django.git, branch 5.2.12 django http://cgit.adnoto.dev/django.git/atom?h=5.2.12 2026-03-03T12:18:46Z [5.2.x] Bumped version for 5.2.12 release. 2026-03-03T12:18:46Z Natalia 124304+nessita@users.noreply.github.com 2026-03-03T12:18:46Z urn:sha1:4f382ca672f86dd4a1e4d071c91d0caad0e124b3 [5.2.x] Fixed CVE-2026-25674 -- Prevented potentially incorrect permissions on file system object creation. 2026-03-03T12:17:39Z Natalia 124304+nessita@users.noreply.github.com 2026-01-21T21:03:20Z urn:sha1:b07ed2a1e445efde54fc64cb8c37e0f4f7fe53e5 This fix introduces `safe_makedirs()` in the `os` utils as a safer alternative to `os.makedirs()` that avoids umask-related race conditions in multi-threaded environments. This is a workaround for https://github.com/python/cpython/issues/86533 and the solution is based on the fix being proposed for CPython. Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com> Co-authored-by: Zackery Spytz <zspytz@gmail.com> Refs CVE-2020-24583 and #31921. Thanks Tarek Nakkouch for the report, and Jake Howard, Jacob Walls, and Shai Berger for reviews. Backport of 019e44f67a8dace67b786e2818938c8691132988 from main. [5.2.x] Fixed CVE-2026-25673 -- Simplified URLField scheme detection. 2026-03-03T12:16:53Z Natalia 124304+nessita@users.noreply.github.com 2026-01-30T01:52:41Z urn:sha1:4d3c184686626d224d9a87451410ecf802b41f7c This simplicaftion mitigates a potential DoS in URLField on Windows. The usage of `urlsplit()` in `URLField.to_python()` was replaced with `str.partition(":")` for URL scheme detection. On Windows, `urlsplit()` performs Unicode normalization which is slow for certain characters, making `URLField` vulnerable to DoS via specially crafted POST payloads. Thanks Seokchan Yoon for the report, and Jake Howard and Shai Berger for the review. Refs #36923. Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com> Backport of 951ffb3832cd83ba672c1e3deae2bda128eb9cca from main. [5.2.x] Refs #36944 -- Added missing versionchanged annotation for MAX_LENGTH_HTML change. 2026-03-02T19:18:12Z Jacob Walls jacobtylerwalls@gmail.com 2026-02-25T16:30:49Z urn:sha1:94e7f17e0e507a14f30a30f4af2b0213fd9675fc [5.2.x] Pinned black == 25.12.0 for black docs checks and ensured they pass. 2026-03-02T18:53:11Z Natalia 124304+nessita@users.noreply.github.com 2026-03-02T18:34:52Z urn:sha1:951fe8b0257cd4163a4b9639a10e5fa9b8cbcb92 [5.2.x] Aligned docs checks between GitHub Actions and local development. 2026-03-02T18:10:49Z Natalia 124304+nessita@users.noreply.github.com 2026-02-27T14:19:20Z urn:sha1:1db60ed34f869c3f5aa3f7f861532813a46cc9d8 Backport of 3f21cb06e76044ad753055700395e54a1fc4f1e9 from main. [5.2.x] Fixed #36944 -- Removed MAX_LENGTH_HTML and related 5M chars limit references from HTML truncation docs. 2026-02-25T16:12:17Z Natalia 124304+nessita@users.noreply.github.com 2026-02-25T13:37:38Z urn:sha1:703777cbbc268f62083c703fa27fa582b54bcc93 Backport of bbc6818bc12f14c1764a7eb68556018195f56b59 from main. [5.2.x] Pinned black == 25.12.0 in GitHub actions, pre-commit and test requirements. 2026-02-24T19:41:06Z Natalia 124304+nessita@users.noreply.github.com 2026-02-24T19:21:05Z urn:sha1:a73eed2b5d6dbc78e95482dbd79809b4bd6dd1fd [5.2.x] Bumped minimum isort version to 7.0.0. 2026-02-24T19:08:08Z Jacob Walls jacobtylerwalls@gmail.com 2025-10-16T14:33:54Z urn:sha1:490e49556449edc6d566017342c62473ca2a309b Added ignores relating to https://github.com/PyCQA/isort/issues/2352. Backport of d980d68609448a4c85763fa34e471ff80540888b from main. [5.2.x] Added stub release notes and release date for 5.2.12 and 4.2.29. 2026-02-24T16:50:38Z Natalia 124304+nessita@users.noreply.github.com 2026-02-20T17:49:16Z urn:sha1:2bc009bfae88c062c2cf0f730a91e99ea66bf4ed Backport of acd0bec51366e259b4c2b43e4c09755541cdf560 from main.