django http://cgit.adnoto.dev/django.git/atom?h=4.2.30 2026-04-07T11:46:16Z 2026-04-07T11:46:16Z Jacob Walls jacobtylerwalls@gmail.com 2026-04-07T11:46:16Z urn:sha1:3396992e837d5146270ea8112bb622c83fa4a919 2026-04-07T11:43:51Z Natalia 124304+nessita@users.noreply.github.com 2026-03-11T13:26:18Z urn:sha1:ed4dfda62718a0bb644b80ac8b1d3099861f2295 The `body` property in `HttpRequest` checks DATA_UPLOAD_MAX_MEMORY_SIZE against the declared `Content-Length` header before reading. On the ASGI path, chunked requests carry no `Content-Length`, so the check evaluated to 0 and always passed regardless of the actual body size. This work adds a new check on the actual number of bytes consumed. Thanks to Superior for the report, and to Jake Howard and Jacob Walls for reviews. Backport of 953c238058c0ce387a1a41cb491bfc1875d73ad0 from main. 2026-04-07T11:42:38Z Natalia 124304+nessita@users.noreply.github.com 2026-03-05T17:41:44Z urn:sha1:f13c20f81b56108ac477213fa5ada2524b5e5c98 When a multipart file part used `Content-Transfer-Encoding: base64` and the non-whitespace base64 bytes did not align to a multiple of 4 within a chunk, the parser entered a loop calling `field_stream.read(1-3)` once per whitespace byte. Each such call fetched the entire internal buffer, sliced off 1-3 bytes, and pushed the remainder back via unget(), doing an O(n) memory copy per call. A 2.5 MB payload of mostly whitespace produced CPU amplification relative to a normal upload of the same size. The alignment loop now reads `self._chunk_size` bytes at a time, and accumulates stripped parts in a list joined once at the end. Thanks to Seokchan Yoon for the report and the fixing patch. Backport of 7e9885f99cee771b51692fadc5592bdbf19641aa from main. 2026-04-07T11:42:18Z Jacob Walls jacobtylerwalls@gmail.com 2026-03-16T22:05:22Z urn:sha1:abfe1a1c57a57cfaf6dd4a0571c029401a0fe743 Thanks Natalia Bidart, Jake Howard, and Markus Holtermann for reviews. Backport of 6afe7ce93964f56e33a29d477c269436f9b60cbf from main. 2026-04-07T11:41:45Z Jacob Walls jacobtylerwalls@gmail.com 2026-03-12T15:00:05Z urn:sha1:051f3909e820360bbe84a21350e82f4961e3d917 Edit permissions were still checked as part of ordinary form validation, but because GenericInlineModelAdmin overrides get_formset(), it lacked InlineModelAdmin's dynamic DeleteProtectedModelForm.has_changed() logic for checking permissions server-side, leaving the add case unaddressed. This change reimplements the relevant part of InlineModelAdmin.get_formset(). Thanks N05ec@LZU-DSLab for the report, and Natalia Bidart, Markus Holtermann, and Simon Charette for reviews. Backport of ef8b25dcc06d158683a5623ce406d561638f4073 from main. 2026-04-07T11:41:16Z Jacob Walls jacobtylerwalls@gmail.com 2026-01-22T22:01:46Z urn:sha1:4412731aa64d62a6dd7edae79e0c15b72666d7ca Thanks Tarek Nakkouch for the report and Jake Howard and Natalia Bidart for reviews. Backport of caf90a971f09323775ed0cacf94eadaf39d040e0 from main. 2026-03-31T16:32:54Z Jacob Walls jacobtylerwalls@gmail.com 2026-03-27T20:13:25Z urn:sha1:8d2a05c35dafc71d21fc68a6eb81aa6cdd190270 Backport of dff1980d61b1129c82757f70117dcea68e69a8c8 from main. 2026-03-17T01:16:24Z Natalia 124304+nessita@users.noreply.github.com 2026-03-09T13:50:44Z urn:sha1:b1d9ea4ff3c8e8597a5ff6c686a681bbaf7240be This reuses the same download for both artifacts and checks both GPG signature and minimal correctness in the same script. Docs and script do_django_release.py were updated. Backport of 3abf89887993140d28676f26420ee0d46a617f51 from main. 2026-03-03T14:07:21Z Natalia 124304+nessita@users.noreply.github.com 2026-03-03T14:03:22Z urn:sha1:385678e529a6740a339d54a7a21ec623c826c22c Backport of 62ab467686845e2a12a2580997a81d4bf61edfc6 from main. 2026-03-03T12:25:57Z Natalia 124304+nessita@users.noreply.github.com 2026-03-03T12:25:57Z urn:sha1:69de8468834358cb92ce2971c356a64dab8709b8