Adam Johnson
23f0093125
[4.0.x] Fixed CVE-2022-41323 -- Prevented locales being interpreted as regular expressions.
Thanks to Benjamin Balder Bach for the report.
2022-09-27 10:26:46 +02:00
Carlton Gibson
b7d9529cbe
[4.0.x] Fixed CVE-2022-36359 -- Escaped filename in Content-Disposition header.
Thanks to Motoyasu Saburi for the report.
2022-08-03 08:48:00 +02:00
Mariusz Felisiak
080359c4c5
[4.0.x] Fixed warnings per flake8 5.0.0.
Backport of c18861804feb6a97afbeabb51be748dd60a04458 from main.
2022-08-03 08:09:59 +02:00
Mariusz Felisiak
48501c84ad
[4.0.x] Fixed RelatedGeoModelTest.test08_defer_only() on MySQL 8+ with MyISAM storage engine.
Backport of 73766c118781a7f7052bf0a5fbee38b944964e31 from main
2022-07-05 19:06:39 +02:00
Mariusz Felisiak
0dc9c016fa
[4.0.x] Fixed CVE-2022-34265 -- Protected Trunc(kind)/Extract(lookup_name) against SQL injection.
Thanks Takuto Yoshikai (Aeye Security Lab) for the report.
2022-07-04 08:26:57 +02:00
Mariusz Felisiak
2b901c1be4
[4.0.x] Fixed GEOSTest.test_emptyCollections() on GEOS 3.8.0.
It's a regression in GEOS 3.8.0 fixed in GEOS 3.8.1.
Backport of 863aa7541d30247e7eb7a973ff68a7d36f16dc02 from main
2022-07-01 19:06:44 +02:00
Mariusz Felisiak
1c28443fc9
[4.0.x] Fixed CoveringIndexTests.test_covering_partial_index() when DEFAULT_INDEX_TABLESPACE is set.
Backport of aa8b9279e40da343f5b91e5aec07f868184056f4 from main
2022-06-21 11:43:53 +02:00
Sankalp
fe2e147846
[4.0.x] Fixed #33725 -- Made hidden quick filter in admin's navigation sidebar not focusable.
Regression in d915dd1c5809d7c2bb3679751cd5277571dcd9f7.
Follow up to 780473d75625d014cbe9b0acdea40b7a5970d5d8.
Backport of 90dcf271147693a8897f644c4c8943c5b73c02f8 from main.
2022-05-21 14:38:53 +02:00
David Wobrock
4a86883e0a
[4.0.x] Fixed #33705 -- Fixed crash when using IsNull() lookup in filters.
Thanks Florian Apolloner for the report.
Thanks Simon Charette for the review.
Backport of 9f5548952906c6ea97200c016734b4f519520a64 from main
2022-05-19 07:53:06 +02:00
Mariusz Felisiak
5c6ebe19cc
[4.0.x] Fixed #33681 -- Made Redis client pass CACHES["OPTIONS"] to a connection pool.
Thanks Ben Picolo for the report.
Backport of d27e6b233f83c3429f21ff3c250a28ff302637ef from main
2022-05-16 06:18:49 +02:00
Tim Graham
fe2140c1c2
[4.0.x] Removed 'tests' path prefix in a couple tests.
Backport of 694cf458f16b8d340a3195244196980b2dec34fd from main
2022-05-02 07:32:00 +02:00
Jacob Walls
3f5d43ce54
[4.0.x] Refs #31026 -- Changed @jinja2_tests imports to be relative.
Backport of 03a648811615cb623affc2d79dccd4b05919319e from main
2022-05-02 06:11:32 +02:00
Mariusz Felisiak
00b0fc50e1
[4.0.x] Fixed CVE-2022-28347 -- Protected QuerySet.explain(**options) against SQL injection on PostgreSQL.
Backport of 6723a26e59b0b5429a0c5873941e01a2e1bdbb81 from main.
2022-04-11 09:02:58 +02:00
Mariusz Felisiak
800828887a
[4.0.x] Fixed CVE-2022-28346 -- Protected QuerySet.annotate(), aggregate(), and extra() against SQL injection in column aliases.
Thanks Splunk team: Preston Elder, Jacob Davis, Jacob Moore,
Matt Hanson, David Briggs, and a security researcher: Danylo Dmytriiev
(DDV_UA) for the report.
Backport of 93cae5cb2f9a4ef1514cf1a41f714fef08005200 from main.
2022-04-11 09:02:14 +02:00
Manel Clos
78e553b48a
[4.0.x] Fixed #33628 -- Ignored directories with empty names in autoreloader check for template changes.
Regression in 68357b2ca9e88c40fc00d848799813241be39129.
Backport of 62739b6e2630e37faa68a86a59fad135cc788cd7 from main.
2022-04-11 08:29:10 +02:00
Mariusz Felisiak
7d540d67a8
[4.0.x] Fixed #33598 -- Reverted "Removed unnecessary reuse_with_filtered_relation argument from Query methods."
Thanks lind-marcus for the report.
This reverts commit 0c71e0f9cfa714a22297ad31dd5613ee548db379.
Regression in 0c71e0f9cfa714a22297ad31dd5613ee548db379.
Backport of fac662f4798f7e4e0ed9be6b4fb4a87a80810a68 from main
2022-03-30 07:32:38 +02:00
Mariusz Felisiak
efb26f1b8d
[4.0.x] Reverted "Fixed forms_tests.tests.test_renderers with Jinja 3.1.0+."
This reverts commit 1d9d082acf6e152c06833bb9698f88d688b95e40.
Backport of abfdb4d7f384fb06ed9b7ca37b548542df7b5dda from main
2022-03-26 12:28:33 +01:00
Mariusz Felisiak
6a80fd1465
[4.0.x] Fixed forms_tests.tests.test_renderers with Jinja 3.1.0+.
See https://github.com/pallets/jinja/pull/1621.
Backport of 1d9d082acf6e152c06833bb9698f88d688b95e40 from main
2022-03-25 08:49:57 +01:00
Mariusz Felisiak
82f25266bf
[4.0.x] Fixed #33547 -- Fixed error when rendering invalid inlines with readonly fields in admin.
Regression in de95c826673be9ea519acc86fd898631d1a11356.
Thanks David Glenck for the report.
Backport of 445b075def2c037b971518963b70ce13df5e88a2 from main
2022-03-01 08:10:35 +01:00
Mariusz Felisiak
760b7e7f4f
[4.0.x] Fixed #33515 -- Prevented recreation of migration for ManyToManyField to lowercased swappable setting.
Thanks Chris Lee for the report.
Regression in 43289707809c814a70f0db38ca4f82f35f43dbfd.
Refs #23916.
Backport of 1e2e1be02bdf0fe4add0d0279dbca1d74ae28ad7 from main
2022-02-16 21:10:30 +01:00
Mariusz Felisiak
3278c31fa5
[4.0.x] Refs #33476 -- Refactored code to strictly match 88 characters line length.
Backport of 7119f40c9881666b6f9b5cf7df09ee1d21cc8344 from main.
2022-02-08 19:25:02 +01:00
django-bot
6a682b38e7
[4.0.x] Refs #33476 -- Reformatted code with Black.
Backport of 9c19aff7c7561e3a82978a272ecdaad40dda5c00 from main.
2022-02-08 12:15:38 +01:00
Mariusz Felisiak
e73ce08888
[4.0.x] Refs #33476 -- Changed quotation marks in DebugViewTests.test_template_exceptions().
This prevents a failure after reformatting the code with Black.
Backport of f68fa8b45dfac545cfc4111d4e52804c86db68d3 from main
2022-02-08 12:02:37 +01:00
Mariusz Felisiak
d55a1e5809
[4.0.x] Refs #33476 -- Refactored problematic code before reformatting by Black.
In these cases Black produces unexpected results, e.g.

    def make_random_password(
        self,
        length=10,
        allowed_chars='abcdefghjkmnpqrstuvwxyz' 'ABCDEFGHJKLMNPQRSTUVWXYZ' '23456789',
    ):

or

    cursor.execute("""
    SELECT ...
    """,
        [table name],
    )

Backport of c5cd8783825b5f6384417dac5f3889b4210b7d08 from main.
2022-02-03 11:38:46 +01:00
Mariusz Felisiak
f9c7d48fdd
[4.0.x] Fixed CVE-2022-23833 -- Fixed DoS possibility in file uploads.
Thanks Alan Ryan for the report and initial patch.
Backport of fc18f36c4ab94399366ca2f2007b3692559a6f23 from main.
2022-02-01 07:44:49 +01:00
Markus Holtermann
0142204606
[4.0.x] Fixed CVE-2022-22818 -- Fixed possible XSS via {% debug %} template tag.
Thanks Keryn Knight for the report.
Backport of 394517f07886495efcf79f95c7ee402a9437bd68 from main.
Co-authored-by: Adam Johnson <me@adamj.eu>
2022-02-01 07:43:45 +01:00
Kirill Safronov
6928227dff
[4.0.x] Fixed #33480 -- Fixed makemigrations crash when renaming field of renamed model.
Regression in aa4acc164d1247c0de515c959f7b09648b57dc42.
Backport of 97a72744681d0993b50dee952cf32cdf9650ad9f from main
2022-02-01 07:33:22 +01:00
Mariusz Felisiak
aff79be03a
[4.0.x] Fixed #33468 -- Fixed QuerySet.aggregate() after annotate() crash on aggregates with default.
Thanks Adam Johnson for the report.
Backport of 71e7c8e73712419626f1c2b6ec036e8559a2d667 from main
2022-01-31 11:34:29 +01:00
Mariusz Felisiak
7c2d4d943b
[4.0.x] Fixed #33462 -- Fixed migration crash when altering type of primary key with MTI and foreign key.
This prevents duplicated operations when altering type of primary key
with MTI and foreign key. Previously, a foreign key to the base model
was added twice, once directly and once by the inheritance model.
Thanks bcail for the report.
Regression in 325d7710ce9f6155bb55610ad6b4580d31263557.
Backport of e972620ada4f9ed7bc57f28e133e85c85b0a7b20 from main
2022-01-27 18:52:35 +01:00
Fabian Büchler
b32080219e
[4.0.x] Fixed #33449 -- Fixed makemigrations crash on models without Meta.order_with_respect_to but with _order field.
Regression in aa4acc164d1247c0de515c959f7b09648b57dc42.
Backport of eeff1787b0aa23016e4844c0f537d5093a95a356 from main
2022-01-21 08:46:14 +01:00
Keryn Knight
c8a6bf951b
[4.0.x] Fixed #33426 -- Fixed ResolverMatch.__repr__() for class-based views.
Regression in 7c08f26bf0439c1ed593b51b51ad847f7e262bc1.
Backport of f4b06a3cc1e54888ff86f36a1f9a3ddf21292314 from main
2022-01-10 18:39:59 +01:00
Keryn Knight
2ea0321058
[4.0.x] Fixed #33425 -- Fixed view name for CBVs on technical 404 debug page.
Regression in 0c0b87725bbcffca3bc3a7a2c649995695a5ae3b.
Backport of 2a66c102d9c674fadab252a28d8def32a8b626ec from main
2022-01-08 14:54:10 +01:00
David
c959aa99aa
[4.0.x] Fixed #33419 -- Restored marking forms.Field.help_text as HTML safe.
Regression in 456466d932830b096d39806e291fe23ec5ed38d5.
Thanks Matt Westcott for the report.
Backport of 4c60c3edff4312303e1021fca47ed52c2152d285 from main
2022-01-07 16:12:15 +01:00
Petter Friberg
11475958f6
[4.0.x] Fixed #33410 -- Fixed recursive capturing of callbacks by TestCase.captureOnCommitCallbacks().
Regression in d89f976bddb49fb168334960acc8979c3de991fa.
Backport of bc174e6ea0ce676c5a7f467bda9739e6ef6b6186 from main
2022-01-07 16:12:01 +01:00
Florian Apolloner
e1592e0f26
[4.0.x] Fixed CVE-2021-45452 -- Fixed potential path traversal in storage subsystem.
Thanks to Dennis Brinkrolf for the report.
2022-01-04 10:10:14 +01:00
Florian Apolloner
2a8ec7f546
[4.0.x] Fixed CVE-2021-45116 -- Fixed potential information disclosure in dictsort template filter.
Thanks to Dennis Brinkrolf for the report.
Co-authored-by: Adam Johnson <me@adamj.eu>
2022-01-04 10:10:14 +01:00
Florian Apolloner
df79ef03ac
[4.0.x] Fixed CVE-2021-45115 -- Prevented DoS vector in UserAttributeSimilarityValidator.
Thanks Chris Bailey for the report.
Co-authored-by: Adam Johnson <me@adamj.eu>
2022-01-04 10:10:14 +01:00
Mariusz Felisiak
b5f60ef5a7
[4.0.x] Refs #32355 -- Bumped required psycopg2 version to 2.8.4.
psycopg2 2.8.4 is the first release to support Python 3.8.
Backport of ca04659b4b3f042c1bc7e557c25ed91e3c56c745 from main
2021-12-22 20:33:49 +01:00
Simon Charette
7e6a2e3b45
[4.0.x] Fixed #33366 -- Fixed case handling with swappable setting detection in migrations autodetector.
The migration framework uniquely identifies models by case insensitive
labels composed of their app label and model names and so does the app
registry in most of its methods (e.g. AppConfig.get_model) but it
wasn't the case for get_swappable_settings_name() until this change.
This likely slipped under the radar for so long and only regressed in
b9df2b74b98b4d63933e8061d3cfc1f6f39eb747 because prior to the changes
related to the usage of model states instead of rendered models in the
auto-detector the exact settings value was never going through a
case folding hoop.
Thanks Andrew Chen Wang for the report and Keryn Knight for the
investigation.
Backport of 43289707809c814a70f0db38ca4f82f35f43dbfd from main
2021-12-17 10:00:33 +01:00
Mariusz Felisiak
c1d2e8b9b8
[4.0.x] Fixed #33350 -- Reallowed using cache decorators with duck-typed HttpRequest.
Regression in 3fd82a62415e748002435e7bad06b5017507777c.
Thanks Terence Honles for the report.
Backport of 40165eecc40f9e223702a41a0cb0958515bb1f82 from main
2021-12-16 20:14:17 +01:00
Jeremy Lainé
3b03bce122
[4.0.x] Fixed #33361 -- Fixed Redis cache backend crash on booleans.
Backport of 2f33217ea2cad688040dd6044cdda946c62e5b65 from main
2021-12-14 08:46:16 +01:00
Baptiste Mispelon
15031852c5
[4.0.x] Fixed #33346 -- Fixed SimpleTestCase.assertFormsetError() crash on a formset named "form".
Thanks OutOfFocus4 for the report.
Regression in 456466d932830b096d39806e291fe23ec5ed38d5.
Backport of cb383753c0e0eb52306e1024d32a782549c27e61 from main.
2021-12-08 21:13:00 +01:00
Mariusz Felisiak
01c0fb9d19
[4.0.x] Updated asgiref dependency for 4.0 release series.
Backport of 513441240f874dd0b6187c0c6aaa3e8eccd8ddbe from main
2021-12-07 09:55:18 +01:00
Florian Apolloner
20b9ad36ff
[4.0.x] Fixed #30530, CVE-2021-44420 -- Fixed potential bypass of an upstream access control based on URL paths.
Thanks Sjoerd Job Postmus and TengMA(@te3t123) for reports.
Backport of d4dcd5b9dd9e462fec8220e33e3e6c822b7e88a6 from main.
2021-12-07 06:29:34 +01:00
Mariusz Felisiak
4c5215ab03
[4.0.x] Updated translations from Transifex.
This also fixes related i18n tests.
Co-authored-by: Claude Paroz <claude@2xlibre.net>
2021-12-06 20:29:53 +01:00
Hannes Ljungberg
fed7f992ac
[4.0.x] Fixed #33335 -- Made model validation ignore functional unique constraints.
Regression in 3aa545281e0c0f9fac93753e3769df9e0334dbaa.
Thanks Hervé Le Roy for the report.
Backport of 1eaf38fa87384fe26d1abf6e389d6df1600d4d8c from main
2021-12-06 13:28:54 +01:00
Mariusz Felisiak
7bde53a7ae
[4.0.x] Refs #33333 -- Fixed PickleabilityTestCase.test_annotation_with_callable_default() crash on Oracle.
Grouping by LOBs is not allowed on Oracle. This moves a binary field to
a separate model.
Backport of d3a64bea51676fcf8a0ae593cf7b103939e12c87 from main
2021-12-04 15:55:31 +01:00
Mariusz Felisiak
2c20883cb0
[4.0.x] Fixed #33333 -- Fixed setUpTestData() crash with models.BinaryField on PostgreSQL.
This makes models.BinaryField pickleable on PostgreSQL.
Regression in 3cf80d3fcf7446afdde16a2be515c423f720e54d.
Thanks Adam Zimmerman for the report.
Backport of 2c7846d992ca512d36a73f518205015c88ed088c from main.
2021-12-03 11:58:55 +01:00
Can Sarigol
d54aa49a7d
[4.0.x] Fixed #33279 -- Fixed handling time zones with "-" sign in names.
Thanks yakimka for the report.
Regression in fde9b7d35e4e185903cc14aa587ca870037941b1.
Backport of 661316b066923493ff91d6d2aa92e463f595a6b1 from main.
2021-11-12 11:14:08 +01:00
Mariusz Felisiak
45de30dc69
[4.0.x] Refs #33263 -- Added warning to BaseDeleteView when delete() method is overridden.
Follow up to 3a45fea0832c5910acee6e0d29f230f347a50462.
Backport of 6bc437c0d82675ebe6aa92c8e249892205c316ef from main
2021-11-09 09:04:12 +01:00