django.git/django/forms, branch stable/5.2.x django http://cgit.adnoto.dev/django.git/atom?h=stable%2F5.2.x 2026-03-03T12:16:53Z [5.2.x] Fixed CVE-2026-25673 -- Simplified URLField scheme detection. 2026-03-03T12:16:53Z Natalia 124304+nessita@users.noreply.github.com 2026-01-30T01:52:41Z urn:sha1:4d3c184686626d224d9a87451410ecf802b41f7c This simplicaftion mitigates a potential DoS in URLField on Windows. The usage of `urlsplit()` in `URLField.to_python()` was replaced with `str.partition(":")` for URL scheme detection. On Windows, `urlsplit()` performs Unicode normalization which is slow for certain characters, making `URLField` vulnerable to DoS via specially crafted POST payloads. Thanks Seokchan Yoon for the report, and Jake Howard and Shai Berger for the review. Refs #36923. Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com> Backport of 951ffb3832cd83ba672c1e3deae2bda128eb9cca from main. [5.2.x] Applied Black's 2025 stable style. 2025-03-01T18:47:17Z Mariusz Felisiak felisiak.mariusz@gmail.com 2025-03-01T18:41:37Z urn:sha1:53bb1d5a240a39d35abc11c6477ac5465c5fac2c https://github.com/psf/black/releases/tag/25.1.0 Backport of ff3aaf036f0cb66cd8f404cd51c603e68aaa7676 from main Fixed #35521 -- Allowed overriding BoundField class on fields, forms and renderers. 2025-01-15T20:04:26Z Matthias Kestenholz mk@feinheit.ch 2025-01-15T20:04:26Z urn:sha1:6a7ee02f5994c65bbefe92a3da74f22326970cf9 Thank you Sarah Boyce, Carlton Gibson, Tim Schilling and Adam Johnson for reviews. Co-authored-by: Christophe Henry <contact@c-henry.fr> Co-authored-by: David Smith <smithdc@gmail.com> Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Co-authored-by: Matthias Kestenholz <mk@feinheit.ch> Fixed CVE-2024-56374 -- Mitigated potential DoS in IPv6 validation. 2025-01-14T11:42:24Z Michael Manfre mike@manfre.net 2024-12-12T02:39:32Z urn:sha1:ca2be7724e1244a4cb723de40a070f873c6e94bf Thanks Saravana Kumar for the report, and Sarah Boyce and Mariusz Felisiak for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Fixed #32819 -- Added aria-describedby to fields with errors. 2025-01-02T15:40:39Z David Smith smithdc@gmail.com 2023-11-19T19:26:12Z urn:sha1:987854ba44b497b195536199f8f6d1dc440a43ca Fixed #35886 -- Added support for object-based form media script assets. 2025-01-02T12:08:13Z Johannes Maron johannes@maron.family 2024-11-07T09:21:25Z urn:sha1:989329344aabe8ef7a5e55bebfde53f0e00f42e2 Refs #32819 -- Added aria-describedby property to BoundField. 2024-12-17T11:04:44Z David Smith smithdc@gmail.com 2024-12-13T08:20:27Z urn:sha1:1e05431881d64e5e009cd9a709225744c05a48f1 Fixed #35987 -- Made ErrorList.copy() copy the renderer attribute. 2024-12-10T11:14:52Z Adam Johnson me@adamj.eu 2024-12-09T15:40:47Z urn:sha1:4806c42efac790dd65bc890b85904df7bdeb1309 Fixed #35988 -- Made BaseForm.full_clean() pass renderer to ErrorDict. 2024-12-10T11:13:43Z Adam Johnson me@adamj.eu 2024-12-09T11:17:25Z urn:sha1:02628c051c18d000256424daffe996c22bed5ae3 Refs #32819 -- Added id to ErrorList class and template. 2024-12-05T09:24:39Z David Smith smithdc@gmail.com 2023-11-18T20:36:45Z urn:sha1:edd74c3417fa3a0b29295012ff31dbe44843303c