mirror of https://github.com/django/django.git synced 2025-03-14 11:20:46 +00:00

4451 Commits

Author SHA1 Message Date
Tim Graham
5510f07071 [1.6.x] Made is_safe_url() reject URLs that start with control characters.
This is a security fix; disclosure to follow shortly.
2015-03-18 08:47:43 -04:00
Tim Graham
b6b3cb9899 [1.6.x] Fixed an infinite loop possibility in strip_tags().
This is a security fix; disclosure to follow shortly.
2015-03-18 08:47:16 -04:00
Carl Meyer
64735731e0 [1.6.x] Fix an encoding preamble so the tests pass on 2.7.9.
It seems there was a change in the parsing of encoding preambles in Python
2.7.9, compared to previous 2.7.x Pythons. This is a backport of the only piece
of e520a73eeea6b185b719901ab9985ecef00e5664 that's needed to prevent an import
failure under 2.7.9.
2015-02-06 20:15:06 -07:00
Tim Graham
fb614ff4a7 [1.6.x] Fixed #23312 -- Marked an i18n test as expectedFailure on Windows/Python 3.
Backport of 433e7dd5076e492290a90130c9b3e2b1319b2f95 from stable/1.7.x
2015-01-16 10:34:46 -05:00
Tim Graham
79df62f4d2 [1.6.x] Fixed a static view test on Windows.
Backport of a6f144fd4fee0090de3a99b1f50a4142722e7946 from master
2015-01-14 13:57:14 -05:00
Tim Graham
d7a06ee7e5 [1.6.x] Fixed DoS possibility in ModelMultipleChoiceField.
This is a security fix. Disclosure following shortly.

Thanks Keryn Knight for the report and initial patch.
2015-01-13 13:10:11 -05:00
Tim Graham
553779c405 [1.6.x] Prevented views.static.serve() from using large memory on large files.
This is a security fix. Disclosure following shortly.
2015-01-13 13:10:11 -05:00
Tim Graham
72e0b03366 [1.6.x] Fixed is_safe_url() to handle leading whitespace.
This is a security fix. Disclosure following shortly.
2015-01-13 13:10:11 -05:00
Carl Meyer
d7597b31d5 [1.6.x] Stripped headers containing underscores to prevent spoofing in WSGI environ.
This is a security fix. Disclosure following shortly.

Thanks to Jedediah Smith for the report.
2015-01-13 13:10:11 -05:00
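The spoofing this commit guards against comes from the CGI/WSGI convention for turning a request header into an environ key: uppercase the name, replace dashes with underscores, prefix `HTTP_`. Under that rule `X-Forwarded-For` and a client-supplied `X-Forwarded_For` both land on `HTTP_X_FORWARDED_FOR`, and whichever is processed last wins. The block below is an added illustration, not Django's code: it builds the environ both ways from a constructed header list and assumes the gateway processes headers in the order shown.

```python
# Added example (not Django's own code): why a WSGI gateway must drop header
# names that contain underscores before building HTTP_* environ keys.
from typing import Dict, List, Tuple

# Constructed sample request headers. The third one is attacker-controlled and
# differs from the trusted proxy header only by an underscore in place of a dash.
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Host", "app.example"),
    ("X-Forwarded-For", "203.0.113.7"),   # set by the trusted reverse proxy
    ("X-Forwarded_For", "10.0.0.1"),      # injected by the client
]


def environ_key(name: str) -> str:
    """CGI/WSGI mapping: uppercase, '-' -> '_', HTTP_ prefix."""
    return "HTTP_" + name.upper().replace("-", "_")


def build_environ_naive(headers: List[Tuple[str, str]]) -> Dict[str, str]:
    """Vulnerable: every header is mapped, so colliding keys silently overwrite."""
    env: Dict[str, str] = {}
    for name, value in headers:
        env[environ_key(name)] = value
    return env


def build_environ_hardened(headers: List[Tuple[str, str]]) -> Dict[str, str]:
    """Hardened: a header name containing '_' maps to the same key as the dashed
    name, so it is discarded instead of being allowed to overwrite it."""
    env: Dict[str, str] = {}
    for name, value in headers:
        if "_" in name:
            continue
        env[environ_key(name)] = value
    return env


if __name__ == "__main__":
    print(build_environ_naive(SAMPLE_HEADERS)["HTTP_X_FORWARDED_FOR"])     # 10.0.0.1
    print(build_environ_hardened(SAMPLE_HEADERS)["HTTP_X_FORWARDED_FOR"])  # 203.0.113.7
```

The ordering in the sample is the worst case; the underlying defect is the key collision, which exists regardless of order. Production front-ends commonly apply the same rule (nginx, for instance, treats header names with underscores as invalid unless `underscores_in_headers on` is set), so the check matters most in a self-written WSGI server or development server.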
Simon Charette
2fd16232b1 [1.6.x] Fixed #23754 -- Always allowed reference to the primary key in the admin
This change allows dynamically created inlines "Add related" button to work
correctly as long as their associated foreign key is pointing to the primary
key of the related model.

Thanks to amorce for the report, Julien Phalip for the initial patch,
and Collin Anderson for the review.

Backport of f9c4e14aeca7df79991bca8ac2d743953cbd095c from master
2014-11-25 13:48:50 -05:00
Emmanuelle Delescolle
c5c4bfa12a [1.6.x] Fixed #23604 -- Allowed related m2m fields to be references in the admin.
Thanks Simon Charette for review.

Backport of a24cf21722 from master
2014-10-06 08:50:48 -04:00
Tim Graham
011541d948 [1.6.x] Required numpy < 1.9 for tests; refs #23489.
Backport of 4743a94429 from stable/1.7.x
2014-09-29 19:58:00 -04:00
Simon Charette
a7af6ad96a [1.6.x] Fixed #23431 -- Allowed inline and hidden references to admin fields.
This fixes a regression introduced by the 53ff096982 security fix.

Thanks to @a1tus for the report and Tim for the review.

refs #23329.

Backport of 342ccbd from master
2014-09-08 14:05:26 -04:00
Akis Kesoglou
b877697472 [1.6.x] Fixed #23370 -- defer() + select_related() crashed with inherited models.
Backport of 6613ea6e3f from master
2014-08-30 07:16:47 -04:00
Simon Charette
e3453b61c6 [1.6.x] Fixed #23329 -- Allowed inherited and m2m fields to be referenced in the admin.
Thanks to Trac alias Markush2010 and ross for the detailed reports.

Backport of 3cbb759 from master
2014-08-27 21:50:29 -04:00
Simon Charette
f7c494f250 [1.6.x] Prevented data leakage in contrib.admin via query string manipulation.
This is a security fix. Disclosure following shortly.
2014-08-20 11:43:43 -04:00
Tim Graham
dd0c3f4ee1 [1.6.x] Fixed #23157 -- Removed O(n) algorithm when uploading duplicate file names.
This is a security fix. Disclosure following shortly.
2014-08-20 11:43:43 -04:00
Florian Apolloner
da051da8df [1.6.x] Prevented reverse() from generating URLs pointing to other hosts.
This is a security fix. Disclosure following shortly.
2014-08-20 11:43:43 -04:00
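The "other hosts" in this commit are reached through scheme-relative URLs. With a catch-all pattern such as `^(?P<path>.*)$` mounted at the site root, reversing it with a value that begins with a slash yields `//host/...`, which a browser resolves against `host` rather than the current site. The block below is an added model of the substitute-and-quote step, not Django's implementation: it assumes a hypothetical `SCRIPT_PREFIX` of `/` and takes the reverse form of a pattern as a `%`-format string such as `%(path)s`, then shows the mitigation of percent-encoding the second leading slash.

```python
# Added example (not Django's own code): how a permissive URL pattern lets
# reverse()-style URL construction produce a scheme-relative URL, and the fix.
from urllib.parse import quote

# Characters left unescaped when quoting the reversed URL: RFC 3986 sub-delims
# plus the extra pchar characters "/~:@". Leaving '/' unescaped is what allows
# a substituted value to splice a second leading slash into the URL.
RFC3986_SUBDELIMS = "!$&'()*+,;="
SAFE = RFC3986_SUBDELIMS + "/~:@"

# Hypothetical script prefix; Django's default prefix is also "/".
SCRIPT_PREFIX = "/"


def reverse_naive(candidate_pat: str, **subs: str) -> str:
    """Substitute captured-group values into the reverse form of a pattern
    and percent-encode the result. Vulnerable: '//' can come out the front."""
    return quote(SCRIPT_PREFIX + candidate_pat % subs, safe=SAFE)


def reverse_hardened(candidate_pat: str, **subs: str) -> str:
    """Same construction, but a leading '//' is rewritten to '/%2F' so the
    result is a local path and no longer scheme-relative."""
    url = reverse_naive(candidate_pat, **subs)
    if url.startswith("//"):
        url = "/%2F" + url[2:]
    return url


if __name__ == "__main__":
    # Reverse form of ^(?P<path>.*)$ with a value chosen by an attacker.
    print(reverse_naive("%(path)s", path="/evil.example/login"))     # //evil.example/login
    print(reverse_hardened("%(path)s", path="/evil.example/login"))  # /%2Fevil.example/login
    # Ordinary use is unaffected.
    print(reverse_hardened("files/%(name)s/", name="report.pdf"))    # /files/report.pdf/
```

The hardened form deliberately does not reject the request: a user-chosen path beginning with `/` is legitimate input for a catch-all view, so the safe outcome is a URL that stays on the current host and still round-trips through the resolver.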
Claude Paroz
9f9fdc4b0a [1.6.x] Fixed #22996 -- Prevented crash with unencoded query string
Thanks Jorge Carleitao for the report and Aymeric Augustin, Tim Graham
for the reviews.
Backport of fa02120d36 from master.
2014-08-19 22:55:35 +02:00
Tim Graham
f07e9f8796 [1.6.x] Added a missing skipUnlessDBFeature for the previous commit.
2014-07-29 09:37:49 -04:00
Shai Berger
838b7f8220 [1.6.x] Fixed #20292: Pass datetime objects (not formatted dates) as params to Oracle
This seems worthwhile in its own right, but also works around an Oracle
bug (in versions 10 -- 11.1) where the use of Unicode would reset the
date/time formats, causing ORA-01843 errors.

Thanks Trac users CarstenF for the report, jtiai for the initial patch,
and everyone who contributed to the discussion on the ticket.

Backport of 6983201 from master.
2014-07-29 07:00:26 -04:00
Aymeric Augustin
83098dccdf [1.6.x] Fixed #23089 -- Fixed transaction handling in two management commands.
Previously, when createcachetable and flush operated on non-default
databases, they weren't atomic.

Also avoided transactional DDL and transactional truncates on databases
that don't support them (refs #22308).

Backport of 753a22a635, 0757e0f30d, and 6877a9d415 from master
2014-07-24 19:27:15 -04:00
Tim Graham
04d827a710 [1.6.x] Added Chrome/IE support for a selenium test.
Backport of 5954aa6db0 from master plus additional changes...
2014-07-16 11:01:53 -04:00
Anssi Kääriäinen
9be56ec62c [1.6.x] PEP8 cleanup
Backport of f8df55050c from master
2014-07-16 12:53:52 +03:00
Gavin Wahl
227a0f27a6 [1.6.x] Fixed #22998 -- Updated the fast_delete logic for GFKs
Backport of 6e2b82fdf6 from master
2014-07-16 12:53:48 +03:00
Tim Graham
685582940b [1.6.x] Fixed #13794 -- Fixed to_field usage in BaseInlineFormSet.
Thanks sebastien at clarisys.fr for the report and gautier
for the patch.

Backport of 5e2c4a4bd1 from master
2014-07-14 12:39:19 -03:00
Claude Paroz
c38e47bec0 [1.6.x] Created import-time test temp dirs in known location
Refs #17215. In the same spirit as 5de31cb8cb.
Backport of 809362518d from master.
2014-06-23 14:59:39 +02:00
Vlastimil Zíma
ef3ae3d1c9 [1.6.x] Fixed #22514 -- Prevented indexes on virtual fields [postgres].
Backport of 78c32f1caa from master
2014-06-20 19:01:49 -04:00
Erik Romijn
50a289d05f [1.6.x] Fixed #22579 -- Corrected validation for email to reject trailing slash
Backport of 424fe76349a2e34eafef13c2450a7a1f4d3115a6 from master.
2014-05-16 15:40:52 +02:00
Erik Romijn
6011075245 [1.6.x] Added additional checks in is_safe_url to account for flexible parsing.
This is a security fix. Disclosure following shortly.
2014-05-14 10:15:06 +02:00
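Three entries in this log harden `is_safe_url()`: the additional checks for flexible browser parsing above, the leading-whitespace fix of 2015-01-13, and the leading-control-character fix of 2015-03-18. The common thread is that `urlparse` and browsers disagree about what a string means, and a redirect target is only safe if it is judged the way the browser will read it. The block below is an added, self-contained re-implementation of a checker with those defences, written for this page and not Django's code; the `host` argument and the sample inputs are constructed for the illustration.

```python
# Added example (not Django's own code): a redirect-target check that rejects
# inputs a browser would parse more permissively than urlparse does.
import unicodedata
from typing import Optional
from urllib.parse import urlparse


def is_safe_url(url: Optional[str], host: Optional[str] = None) -> bool:
    """True only for a relative path, or an http(s) URL whose host is `host`."""
    if url is not None:
        # Browsers ignore surrounding whitespace but urlparse does not:
        # " http://evil.example" would otherwise parse as a relative path.
        url = url.strip()
    if not url:
        return False
    # Chrome treats a backslash like a slash, so "\\evil.example" is "//evil.example".
    url = url.replace("\\", "/")
    # Chrome treats three or more leading slashes as an absolute URL; urlparse does not.
    if url.startswith("///"):
        return False
    parts = urlparse(url)
    # "http:///evil.example": urlparse sees a scheme with an empty host, Chrome sees a host.
    if parts.scheme and not parts.netloc:
        return False
    # strip() removes whitespace only. Browsers also skip many leading control
    # characters and may then read the rest as scheme-relative; reject any
    # leading character in Unicode category C* (Cc, Cf, ...).
    if unicodedata.category(url[0])[0] == "C":
        return False
    return (not parts.netloc or parts.netloc == host) and (
        not parts.scheme or parts.scheme in ("http", "https")
    )


if __name__ == "__main__":
    # Constructed inputs, each targeting one of the checks above.
    for candidate in ["/account/", "http://app.example/x", " http://evil.example",
                      "\x08http://evil.example", "\\\\evil.example",
                      "///evil.example", "http:///evil.example", "javascript:alert(1)"]:
        print(repr(candidate), is_safe_url(candidate, host="app.example"))
```

The order of the checks matters: the backslash replacement and the strip run before parsing, because the later tests reason about the normalised string, and the control-character test looks at the raw first character rather than at the parsed parts, since newer versions of `urlparse` themselves discard leading C0 characters and would otherwise hide what the browser will see.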
Aymeric Augustin
1abcf3a808 [1.6.x] Dropped fix_IE_for_vary/attach.
This is a security fix. Disclosure following shortly.
2014-05-14 10:15:06 +02:00
Aymeric Augustin
b6d3212190 [1.6.x] Fixed #22508 -- Avoided overwriting select_related.
Previously, known related objects overwrote related objects loaded
through select_related. This could cancel the effect of select_related
when it was used over more than one level.

Thanks boxm for the bug report and timo for bisecting the regression.

Conflicts:
	tests/select_related_regress/tests.py

Backport of f574220f from master
2014-05-10 17:05:09 +02:00
Anssi Kääriäinen
0e37049636 [1.6.x] Fixed #22429 -- Incorrect SQL when using ~Q and F
Backpatch of 5e1f4656b98816c96a1cc051224c1b699db480e0 from master.

Conflicts:
	django/db/models/sql/query.py
	tests/queries/models.py
	tests/queries/tests.py
2014-05-05 13:27:54 +03:00
Claude Paroz
034866204b [1.6.x] Fixed #22565 -- Prevented pgettext_lazy crash with bytestring input
Thanks ygbo for the report.
Backport of 142c27218 from master.
2014-05-02 19:38:46 +02:00
Tim Graham
6915220ff9 [1.6.x] Fixed #22486 -- Restored the ability to reverse views created using functools.partial.
Regression in 8b93b31487d6d3b0fcbbd0498991ea0db9088054.

Thanks rcoup for the report.

Backport of 3c06b2f2a3 from master
2014-04-23 08:56:13 -04:00
Erik Romijn
5f0829a27e [1.6.x] Fixed queries that may return unexpected results on MySQL due to typecasting.
This is a security fix. Disclosure will follow shortly.

Backport of 75c0d4ea3ae48970f788c482ee0bd6b29a7f1307 from master
2014-04-21 18:30:27 -04:00
Aymeric Augustin
d63e20942f [1.6.x] Prevented leaking the CSRF token through caching.
This is a security fix. Disclosure will follow shortly.

Backport of c083e3815aec23b99833da710eea574e6f2e8566 from master
2014-04-21 18:30:27 -04:00
Tim Graham
4352a50871 [1.6.x] Fixed a remote code execution vulnerability in URL reversing.
Thanks Benjamin Bach for the report and initial patch.

This is a security fix; disclosure to follow shortly.

Backport of 8b93b31487d6d3b0fcbbd0498991ea0db9088054 from master
2014-04-21 18:30:27 -04:00
valtron
1252b77824 [1.6.x] Fixed #21760 -- prefetch_related used an inefficient query for reverse FK.
Regression introduced by commit 9777442. Refs #21410.

Conflicts:
	tests/prefetch_related/tests.py

Backport of d3b71b976d from master
2014-04-13 01:06:03 +07:00
Aymeric Augustin
1d3d2b9a24 [1.6.x] Fixed #21202 -- Maintained atomicity when the server disconnects.
Thanks intgr for the report.

This commit doesn't include a test because I don't know how to emulate a
database disconnection in a cross-database compatible way.

Also simplified a 'backends' test that was constrained by this problem.

Backport of 81761508 from master
2014-04-10 23:22:13 +02:00
Aymeric Augustin
4ea02bdb0d [1.6.x] Fixed #21239 -- Maintained atomicity when closing the connection.
Refs #15802 -- Reverted #7c657b24 as BaseDatabaseWrapper.close() now
has a proper "finally" clause that may need to preserve self.connection.

Backport of 25860096 from master.
2014-04-10 23:22:13 +02:00
Aymeric Augustin
9afedbef42 [1.6.x] Fixed #22291 -- Avoided shadowing deadlock exceptions on MySQL.
Thanks err for the report.

Backport of 58161e4e from master.
2014-04-10 23:05:09 +02:00
Aymeric Augustin
e68c084ed1 Fixed a broken test introduced in 6fa7d7c5. Refs #21553.
Thanks Shai.
2014-04-10 07:51:04 +02:00
Shai Berger
690a5984a3 [1.6.x] Fixed #22343 -- Disallowed select_for_update in autocommit mode
The ticket was originally about two failing tests, which are
fixed by putting their queries in transactions.

Thanks Tim Graham for the report, Aymeric Augustin for the fix,
and Simon Charette, Tim Graham & Loïc Bistuer for review.

Backport of b990df1d63 from master
2014-04-10 02:15:14 +03:00
Aymeric Augustin
6fa7d7c594 [1.6.x] Fixed #21553 -- Ensured unusable database connections get closed.
Backport of 5f2f47f from master
2014-04-09 22:54:39 +02:00
Patrick Michaud
73474df954 Fixed #22256 -- Replaced bad fallback for missing PATH
Thanks Baptiste Mispelon for the review.
Backport of acee46fc9 from master.
2014-04-01 20:45:12 +02:00
Loic Bistuer
07e2a56814 [1.6.x] Fixed #22360 -- Fixed two non-deterministic tests in Python 3.4.
The order of admin's changelist filters in the querystring relied on
dict ordering.

Backport of 4d996b8e69 from master
2014-03-31 08:24:12 -04:00
Loic Bistuer
a5297c1ef4 [1.6.x] Fixed #21795 -- Made add_preserved_filters account for url prefixes.
Thanks to trac username honyczek for the report. Refs #6903.

Backport of 4339e9a92d from master
2014-03-31 07:29:08 -04:00
Tim Graham
059bc7eb60 [1.6.x] Fixed #22338 -- Fixed a test dependent on dictionary key iteration order.
Backport of 69a4f383f6 from master
2014-03-30 14:27:11 -04:00
Claude Paroz
c9b2feffee [1.6.x] Tweaked strip_tags tests to pass on Python 3.3
Backport of 6a0291bda from master.
2014-03-22 15:05:28 +01:00