11 10:58:06 +02:00
Simon Charette
d04e8f8c78 [1.5.x] Fixed #20207 -- Handle ManyToManyField with a unicode name correctly.
Backport of 216580e034.
2013-04-05 15:21:59 -04:00
Julien Phalip
a15a3e9148 [1.5.x] Fixed #20169 -- Ensured that the WSGI request's path is correctly based on the SCRIPT_NAME environment parameter or the FORCE_SCRIPT_NAME setting, regardless of whether or not those have a trailing slash. Thanks to bmispelon for the review.
Backport of 2f81a0ca6543f
2013-04-01 12:07:58 -07:00
Jacob Kaplan-Moss
bec250211b [1.5.x] Correctly restore warning capture after logging tests.
This is a fix to the wrong behavior that 15c3906eeb introduced.

Backport of 4befef9 from trunk.
2013-03-27 17:03:12 -05:00
Jacob Kaplan-Moss
9a41045b77 [1.5.x] Fixed logging-related test failure introduced by e79b857.
Backport of 654d8e9.
2013-03-27 12:21:26 -05:00
Preston Holmes
572a300e56 [1.5.x] Fixed #18985 -- ensure module level deprecations are displayed
Also don't compete with -W CLI option.

Thanks to Aymeric Augustin for the catch, and Claude Paroz for the patch.

Backport of e79b857a07905340556f781a7d63016236b21c61 from master.
2013-03-27 10:37:47 -05:00
Anssi Kääriäinen
207117ae73 [1.5.x] Fixed #20091 -- Oracle null promotion for empty strings
Backpatch of e17fa9e877e84e93b699c2bd13ea48dbbb86e451
2013-03-26 15:05:37 +02:00
Claude Paroz
deec020bf5 [1.5.x] Fixed #20108 -- Fixed filepath_to_uri decoding error
This was a regression due to unicode_literals usage. Thanks Ivan
Virabyan for the report and the initial patch.
Backport of 164528acc8 from master.
2013-03-22 17:58:36 +01:00
Marc Tamlyn
dd897e4eeb [1.5.x] Fixed #20094 - Be more careful when checking for Iterator
Python 2.6 has some different behaviour when checking
isinstance(foo, collections.Iterator).
Backport of 829dc3c5 from master.
2013-03-22 17:45:41 +01:00
Claude Paroz
b91067d9aa [1.5.x] Revert "Fixed #19895 -- Made second iteration over invalid queryset raise an exception too"
This reverts commit d1e87eb3baf75b1b6a0ada46a9b77f7e347cdb60.
This commit was the cause of a memory leak. See ticket for more details.
Thanks Anssi Kääriäinen for identifying the source of the bug.
2013-03-20 10:43:14 +01:00
Aymeric Augustin
702d39921c [1.5.x] Fixed #19634 -- Added proper __hash__ methods.
Classes overriding __eq__ need a __hash__ such that equal objects have
the same hash.

Thanks akaariai for the report and regebro for the patch.

Backport of e76147a from master.
2013-02-25 23:37:23 +01:00
Claude Paroz
cf114cffea [1.5.x] Fixed #19903 -- Fixed unbalanced setUp/tearDown calls in LiveServerAddress test
Backport of 6d52bcbb7c from master.
2013-02-25 08:59:44 +01:00
Aymeric Augustin
455baa68eb [1.5.x] Changed testing strategy used in 6b03179e.
Avoid polluting the app cache as it causes unrelated test failures.

Refs #19688.

Backport of 7b49da1 from master.
2013-02-25 00:11:10 +01:00
Simon Charette
f8b41da431 [1.5.x] Fixed #19688 -- Allow model subclassing with a custom metaclass using six.with_metaclass
Backport of 6b03179e126d4df01623dccc162c1579f349e41e from master.

Although we're post RC 2, I'm backporting this because it's arguably a
major bug in a new feature that will prevent several well-known
third-party apps from being ported to Python 3.
2013-02-24 17:45:48 +01:00
Grzegorz Nosek
d1e87eb3ba [1.5.x] Fixed #19895 -- Made second iteration over invalid queryset raise an exception too
When iteration over a queryset raised an exception, the result cache
remained initialized with an empty list, so subsequent iterations returned
an empty list instead of raising an exception

Backport of 2cd0edaa477b327024e4007c8eaf46646dcd0f21 from master.
2013-02-23 14:39:05 -06:00
Anssi Kääriäinen
8a99d718f7 [1.5.x] Fixed empty strings + to_field regression on Oracle
Querying the reverse side of nullable to_field relation, where both
sides can contain null values resulted in incorrect results. The reason
was not detecting '' as NULL.

Refs #17541, backpatch of 09fcb70c804b76fccc8fc0ac545873e5ab30c00a.
2013-02-23 00:09:48 +02:00
Anssi Kääriäinen
96790fc022 [1.5.x] Made a couple of selenium tests wait for page loaded
The admin_widgets tests were issuing click() to the browser but
didn't wait for the effects of those clicks. This caused the resulting
request to be processed concurrently with the test case. When using
in-memory SQLite this caused weird failures.

Also added wait_page_loaded() to admin selenium tests for code
reuse.

Fixed #19856, backpatch of 50677b29af39ca670274fb45087415c883c78b04
2013-02-21 00:01:07 +02:00
Anssi Kääriäinen
8ad436636f [1.5.x] Fixed #19672 -- Error in negated Q() filtering
There was a variable overwrite error in negated join filtering. This
happened when add_filter() was adding the IS NULL condition to the
WHERE clause.

This is not a backport from master as there have been some other
refactorings which made this patch irrelevant.

The patch is from Ian Kelly.
2013-02-20 21:57:39 +02:00
Aymeric Augustin
3ef4bbf495 [1.5.x] Added a default limit to the maximum number of forms in a formset.
This is a security fix. Disclosure and advisory coming shortly.
2013-02-19 10:39:04 -07:00
Carl Meyer
0e46c7f7ac [1.5.x] Checked object permissions on admin history view.
This is a security fix. Disclosure and advisory coming shortly.

Patch by Russell Keith-Magee.
2013-02-19 10:39:04 -07:00
Carl Meyer
2d0c22e02d [1.5.x] Restricted the XML deserializer to prevent DoS attacks.
This is a security fix. Disclosure and advisory coming shortly.
2013-02-19 10:39:03 -07:00
Carl Meyer
a7e33c5bf3 [1.5.x] Added a new required ALLOWED_HOSTS setting for HTTP host header validation.
This is a security fix; disclosure and advisory coming shortly.
2013-02-19 10:39:03 -07:00
Claude Paroz
41848b078a [1.5.x] Fixed #19833 -- Fixed import parameter encoding in get_runner
Thanks Danilo Bargen for the report.
Backport of 63236161 from master.
2013-02-16 13:32:03 +01:00
Julien Phalip
42e87c17f2 [1.5.x] Fixed #19829 -- Fixed index lookups for NumPy arrays in templates.
Backport of 7d5e35cdb46124e2471
2013-02-15 00:18:49 -08:00
Anssi Kääriäinen
743263a105 [1.5.x] Removed try-except in django.db.close_connection()
The reason was that the except clause needed to remove a connection
from the django.db.connections dict, but other parts of Django do not
expect this to happen. In addition the except clause was silently
swallowing the exception messages.

Refs #19707, special thanks to Carl Meyer for pointing out that this
approach should be taken.
2013-02-13 00:22:10 +02:00
Anssi Kääriäinen
7b5ca126ee [1.5.x] Fixed #19112 -- Reduced the amount of query params in a test
Backpatch of 604d8763dc2c901a3557e15880895d88af5c4127.
2013-02-10 21:09:58 +02:00
Anssi Kääriäinen
b18ad807e0 [1.5.x] Fixed #19720 -- Oracle ordering related delete regression
When a query had a complex where condition (a condition targeting more
than the base table) a subquery was used for deletion. However, the
query had default ordering from the model's meta and Oracle doesn't
work with ordered subqueries.

The regression was caused by fast-path deletion code introduced in
1cd6e04cd4f768bcd4385b75de433d497d938f82 for fixing #18676.

Thanks to Dylan Klomparens for the report.

Backpatch of 8ef3235034a1a7616714a5d61486dc68536f74ee
2013-02-10 19:58:22 +02:00
Anssi Kääriäinen
60186aa2e5 [1.5.x] Fixed #19707 -- Reset transaction state after requests
Backpatch of a4e97cf315142e61bb4bc3ed8259b95d8586d09c
2013-02-10 14:09:58 +02:00
Anssi Kääriäinen
4c261c61f2 [1.5.x] Fixed #19645 -- Added tests for TransactionMiddleware
Backpatch of f556df90be995a83b979cf875705d98521ab4dc7. Backpatching
these tests so that it will be easier to backpatch the fix for #19707.
2013-02-10 14:01:49 +02:00
Julien Phalip
15796db507 [1.5.x] Cleaned up some lingering signals in the test suite that were causing spurious failures with Pypy and Postgres.
Backport of db09a2de6e1bc7121
2013-02-08 12:13:43 -08:00
Julien Phalip
5ba76825cf [1.5.x] Fixed a typo in the test suite that was causing some spurious failures with pypy.
Backport of 6afc85af47f7d9f44
2013-02-06 22:12:02 -08:00
Claude Paroz
20ac33100c Partially revert 9efe1a721, strip_tags improvements
The new regex seems not stable enough for being released. Stripping
with regex might need reevaluation for the next release.
Refs #19237.
2013-02-06 21:19:41 +01:00
Nick Sandford
e18bd68dbc [1.5.x] Fixed #19445 -- Skip admin fieldsets validation when the ModelAdmin.get_form() method is overridden.
Backport of 0694d2196f0fad
2013-02-02 14:55:59 -08:00