django http://cgit.adnoto.dev/django.git/atom?h=6.0.4 2026-04-07T11:25:55Z 2026-04-07T11:25:55Z Jacob Walls jacobtylerwalls@gmail.com 2026-04-07T11:25:55Z urn:sha1:141e791f48592011b0f38fb30d44291e3ce74ee0 2026-04-07T11:22:54Z Natalia 124304+nessita@users.noreply.github.com 2026-03-11T13:26:18Z urn:sha1:393dbc53e848876fdba92fbf02e10ee6a6eace6b The `body` property in `HttpRequest` checks DATA_UPLOAD_MAX_MEMORY_SIZE against the declared `Content-Length` header before reading. On the ASGI path, chunked requests carry no `Content-Length`, so the check evaluated to 0 and always passed regardless of the actual body size. This work adds a new check on the actual number of bytes consumed. Thanks to Superior for the report, and to Jake Howard and Jacob Walls for reviews. Backport of 953c238058c0ce387a1a41cb491bfc1875d73ad0 from main. 2026-04-07T11:22:16Z Natalia 124304+nessita@users.noreply.github.com 2026-03-05T17:41:44Z urn:sha1:0910af60468216c856dfbcac1177372c225deb76 When a multipart file part used `Content-Transfer-Encoding: base64` and the non-whitespace base64 bytes did not align to a multiple of 4 within a chunk, the parser entered a loop calling `field_stream.read(1-3)` once per whitespace byte. Each such call fetched the entire internal buffer, sliced off 1-3 bytes, and pushed the remainder back via unget(), doing an O(n) memory copy per call. A 2.5 MB payload of mostly whitespace produced CPU amplification relative to a normal upload of the same size. The alignment loop now reads `self._chunk_size` bytes at a time, and accumulates stripped parts in a list joined once at the end. Thanks to Seokchan Yoon for the report and the fixing patch. Backport of 7e9885f99cee771b51692fadc5592bdbf19641aa from main. 2026-04-07T11:21:29Z Jacob Walls jacobtylerwalls@gmail.com 2026-03-16T22:05:22Z urn:sha1:428c48f358c5a0ed5ca2834fb721d615eb2b0e11 Thanks Natalia Bidart, Jake Howard, and Markus Holtermann for reviews. Backport of 6afe7ce93964f56e33a29d477c269436f9b60cbf from main. 2026-04-07T11:20:52Z Jacob Walls jacobtylerwalls@gmail.com 2026-03-12T15:00:05Z urn:sha1:08a752c1cd8f378b4c64d96c319da23726df6ed3 Edit permissions were still checked as part of ordinary form validation, but because GenericInlineModelAdmin overrides get_formset(), it lacked InlineModelAdmin's dynamic DeleteProtectedModelForm.has_changed() logic for checking permissions server-side, leaving the add case unaddressed. This change reimplements the relevant part of InlineModelAdmin.get_formset(). Thanks N05ec@LZU-DSLab for the report, and Natalia Bidart, Markus Holtermann, and Simon Charette for reviews. Backport of ef8b25dcc06d158683a5623ce406d561638f4073 from main. 2026-04-07T11:20:07Z Jacob Walls jacobtylerwalls@gmail.com 2026-01-22T22:01:46Z urn:sha1:a623c3982857e80324448f85c7faf9a6710330ef Thanks Tarek Nakkouch for the report and Jake Howard and Natalia Bidart for reviews. Backport of caf90a971f09323775ed0cacf94eadaf39d040e0 from main. 2026-04-03T19:29:55Z Tim Graham timograham@gmail.com 2026-04-03T13:13:11Z urn:sha1:ffc83c554a7bc99e138445fa2c4beaf0ca17c71c Backport of 123fa3a3f38abdb73055acc9a2cbbe3537f9323a from main. 2026-04-02T19:54:46Z Clifford Gama cliffygamy@gmail.com 2026-03-10T15:47:18Z urn:sha1:4eb38f6994f233feeac5852cbee2ae6663a9b1ef Clashes were only detected for self-referential relationships, i.e. ForeignKey("self"). Refs #22977. Bug in 6888375c53476011754f778deabc6cdbfa327011. Thanks JaeHyuckSa for the thorough review! Backport of fcf916884d25ed430bd7cedaea2b10035c2aa3b6 from main. 2026-04-02T15:26:32Z Jacob Walls jacobtylerwalls@gmail.com 2026-04-02T13:24:04Z urn:sha1:640c431a47c4075538e1de0211501f911346b65e Backport of 04bcc9913319e50b376a27c29cf9aa4e7b8247bf from main. 2026-04-02T15:10:12Z David Smith smithdc@gmail.com 2026-03-30T22:16:32Z urn:sha1:ea8e293fda0dd1e78f5489efa73e5d19e195b4f0 Regression in 4187da258fe212d494cb578a0bc2b52c4979ab95. Backport of 253f552c5809fa096116b601bd842ca4f3504860 from main.