Ramiro Morales
aa9c45c2e4
[1.4.x] Revert "Fixed #13794 -- Fixed to_field usage in BaseInlineFormSet."
...
This reverts commit b44519072e8a0ef56a0ae9e6e4a1fb04273eb0eb.
stable/1.4.x branch is in security-fixes-only mode.
2014-07-14 21:09:38 -03:00
Tim Graham
b44519072e
[1.4.x] Fixed #13794 -- Fixed to_field usage in BaseInlineFormSet.
...
Thanks sebastien at clarisys.fr for the report and gautier
for the patch.
Backport of 5e2c4a4bd1 from master
2014-07-14 12:38:00 -03:00
Tim Graham
7feb54bbae
[1.4.x] Added additional checks in is_safe_url to account for flexible parsing.
...
This is a security fix. Disclosure following shortly.
2014-05-12 09:46:40 -04:00
Aymeric Augustin
28e23306aa
[1.4.x] Dropped fix_IE_for_vary/attach.
...
This is a security fix. Disclosure following shortly.
2014-05-12 09:46:22 -04:00
Tim Graham
b91c385e32
[1.4.x] Fixed #22486 -- Restored the ability to reverse views created using functools.partial.
...
Regression in 8b93b31.
Thanks rcoup for the report.
Backport of 3c06b2f2a3 from master
2014-04-23 09:22:02 -04:00
Erik Romijn
aa80f498de
[1.4.x] Fixed queries that may return unexpected results on MySQL due to typecasting.
...
This is a security fix. Disclosure will follow shortly.
Backport of 75c0d4ea3ae48970f788c482ee0bd6b29a7f1307 from master
2014-04-21 18:31:44 -04:00
Aymeric Augustin
1170f285dd
[1.4.x] Prevented leaking the CSRF token through caching.
...
This is a security fix. Disclosure will follow shortly.
Backport of c083e3815aec23b99833da710eea574e6f2e8566 from master
2014-04-21 18:31:44 -04:00
Tim Graham
c1a8c420fe
[1.4.x] Fixed a remote code execution vulnerability in URL reversing.
...
Thanks Benjamin Bach for the report and initial patch.
This is a security fix; disclosure to follow shortly.
Backport of 8b93b31487d6d3b0fcbbd0498991ea0db9088054 from master
2014-04-21 18:31:44 -04:00
Tim Graham
83420e70ef
[1.4.x] Fixed random aggregation_regress test_more_more_more() failure
...
The cause was assuming that an unordered queryset returns the values
always in the same order.
Backport of 33dd8f544205be923e2a06106909ebcd3583526b
2014-04-19 13:01:52 -04:00
Alasdair Nicol
23126866ec
[1.4.x] Fixed #21538 -- Added numpy to test/requirements/base.txt
...
Thanks Tim Graham for the report
Backport of c75dd664c from master
2013-12-02 13:45:56 -05:00
Loic Bistuer
7984b58e78
Fixed SyntaxError on Python 2.5 caused by a @unittest.skipIf class decoration.
2013-11-01 03:35:29 +07:00
Loic Bistuer
3203f684e8
Fixed failing test introduced by 87d2750b39.
...
The {% ssi %} tag in Django 1.4 doesn't support spaces in its argument.
Skip the test if run from a location that contains a space.
2013-09-11 18:05:39 +07:00
Tim Graham
87d2750b39
[1.4.x] Prevented arbitrary file inclusion with {% ssi %} tag and relative paths.
...
Thanks Rainer Koirikivi for the report and draft patch.
This is a security fix; disclosure to follow shortly.
Backport of 7fe5b656c9 from master
2013-09-10 21:05:47 -04:00
Shai Berger
d9dc98159d
[1.4.x] Fixed #20904: Test failure on Oracle
...
Just skip the failing test, the failure isn't really relevant; also,
both the test and the reason for its failure were removed in 1.5.
Thanks Tim Graham for advice on 1.5.
2013-08-17 23:12:01 +03:00
Luke Plant
d5da495a2e
[1.4.x] Fixed #20906 -- Fixed a dependence on set-ordering in tests
...
Backport of 1ae64e96c1 from master
2013-08-16 17:55:08 -04:00
Anssi Kääriäinen
bf611f14ec
[1.4.x] Fixed #20905 -- Fixed an Oracle-specific test case failure
...
Made a test checking ORM-generated query string case-insensitive.
Backport of ee0a7c741e from master
2013-08-16 12:23:05 -04:00
Florian Apolloner
08e5fcb3e6
Fixed regression in validation tests since example.com is available via https now.
2013-08-13 22:34:52 +02:00
Tim Graham
e8971345b4
[1.4.x] Fixed #19196 -- Added test/requirements
...
Backport of 4d92a0bd86 from master
2013-07-10 12:12:15 -04:00
Anssi Kääriäinen
3872bc51c9
[1.4.x] Made a couple of selenium tests wait for page loaded
...
The admin_widgets tests were issuing click() to the browser but
didn't wait for the effects of those clicks. This caused the resulting
request to be processed concurrently with the test case. When using
in-memory SQLite this caused weird failures.
Also added wait_page_loaded() to admin selenium tests for code
reuse.
Fixed #19856, cherry-pick of 50677b29af39ca670274fb45087415c883c78b04
2013-02-21 00:03:39 +02:00
Aymeric Augustin
0cc350a896
[1.4.x] Added a default limit to the maximum number of forms in a formset.
...
This is a security fix. Disclosure and advisory coming shortly.
2013-02-19 10:37:54 -07:00
Carl Meyer
0e7861aec7
[1.4.x] Checked object permissions on admin history view.
...
This is a security fix. Disclosure and advisory coming shortly.
Patch by Russell Keith-Magee.
2013-02-19 10:37:54 -07:00
Carl Meyer
1c60d07ba2
[1.4.x] Restrict the XML deserializer to prevent network and entity-expansion DoS attacks.
...
This is a security fix. Disclosure and advisory coming shortly.
2013-02-19 10:37:54 -07:00
Carl Meyer
9936fdb11d
[1.4.x] Added ALLOWED_HOSTS setting for HTTP host header validation.
...
This is a security fix; disclosure and advisory coming shortly.
2013-02-19 10:37:54 -07:00
Anssi Kääriäinen
dec7dd99f0
[1.4.x] Removed try-except in django.db.close_connection()
...
The reason was that the except clause needed to remove a connection
from the django.db.connections dict, but other parts of Django do not
expect this to happen. In addition the except clause was silently
swallowing the exception messages.
Refs #19707, special thanks to Carl Meyer for pointing out that this
approach should be taken.
2013-02-13 00:39:43 +02:00
Anssi Kääriäinen
9918b3f502
[1.4.x] Fixed #19707 -- Reset transaction state after requests
...
Backpatch of a4e97cf315142e61bb4bc3ed8259b95d8586d09c.
2013-02-10 17:34:38 +02:00
Anssi Kääriäinen
498a5de07b
[1.4.x] Fixed #19645 -- Added tests for TransactionMiddleware
...
Backpatch of f556df90be995a83b979cf875705d98521ab4dc7. Backpatching
these tests so that it will be easier to backpatch the fix for #19707.
2013-02-10 17:34:27 +02:00
Florian Apolloner
f2530dcb17
[1.4.X] Fixed a test failure in the comment tests.
...
Backport of 1eb0da1c5ba3096f218d1df13d02a2b8e1ac7a36 from master.
2012-12-10 23:37:12 +01:00
Florian Apolloner
319627c184
[1.4.X] Fixed a security issue in get_host.
...
Full disclosure and new release forthcoming.
2012-12-10 22:14:16 +01:00
Florian Apolloner
b2ae0a63ae
[1.4.X] Fixed #18856 -- Ensured that redirects can't be poisoned by malicious users.
2012-12-10 22:14:16 +01:00
Julien Phalip
8c9a8fd5c4
[1.4.x] Fixed the admin_filters tests for Postgres.
...
Backport of c196e01100b2
2012-12-04 10:41:22 -08:00
Sebastián Magrí
c72172244e
[1.4.x] Fixed #19318 -- Ensured that the admin's SimpleListFilter options can be displayed as selected even if the lookup's first element is not a string.
...
Backport of 88e17156393b
2012-12-03 20:58:54 -08:00
Anssi Kääriäinen
3e4058be9f
[1.4.x] Fixed ordering-related failure in m2m_through_regress tests
...
Backpatch of dc569c880143db07e01b3293d698ad8fe4a0136f
2012-11-24 16:10:16 +02:00
Aymeric Augustin
046300c43b
[1.4.x] Restored Python 2.5 compatibility in m2m_through_regress tests.
...
Refs #18823.
2012-11-24 09:49:30 +01:00
Anssi Kääriäinen
c7dcb1d808
[1.4.x] Fixed SQLite's collapsing of same-valued instances in bulk_create
...
SQLite used INSERT INTO tbl SELECT %s UNION SELECT %s, the problem
was that there should have been UNION ALL instead of UNION.
Refs #19351
Backpatch of a27582484cf814554907d2d1ad077852de36963f
2012-11-24 01:28:25 +02:00
Anssi Kääriäinen
37c87b785d
[1.4.x] Fixed #18823 -- Ensured m2m.clear() works when using through+to_field
...
There was a potential data-loss issue involved -- when clearing
instance's m2m assignments it was possible some other instance's
m2m data was deleted instead.
This commit also improved None handling for to_field cases.
Backpatch of 611c4d6f1c24763e5e6e331a5dcf9b610288aaa8
2012-10-28 17:38:26 +02:00
Preston Holmes
773a29295a
Added missed poisoned host header test changes
2012-10-18 11:18:25 -07:00
Julien Phalip
cc0478606a
[1.4.x] Fixed #18881 -- Made the context option in {% trans %} and {% blocktrans %} accept literals wrapped in single quotes. Thanks to lanyjie for the report.
2012-10-13 10:51:53 -07:00
Tim Graham
3ac70a5907
[1.4.X] Fixed #16817 - Added a guide of code coverage to contributing docs.
...
Thanks Pedro Lima for the draft patch.
Backport of 06f5da3d78 from master
2012-10-11 06:14:24 -04:00
Julien Phalip
336dfc3413
[1.4.X] Fixed #18530 -- Fixed a small regression in the admin filters where wrongly formatted dates passed as url parameters caused an unhandled ValidationError. Thanks to david for the report.
2012-09-15 16:33:56 -07:00
Anssi Kääriäinen
2326860851
[1.4.x] Fixed #17788 -- Added batch_size argument to qs.bulk_create()
...
The qs.bulk_create() method did not work with large batches together
with SQLite3. This commit adds a way to split the bulk into smaller
batches. The default batch size is unlimited except for SQLite3 where
the batch size is limited to 999 SQL parameters per batch.
Thanks to everybody who participated in the discussions at Trac.
Backpatch of 29132ebdef0e0b9c09e456b05f0e6a22f1106a4f from master (with
documentation changes removed).
2012-09-02 19:17:15 +03:00
Claude Paroz
92f7af3c36
[1.4.x] Fixed #18212 -- Standardized arguments of GenericIPAddressField
...
Unlike other model fields, the newly introduced (1.4)
GenericIPAddressField did not accept verbose_name and name as the
first positional arguments. This commit fixes it.
Thanks Dan McGee for the report and the patch.
Backport of 306d34873cff2 from master.
2012-09-01 18:39:51 +02:00
Florian Apolloner
e34685034b
[1.4.x] Fixed a security issue in http redirects. Disclosure and new release forthcoming.
...
Backport of 4129201c3e0fa057c198bdefcb34686a23b4a93c from master.
2012-07-30 22:03:33 +02:00
Florian Apolloner
1c13cc023f
[1.4.x] readd imports deleted in 4d2fdd
2012-06-04 13:24:05 +02:00
Julien Phalip
4d2fdd4185
[1.4.X] Fixed #18379 -- Made the sensitive_variables decorator work with object methods.
2012-06-03 23:59:01 -07:00
Michael Newman
0f69a16785
[1.4.x] Fixed #18135 -- Close connection used for db version checking
...
On MySQL when checking the server version, a new connection could be
created but never closed. This could result in open connections on
server startup.
Backport of 4423757c0c50afbe2470434778c8d5e5b4a70925.
2012-05-27 21:51:03 +03:00
Aymeric Augustin
a3c8201b77
[1.4.x] Fixed #17976 -- Made forms.BooleanField pickleable.
...
Backport of 9350d1d59c1a4e6a9ac246a808f55da35de0df69 from master.
This was a regression in Django 1.4.
Thanks bronger for the report and claudep for the patch.
2012-05-08 23:20:05 +02:00
Claude Paroz
3f77b84489
[1.4.X] Fixed #18027 -- Removed an HTMLParser test that doesn't raise any more in recent Python versions. Thanks Arfever and Anssi Kaariainen for the report and the patch.
...
Backport of r17900 from trunk.
git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.4.X@17901 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-04-11 21:27:18 +00:00
Aymeric Augustin
01dfe35b38
[1.4.X] Fixed #18090 -- Applied filters when running prefetch_related backwards through a one-to-one relation. Backport of r17888 from trunk.
...
git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.4.X@17889 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-04-10 06:06:14 +00:00
Julien Phalip
a6ba67ffd1
[1.4.X] Fixed #18086 -- Restored '-pk' as the default order in the admin changelist. This rectifies a slight change in behavior introduced in Django 1.4 and r17635.
...
Backport of r17881 from trunk.
git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.4.X@17882 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-04-09 04:32:42 +00:00
Julien Phalip
aafa73db54
[1.4.X] Fixed #17972 -- Ensured that admin filters on a foreign key respect the to_field attribute. This fixes a regression introduced in [14674] and Django 1.3. Thanks to graveyboat and Karen Tracey for the report.
...
Backport of r17854 from trunk.
git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.4.X@17858 bcc190cf-cafb-0310-a4f2-bffc1f526a37
2012-03-31 18:46:18 +00:00