1
0
mirror of https://github.com/django/django.git synced 2024-12-23 01:25:58 +00:00
Commit Graph

13 Commits

Author SHA1 Message Date
Simon Charette
c87bfaacf8 Fixed CVE-2024-42005 -- Mitigated QuerySet.values() SQL injection attacks against JSON fields.
Thanks Eyal (eyalgabay) for the report.
2024-08-06 08:50:08 +02:00
Mariusz Felisiak
5f1757142f Fixed CVE-2024-41991 -- Prevented potential ReDoS in django.utils.html.urlize() and AdminURLFieldWidget.
Thanks Seokchan Yoon for the report.

Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
2024-08-06 08:50:08 +02:00
Sarah Boyce
ecf1f8fb90 Fixed CVE-2024-41990 -- Mitigated potential DoS in urlize and urlizetrunc template filters.
Thanks to MProgrammer for the report.
2024-08-06 08:50:08 +02:00
Sarah Boyce
c19465ad87 Fixed CVE-2024-41989 -- Prevented excessive memory consumption in floatformat.
Thanks Elias Myllymäki for the report.

Co-authored-by: Shai Berger <shai@platonix.com>
2024-08-06 08:50:08 +02:00
Sarah Boyce
8deb6bb1fc
Fixed #35657 -- Made FileField handle db_default values. 2024-08-05 16:36:49 -03:00
David Sanders
509763c799 Fixed #35638 -- Updated validate_constraints to consider db_default. 2024-08-05 17:33:12 +02:00
John Parton
7f8d839722 Fixed #35628 -- Allowed compatible GeneratedFields for ModelAdmin.date_hierarchy. 2024-08-05 15:27:20 +02:00
Sarah Boyce
3f88089069 Added stub release notes and release date for 5.0.8 and 4.2.15. 2024-07-31 11:21:32 +02:00
Lorenzo Peña
0e94f292cd Fixed #35627 -- Raised a LookupError rather than an unhandled ValueError in get_supported_language_variant().
LocaleMiddleware didn't handle the ValueError raised by
get_supported_language_variant() when language codes were
over 500 characters.

Regression in 9e9792228a.
2024-07-25 09:38:46 +02:00
Simon Charette
f359990e49 Fixed #35625 -- Fixed a crash when adding a field with db_default and check constraint.
This is the exact same issue as refs #30408 but for creating a model with a
constraint containing % escapes instead of column addition. All of these issues
stem from a lack of SQL and parameters separation from the BaseConstraint DDL
generating methods preventing them from being mixed with other parts of the
schema alteration logic that do make use of parametrization on some backends
(e.g. Postgres, MySQL for DEFAULT).

Prior to the addition of Field.db_default and GeneratedField in 5.0
parametrization of DDL was never exercised on model creation so this is
effectively a bug with db_default as the GeneratedField case was addressed by
refs #35336.

Thanks Julien Chaumont for the report and Mariusz Felisiak for the review.
2024-07-25 07:48:53 +02:00
Hisham Mahmood
182f262b15 Fixed #35606, Refs #34045 -- Fixed rendering of ModelAdmin.action_checkbox for models with a __html__ method.
Thank you Claude Paroz for the report.

Regression in 85366fbca7.
2024-07-18 08:09:37 +02:00
Simon Charette
adc0b6aac3 Fixed #35594 -- Added unique nulls distinct validation for expressions.
Thanks Mark Gensler for the report.
2024-07-17 12:52:17 +02:00
Natalia
9c356144d7 Added stub release notes for 5.0.8. 2024-07-09 11:41:28 -03:00