django.git, branch 6.0.3 django http://cgit.adnoto.dev/django.git/atom?h=6.0.3 2026-03-03T12:13:06Z [6.0.x] Bumped version for 6.0.3 release. 2026-03-03T12:13:06Z Natalia 124304+nessita@users.noreply.github.com 2026-03-03T12:13:06Z urn:sha1:a0d3bdb5b0a22cdbb4d3f7e5eabd7fe0f7311f68 [6.0.x] Fixed CVE-2026-25674 -- Prevented potentially incorrect permissions on file system object creation. 2026-03-03T12:12:00Z Natalia 124304+nessita@users.noreply.github.com 2026-01-21T21:03:20Z urn:sha1:264d5c70ef3281a8869cb2ad45a3a52d5adbe790 This fix introduces `safe_makedirs()` in the `os` utils as a safer alternative to `os.makedirs()` that avoids umask-related race conditions in multi-threaded environments. This is a workaround for https://github.com/python/cpython/issues/86533 and the solution is based on the fix being proposed for CPython. Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com> Co-authored-by: Zackery Spytz <zspytz@gmail.com> Refs CVE-2020-24583 and #31921. Thanks Tarek Nakkouch for the report, and Jake Howard, Jacob Walls, and Shai Berger for reviews. Backport of 019e44f67a8dace67b786e2818938c8691132988 from main. [6.0.x] Fixed CVE-2026-25673 -- Simplified URLField scheme detection. 2026-03-03T12:10:53Z Natalia 124304+nessita@users.noreply.github.com 2026-01-30T01:52:41Z urn:sha1:b1444d9acf43db9de96e0da2b4737ad56af0eb76 This simplicaftion mitigates a potential DoS in URLField on Windows. The usage of `urlsplit()` in `URLField.to_python()` was replaced with `str.partition(":")` for URL scheme detection. On Windows, `urlsplit()` performs Unicode normalization which is slow for certain characters, making `URLField` vulnerable to DoS via specially crafted POST payloads. Thanks Seokchan Yoon for the report, and Jake Howard and Shai Berger for the review. Refs #36923. Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com> Backport of 951ffb3832cd83ba672c1e3deae2bda128eb9cca from main. [6.0.x] Fixed #36961 -- Fixed TypeError in deprecation warnings if Django is imported by namespace. 2026-03-02T19:08:42Z Jacob Walls jacobtylerwalls@gmail.com 2026-02-27T19:43:55Z urn:sha1:1b22d53bf67943cd193bbd6e327d955c19d2f5d2 Backport of c1d8646ec219b8b90ebdd463f40e5767876658a0 from main. [6.0.x] Ensured spelling checks pass OK. 2026-03-02T18:52:45Z Natalia 124304+nessita@users.noreply.github.com 2026-03-02T18:41:06Z urn:sha1:27ed90a8a829aa25f2ff3dc121f8429c2b06f662 Follow up to 659bacfe54c2a28eb2e0589c1c721f1a99720ad2. [6.0.x] Aligned docs checks between GitHub Actions and local development. 2026-03-02T18:07:30Z Natalia 124304+nessita@users.noreply.github.com 2026-02-27T14:19:20Z urn:sha1:659bacfe54c2a28eb2e0589c1c721f1a99720ad2 Backport of 3f21cb06e76044ad753055700395e54a1fc4f1e9 from main. [6.0.x] Adjusted default DoS severity level in Security Policy. 2026-02-26T15:21:01Z Natalia 124304+nessita@users.noreply.github.com 2026-02-26T13:20:21Z urn:sha1:e65c412241578ead6dc17e9dc7280630a180d1c0 Backport of 1f2a56567c565d91d797b8a9071ff77a75b52080 from main. [6.0.x] Fixed #36848 -- Mentioned BadRequest exception in docs/ref/views.txt. 2026-02-25T19:55:47Z LincolnPuzey 18750802+LincolnPuzey@users.noreply.github.com 2026-02-25T19:55:21Z urn:sha1:5b7025317fcf817f8d2e72d871dccd437eb4db72 Backport of 4aefc9ea51cc2d78f43b1dc2aa69732e55d18a56 from main. [6.0.x] Fixed #36951 -- Removed empty exc_info from log_task_finished signal handler. 2026-02-25T18:53:10Z Elias Hernandis elias@hernandis.me 2026-02-18T07:10:40Z urn:sha1:3a04b226edda13499ab61e24c1812114ad309231 Before, if no exception occurred, "None Type: None" was logged. Backport of 497d9cdc67f0bdae929fcde677b5f441e94a6c8b from main. [6.0.x] Fixed #36944 -- Removed MAX_LENGTH_HTML and related 5M chars limit references from HTML truncation docs. 2026-02-25T16:09:57Z Natalia 124304+nessita@users.noreply.github.com 2026-02-25T13:37:38Z urn:sha1:d112203b19946659335db6462043f8652e6700a1 Backport of bbc6818bc12f14c1764a7eb68556018195f56b59 from main.