Jacob Walls
98e642c691
Fixed CVE-2025-64459 -- Prevented SQL injections in Q/QuerySet via the _connector kwarg.
Thanks cyberstan for the report, Sarah Boyce, Adam Johnson, Simon
Charette, and Jake Howard for the reviews.
2025-11-05 09:20:57 -03:00
Jacob Walls
c880530ddd
Fixed CVE-2025-64458 -- Mitigated potential DoS in HttpResponseRedirect/HttpResponsePermanentRedirect on Windows.
Thanks Seokchan Yoon for the report, Markus Holtermann for the
triage, and Jake Howard for the review.
Follow-up to CVE-2025-27556 and 39e2297210.
2025-11-05 09:20:57 -03:00
Hal Blackburn
74564946c3
Fixed #36704 -- Fixed system check error for proxy model with a composite pk.
Proxy models subclassing a model with a CompositePrimaryKey were
incorrectly reporting check errors because the check that requires only
local fields to be used in a composite pk was evaluated against the proxy
subclass, which has no fields.
To fix this, composite pk field checks are not evaluated against
proxy subclasses, as none of the checks are applicable to proxy
subclasses. This also has the benefit of not double-reporting real check
errors from an invalid superclass pk.
Thanks Clifford Gama for the review.
2025-11-04 11:59:21 -05:00
ontowhee
eaf7b563a5
Updated ticket triage process diagram and contributing docs.
2025-11-04 09:38:03 -03:00
Mariusz Felisiak
05ba1a9228
Fixed #36661 -- Added introspection of database-level delete options.
2025-10-31 14:33:27 +01:00
Tim Schilling
340e4f832e
Added community package storage backends mention to docs.
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
2025-10-30 17:21:28 -04:00
Clifford Gama
7fc9db1c6a
Refs #35381 -- Clarified key and index lookup handling of None in exact lookup docs.
2025-10-29 15:00:52 -04:00
Clifford Gama
348ca84538
Refs #35381 -- Deprecated using None in JSONExact rhs to mean JSON null.
Key and index lookups are exempt from the deprecation.
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
2025-10-29 15:00:52 -04:00
Clifford Gama
be7f68422d
Refs #35381 -- Delegated ArrayField element prepping to base_field.get_db_prep_save.
Previously, ArrayField always used base_field.get_db_prep_value when saving,
which could differ from how base_field prepares data for save. This change
overrides ArrayField.get_db_prep_save to delegate to the base_field's
get_db_prep_save, ensuring elements like None in JSONField arrays are saved
correctly as SQL NULL instead of JSON null.
2025-10-29 15:00:52 -04:00
Clifford Gama
adc25a9a66
Fixed #35381 -- Added JSONNull() expression.
Thanks Jacob Walls for the review.
2025-10-29 15:00:52 -04:00
Jacob Walls
ab108bf94d
Added stub release notes and release date for 5.2.8, 5.1.14, and 4.2.26.
2025-10-29 14:57:45 -03:00
Clifford Gama
01f8460653
Fixed #36329 -- Removed non-code custom link text when cross-referencing Python objects.
Thanks Bruno Alla, Sarah Boyce, and Jacob Walls for reviews.
Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2025-10-29 11:32:12 -04:00
Kasyap Pentamaraju
0ea01101c3
Fixed #36681 -- Removed English pluralization bias from example in docs/topics/i18n/translation.txt.
2025-10-27 14:41:53 -04:00
Mariusz Felisiak
c87daabbf3
Fixed #36624 -- Dropped support for MySQL < 8.4.
2025-10-27 15:05:23 +01:00
Annabelle Wiegart
7423918125
Fixed #35095 -- Clarified Swiss number formatting in docs/topics/i18n/formatting.txt.
Co-authored-by: Ahmed Nassar <a.moh.nassar00@gmail.com>
2025-10-23 10:11:52 -04:00
Natalia
42d6e20feb
Made cosmetic edits to docs/releases/6.0.txt.
2025-10-22 15:37:52 -03:00
Mariusz Felisiak
ca3e0484ef
Refs #36005 -- Bumped minimum supported versions of docutils to 0.22.
2025-10-19 20:13:16 +02:00
Mariusz Felisiak
d506e4a528
Fixed #36671 -- Dropped support for SQLite < 3.37.
2025-10-18 21:04:11 +02:00
Mariusz Felisiak
0c487aa3a7
Fixed #21961 -- Added support for database-level delete options for ForeignKey.
Thanks Simon Charette for pair programming.
Co-authored-by: Nick Stefan <NickStefan12@gmail.com>
Co-authored-by: Akash Kumar Sen <71623442+Akash-Kumar-Sen@users.noreply.github.com>
Co-authored-by: Simon Charette <charette.s@gmail.com>
2025-10-18 15:03:50 +02:00
Segni Mekonnen
b1e0262c9f
Fixed #36665 -- Improved manager usage guidance in docs/topics/db/optimization.txt.
2025-10-17 17:15:10 -04:00
Mariusz Felisiak
56977b466c
Refs #35844 -- Doc'd Python 3.14 compatibility.
2025-10-17 19:25:02 +02:00
aj2s
f715bc8990
Fixed #36669 -- Doc'd that negative indexes are not supported in F() slices.
2025-10-17 10:20:23 -04:00
Jacob Walls
d980d68609
Bumped minimum isort version to 7.0.0.
Added ignores relating to https://github.com/PyCQA/isort/issues/2352.
2025-10-16 14:59:02 -04:00
Adam Johnson
6dc9b04018
Refs #28586 -- Copied fetch modes to related objects.
This change ensures that behavior and performance remain consistent when
traversing relationships.
2025-10-16 14:52:22 -04:00
Adam Johnson
e097e8a12f
Fixed #28586 -- Added model field fetch modes.
May your database queries be much reduced with minimal effort.
co-authored-by: Andreas Pelme <andreas@pelme.se>
co-authored-by: Simon Charette <charette.s@gmail.com>
co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
2025-10-16 14:52:22 -04:00
Adam Johnson
f6bd90c840
Refs #28586 -- Edited related objects documentation.
This change aims to make this section clearer and ready to add a description of
fetch modes.
2025-10-16 14:52:22 -04:00
Jacob Walls
02eed4f378
Fixed #36648, Refs #33772 -- Accounted for composite pks in first()/last() when aggregating.
2025-10-14 15:48:29 -04:00
Jacob Walls
cc9df52666
Removed pre-release wheel-only advice in docs/internals/howto-release-django.txt.
The practice since 2.2a1 (2019) has been to upload source distributions
as well.
2025-10-14 08:46:14 -04:00
Jacob Walls
1910115807
Removed mention of setuptools in docs/internals/contributing/writing-code/unit-tests.txt.
2025-10-14 08:41:32 -04:00
lyova24
a545eb0c1a
Cautioned against multi-level relative imports in coding style docs.
2025-10-13 17:27:07 -04:00
Natalia
d5543a23d3
Added notes about automatic roadmap generation for next version in docs/internals/howto-release-django.txt.
2025-10-13 17:41:30 -03:00
arsalan64
92d0c21e69
Fixed #36625 -- Mentioned exit() in tutorial's instruction to restart the shell.
2025-10-13 16:21:22 -04:00
Sarah Boyce
5b51e6f759
Fixed #36611, Refs #36580 -- Added system check for multicolumn ForeignObject in Meta.indexes/constraints/unique_together.
ForeignObjects with multiple `from_fields` are not supported in these
options.
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2025-10-13 14:53:39 -03:00
Simon Charette
315dbe675d
Fixed #36646 -- Added compatibility for oracledb 3.4.0.
The Database.Binary, Date, and Timestamp attributes were changed from
aliases to bytes, datetime.date, and datetime.datetime to factory
functions in oracle/python-oracledb@869a887819
which made their usage inadequate for isinstance checks.
Thanks John Wagenleitner for the report and Natalia for the triage.
Co-authored-by: Mariusz Felisiak <felisiak.mariusz@gmail.com>
2025-10-11 17:15:28 +02:00
Mariusz Felisiak
1167cd1d63
Corrected admin check IDs in docs.
2025-10-09 20:01:31 +02:00
Natalia
608d3ebc88
Fixed #36526 -- Doc'd QuerySet.bulk_update() memory usage when batching.
Thanks Simon Charette for the review.
2025-10-08 18:27:16 -03:00
Michiel W. Beijen
96a7a65216
Fixed #35961 -- Migrated license metadata in pyproject.toml to conform PEP 639.
See https://peps.python.org/pep-0639/ and
https://packaging.python.org/en/latest/guides/writing-pyproject-toml/#license-and-license-files.
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
2025-10-08 16:40:02 -03:00
Mariusz Felisiak
4a8ca8bd69
Added missing backticks in docs/ref/models/fields.txt.
2025-10-08 10:58:59 +02:00
Mariusz Felisiak
6e3287408e
Refs #36623 -- Confirmed support for PostGIS 3.6.
2025-10-03 17:12:57 -04:00
Mariusz Felisiak
5bd775703c
Fixed #36623 -- Dropped support for PostgreSQL 14 and PostGIS 3.1.
2025-10-03 17:12:57 -04:00
Dani Fornons
2514857e3f
Fixed #36636, Refs #15902 -- Removed session-based storage reference from set_language() docs.
2025-10-03 15:16:37 -04:00
Jacob Walls
0a09c60e97
Refs #36143, #28596 -- Avoided mentioning exact query parameter limit in bulk_create() docs.
2025-10-03 11:25:17 -04:00
Mariusz Felisiak
1499c95d99
Rewrapped security archive at 79 chars.
2025-10-01 16:24:00 -04:00
Jacob Walls
43d84aef04
Added CVE-2025-59681 and CVE-2025-59682 to security archive.
2025-10-01 10:39:02 -04:00
Jacob Walls
1324d9037e
Added stub release notes for 5.2.8.
2025-10-01 10:30:45 -04:00
Sarah Boyce
924a0c092e
Fixed CVE-2025-59682 -- Fixed potential partial directory-traversal via archive.extract().
Thanks stackered for the report.
Follow up to 05413afa8c.
2025-10-01 08:12:07 -04:00
Mariusz Felisiak
41b43c74bd
Fixed CVE-2025-59681 -- Protected QuerySet.annotate(), alias(), aggregate(), and extra() against SQL injection in column aliases on MySQL/MariaDB.
Thanks sw0rd1ight for the report.
Follow up to 93cae5cb2f.
2025-10-01 08:11:45 -04:00
Jacob Walls
6c82b0bc91
Made cosmetic edits to 5.2.7 release notes.
2025-09-30 16:31:01 -04:00
Adam Johnson
8b241f84e2
Fixed #36614 -- Deprecated QuerySet.values_list(flat=True) without a field.
Thanks to Jacob Walls and Simon Charette for their input.
co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2025-09-30 08:46:28 +02:00
okaybro
afe6634146
Fixed #36587 -- Clarified usage of list.insert() for upload handlers.
Thanks Baptiste Mispelon for the report
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2025-09-29 14:48:06 +02:00