mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-07-10 12:49:13 +00:00
Code Issues 32 Releases Wiki Activity
27,051 Commits 29 Branches 451 Tags
Commit Graph

27051 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Mariusz Felisiak
e541f2d05b [2.2.x] Bumped version for 2.2.27 release. 2.2.27 2022-02-01 08:07:46 +01:00
Mariusz Felisiak
c477b76180 [2.2.x] Fixed CVE-2022-23833 -- Fixed DoS possiblity in file uploads. 
Thanks Alan Ryan for the report and initial patch.

Backport of fc18f36c4ab94399366ca2f2007b3692559a6f23 from main.
 2022-02-01 07:57:28 +01:00
Markus Holtermann
c27a7eb9f4 [2.2.x] Fixed CVE-2022-22818 -- Fixed possible XSS via {% debug %} template tag. 
Thanks Keryn Knight for the report.

Backport of 394517f07886495efcf79f95c7ee402a9437bd68 from main.

Co-authored-by: Adam Johnson <me@adamj.eu>
 2022-02-01 07:56:29 +01:00
Mariusz Felisiak
4cafd3aacb [2.2.x] Added stub release notes 2.2.27. 
Backport of eeca9342381c8583be16f18942774e785ab7e527 from main.
 2022-01-25 07:29:28 +01:00
Carlton Gibson
77d0fe5868 [2.2.x] Added CVE-2021-45115, CVE-2021-45116, and CVE-2021-45452 to security archive. 
Backport of 63869ab1f191ab5781cde8b813b838300455f6d6 from main
 2022-01-04 11:39:54 +01:00
Carlton Gibson
e085d46e4b [2.2.x] Post-release version bump. 2022-01-04 10:36:12 +01:00
Carlton Gibson
44e7cca623 2.2.x] Bumped version for 2.2.26 release. 2.2.26 2022-01-04 10:30:01 +01:00
Florian Apolloner
4cb35b384c [2.2.x] Fixed CVE-2021-45452 -- Fixed potential path traversal in storage subsystem. 
Thanks to Dennis Brinkrolf for the report.
 2022-01-04 10:20:31 +01:00
Florian Apolloner
c9f648ccfa [2.2.x] Fixed CVE-2021-45116 -- Fixed potential information disclosure in dictsort template filter. 
Thanks to Dennis Brinkrolf for the report.

Co-authored-by: Adam Johnson <me@adamj.eu>
 2022-01-04 10:20:31 +01:00
Florian Apolloner
2135637fdd [2.2.x] Fixed CVE-2021-45115 -- Prevented DoS vector in UserAttributeSimilarityValidator. 
Thanks Chris Bailey for the report.

Co-authored-by: Adam Johnson <me@adamj.eu>
 2022-01-04 10:20:31 +01:00
Carlton Gibson
03b733d8a8 [2.2.x] Added stub release notes for 2.2.26 release. 2021-12-28 10:10:15 +01:00
Mariusz Felisiak
b87820668e [2.2.x] Refs #33365, Refs #30530 -- Doc'd re_path() behavior change in Django 2.2.25, 3.1.14, and 3.2.10. 
Follow up to d4dcd5b9dd9e462fec8220e33e3e6c822b7e88a6.
Backport of 5de12a369a7b2231e668e0460c551c504718dbf6 from main
 2021-12-15 18:56:38 +01:00
Mariusz Felisiak
573e70ea48 [2.2.x] Added CVE-2021-44420 to security archive. 
Backport of 8747052411275d290b2152ffcb8dee11afbb82cd from main
 2021-12-07 08:56:25 +01:00
Mariusz Felisiak
8439938602 [2.2.x] Post-release version bump. 2021-12-07 07:05:38 +01:00
Mariusz Felisiak
79d8dcefb2 [2.2.x] Bumped version for 2.2.25 release. 2.2.25 2021-12-07 07:03:33 +01:00
Florian Apolloner
7cf7d74e8a [2.2.x] Fixed #30530, CVE-2021-44420 -- Fixed potential bypass of an upstream access control based on URL paths. 
Thanks Sjoerd Job Postmus and TengMA(@te3t123) for reports.

Backport of d4dcd5b9dd9e462fec8220e33e3e6c822b7e88a6 from main.
 2021-12-07 07:02:14 +01:00
Mariusz Felisiak
0007a5f9fa [2.2.x] Added requirements.txt to files ignored by Sphinx builds. 
Backport of 0cf2d48ba83543b16bdf390d941eb98e8d34f3bd from stable/3.2.x.
 2021-11-30 12:12:07 +01:00
Mariusz Felisiak
fac0fdd95d [2.2.x] Added stub release notes for 2.2.25. 
Backport of ae4077e13ea2e4c460c3f21b9aab93a696590851 from main.
 2021-11-30 11:31:56 +01:00
Mariusz Felisiak
4bc10b7955 [2.2.x] Fixed crash building HTML docs since Sphinx 4.3. 
See dd2ff3e911.
Backport of f0480ddd2d3cb04b784cf7ea697f792b45c689cc from main
 2021-11-18 13:33:29 +01:00
Adam Johnson
5289fcfffe [2.2.x] Configured Read The Docs to build all formats. 
`all` acts as an alias for all formats ([docs](https://docs.readthedocs.io/en/stable/config-file/v2.html#formats)). Whilst there are only three formats right now, this would auto expand to other formats in the future, which seems desirable?
Backport of 1fe23bdd29a8f2f6802c2038702ff7a5d0e21a0d from main
 2021-11-18 12:25:47 +01:00
Carlton Gibson
9a4a2b2089 [2.2.x] Refs #33247 -- Corrected configuration for Read The Docs. 
This pins Sphinx version, because the default Sphinx version used by
RTD is not compatible with Python 3.8+.

This also, sets Python 3.8 for RTD builds which is compatible with all
current versions of Django.

Thanks to Mariusz Felisiak for the suggestion.

Backport of 447b6c866f0741bb68c92dc925a65fb15bfe7995 from main.
 2021-11-03 19:05:19 +01:00
Carlton Gibson
029c830b71 [2.2.x] Fixed #33247 -- Added configuration for Read The Docs. 
Co-authored-by: Andrew Neitsch <andrew@neitsch.ca>

Backport of 0da7a2e9dab81b622a2000536c6a96de7f46e237 from main
 2021-11-03 19:04:59 +01:00
Mariusz Felisiak
12141e3116
[2.2.x] Refs #32856 -- Clarified that psycopg2 < 2.9 is required. 
Follow up to 837ffcfa681d0f65f444d881ee3d69aec23770be.
 2021-11-03 08:42:27 +01:00
Mariusz Felisiak
cf63dd5c1b [2.2.x] Added 'formatter' to spelling wordlist. 
Backport of e43a131887e2a316d4fb829c3a272ef0cbbeea80 from main
 2021-10-12 15:18:17 +02:00
Mariusz Felisiak
05bc1c81aa [2.2.x] Fixed #33082 -- Fixed CommandTests.test_subparser_invalid_option on Python 3.9.7+. 
Thanks Michał Górny for the report.

Backport of 50ed545e2fa02c51e0d1559b83624f256e4b499b from main.
 2021-09-02 11:06:10 +02:00
Mariusz Felisiak
a9c0aa11e7 [2.2.x] Refs #31676 -- Updated technical board description in organization docs. 
According to DEP 0010.

Backport of f2ed2211c26ba375390cb76725c95ae970a0fd1d from main.
 2021-07-30 11:53:15 +02:00
Mariusz Felisiak
66008c2af0 [2.2.x] Refs #31676 -- Added Mergers and Releasers to organization docs. 
According to DEP 0010.

Backport of 228ec8e015bac9751c8aef3107358fbb2cb3301b from main
 2021-07-30 11:52:46 +02:00
Mariusz Felisiak
d4d1c2b3db [2.2.x] Refs #31676 -- Removed Core team from organization docs. 
According to DEP 0010.

Backport of caa2dd08c4722c8702588f5dfe1fa4c506aa66fc from main
 2021-07-30 11:52:43 +02:00
Mariusz Felisiak
8f59f72a20 [2.2.x] Refs #31676 -- Removed Django Core-Mentorship mailing list references in docs. 
Backport of 37e8367c359cd115f109d82f99ff32be219f4928 from main.
 2021-07-13 20:26:17 +02:00
Mariusz Felisiak
837ffcfa68
[2.2.x] Refs #32856 -- Doc'd that psycopg2 < 2.9 is required. 2021-06-21 13:06:31 +02:00
Mariusz Felisiak
dc43667eab [2.2.x] Fixed docs header underlines in security archive. 
Backport of d9cee3f5f2f90938d2c2c0230be40c7d50aef53d from main
 2021-06-02 12:29:11 +02:00
Carlton Gibson
3e7bb564be [2.2.x] Added CVE-2021-33203 and CVE-2021-33571 to security archive. 
Backport of a39f235ca4cb7370dba3a3dedeaab0106d27792f from main
 2021-06-02 11:19:59 +02:00
Carlton Gibson
48bde7cab4 [2.2.x] Post-release version bump. 2021-06-02 10:36:52 +02:00
Carlton Gibson
2da029d854 [2.2.x] Bumped version for 2.2.24 release. 2.2.24 2021-06-02 10:28:20 +02:00
Mariusz Felisiak
f27c38ab5d [2.2.x] Fixed CVE-2021-33571 -- Prevented leading zeros in IPv4 addresses. 
validate_ipv4_address() was affected only on Python < 3.9.5, see [1].
URLValidator() uses a regular expressions and it was affected on all
Python versions.

[1] https://bugs.python.org/issue36384
 2021-06-02 10:26:22 +02:00
Florian Apolloner
053cc9534d [2.2.x] Fixed CVE-2021-33203 -- Fixed potential path-traversal via admindocs' TemplateDetailView. 2021-06-02 10:26:22 +02:00
Carlton Gibson
6229d8794f [2.2.x] Confirmed release date for Django 2.2.24. 
Backport of f66ae7a2d5558fe88ddfe639a610573872be6628 from main.
 2021-06-02 10:23:20 +02:00
Carlton Gibson
f163ad5c63 [2.2.x] Added stub release notes and date for Django 2.2.24. 
Backport of b46dbd4e3e255223078ae0028934ea986e19ebc1 from main
 2021-05-26 10:21:53 +02:00
Mariusz Felisiak
bed1755bc5 [2.2.x] Changed IRC references to Libera.Chat. 
Backport of 66491f08fe86629fa25977bb3dddda06959f65e7 from main.
 2021-05-20 12:42:48 +02:00
Mariusz Felisiak
63f0d7a0f6 [2.2.x] Refs #32718 -- Fixed file_storage.test_generate_filename and model_fields.test_filefield tests on Python 3.5. 2021-05-14 06:59:11 +02:00
Mariusz Felisiak
5fe4970bd0 [2.2.x] Post-release version bump. 2021-05-13 09:22:34 +02:00
Mariusz Felisiak
61f814f9fa [2.2.x] Bumped version for 2.2.23 release. 2.2.23 2021-05-13 09:19:56 +02:00
Mariusz Felisiak
b8ecb06436 [2.2.x] Fixed #32718 -- Relaxed file name validation in FileField. 
- Validate filename returned by FileField.upload_to() not a filename
  passed to the FileField.generate_filename() (upload_to() may
  completely ignored passed filename).
- Allow relative paths (without dot segments) in the generated filename.

Thanks to Jakub Kleň for the report and review.
Thanks to all folks for checking this patch on existing projects.
Thanks Florian Apolloner and Markus Holtermann for the discussion and
implementation idea.

Regression in 0b79eb36915d178aef5c6a7bbce71b1e76d376d3.

Backport of b55699968fc9ee985384c64e37f6cc74a0a23683 from main.
 2021-05-13 09:00:25 +02:00
Mariusz Felisiak
3ba089ac7e [2.2.x] Refs #32718 -- Corrected CVE-2021-31542 release notes. 
Backport of d1f1417caed648db2f81a1ec28c47bf958c01958 from main.
 2021-05-12 10:44:25 +02:00
Mariusz Felisiak
88d9b28c0c [2.2.x] Added CVE-2021-32052 to security archive. 
Backport of efebcc429f048493d6bc710399e65d98081eafd5 from main
 2021-05-06 10:05:46 +02:00
Mariusz Felisiak
7ada1f90c6 [2.2.x] Post-release version bump. 2021-05-06 09:10:34 +02:00
Mariusz Felisiak
df9fd4661e [2.2.x] Bumped version for 2.2.22 release. 2.2.22 2021-05-06 09:08:28 +02:00
Mariusz Felisiak
d9594c4ea5 [2.2.x] Fixed #32713, Fixed CVE-2021-32052 -- Prevented newlines and tabs from being accepted in URLValidator on Python 3.9.5+. 
In Python 3.9.5+ urllib.parse() automatically removes ASCII newlines
and tabs from URLs [1, 2]. Unfortunately it created an issue in
the URLValidator. URLValidator uses urllib.urlsplit() and
urllib.urlunsplit() for creating a URL variant with Punycode which no
longer contains newlines and tabs in Python 3.9.5+. As a consequence,
the regular expression matched the URL (without unsafe characters) and
the source value (with unsafe characters) was considered valid.

[1] https://bugs.python.org/issue43882 and
[2] 76cd81d603

Backport of e1e81aa1c4427411e3c68facdd761229ffea6f6f from main.
 2021-05-06 08:53:27 +02:00
Carlton Gibson
163700388c [2.2.x] Refs CVE-2021-31542 -- Skipped mock AWS storage test on Windows. 
The validate_file_name() sanitation introduced in
0b79eb36915d178aef5c6a7bbce71b1e76d376d3 correctly rejects the example
file name as containing path elements on Windows. This breaks the test
introduced in 914c72be2abb1c6dd860cb9279beaa66409ae1b2 to allow path
components for storages that may allow them.

Test is skipped pending a discussed storage refactoring to support this
use-case.

Backport of a708f39ce67af174df90c5b5e50ad1976cec7cb8 from main
 2021-05-06 07:44:15 +02:00
Carlton Gibson
bcafd9ba84 [2.2.x] Added CVE-2021-31542 to security archive. 
Backport of 607ebbfba915de2d84eb943aa93654f31817a709 and
62b2e8b37e37a313c63be40e3223ca4e830ebde3 from main
 2021-05-04 11:14:17 +02:00