django http://cgit.adnoto.dev/django.git/atom?h=main 2026-03-03T12:09:32Z 2026-03-03T12:09:32Z Natalia 124304+nessita@users.noreply.github.com 2026-01-21T21:03:20Z urn:sha1:019e44f67a8dace67b786e2818938c8691132988 This fix introduces `safe_makedirs()` in the `os` utils as a safer alternative to `os.makedirs()` that avoids umask-related race conditions in multi-threaded environments. This is a workaround for https://github.com/python/cpython/issues/86533 and the solution is based on the fix being proposed for CPython. Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com> Co-authored-by: Zackery Spytz <zspytz@gmail.com> Refs CVE-2020-24583 and #31921. Thanks Tarek Nakkouch for the report, and Jake Howard, Jacob Walls, and Shai Berger for reviews. 2026-03-03T12:08:46Z Natalia 124304+nessita@users.noreply.github.com 2026-01-30T01:52:41Z urn:sha1:951ffb3832cd83ba672c1e3deae2bda128eb9cca This simplicaftion mitigates a potential DoS in URLField on Windows. The usage of `urlsplit()` in `URLField.to_python()` was replaced with `str.partition(":")` for URL scheme detection. On Windows, `urlsplit()` performs Unicode normalization which is slow for certain characters, making `URLField` vulnerable to DoS via specially crafted POST payloads. Thanks Seokchan Yoon for the report, and Jake Howard and Shai Berger for the review. Refs #36923. Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com> 2026-02-24T16:47:37Z Natalia 124304+nessita@users.noreply.github.com 2026-02-20T17:49:16Z urn:sha1:acd0bec51366e259b4c2b43e4c09755541cdf560 2026-02-10T21:51:55Z 93578237 43147888+93578237@users.noreply.github.com 2026-02-09T21:06:50Z urn:sha1:56ed37e17e5b1a509aa68a0c797dcff34fcc1366 Provide a wrapper for safe introspection of user functions on Python 3.14+. Follow-up to 601914722956cc41f1f2c53972d669ddee6ffc04. 2026-02-10T21:51:55Z Jacob Walls jacobtylerwalls@gmail.com 2026-02-09T21:05:55Z urn:sha1:2c2d36376a0ce0edc048c077a60be6e3b953bb09