django http://cgit.adnoto.dev/django.git/atom?h=main 2025-06-04T11:33:30Z 2025-06-04T11:33:30Z Natalia 124304+nessita@users.noreply.github.com 2025-05-20T18:29:52Z urn:sha1:a07ebec5591e233d8bbb38b7d63f35c5479eef0e Suitably crafted requests containing a CRLF sequence in the request path may have allowed log injection, potentially corrupting log files, obscuring other attacks, misleading log post-processing tools, or forging log entries. To mitigate this, all positional formatting arguments passed to the logger are now escaped using "unicode_escape" encoding. Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report. Co-authored-by: Carlton Gibson <carlton@noumenal.es> Co-authored-by: Jake Howard <git@theorangeone.net> 2025-06-04T08:46:49Z Simon Charette charette.s@gmail.com 2025-06-04T02:34:39Z urn:sha1:08187c94ed02c45ad40a32244dedeaa7ac71ca87 Regression in 626d77e52a3f247358514bcf51c761283968099c. Refs #36116. Thanks Cornelis Poppema for the excellent report. 2025-06-03T19:10:41Z Jake Howard git@theorangeone.net 2025-05-27T16:00:29Z urn:sha1:c075508b4de8edf9db553b409f8a8ed2f26ecead HttpRequest.get_preferred_type() did not account for parameters in Accept header media types (e.g., "text/vcard; version=3.0"). This caused incorrect content negotiation when multiple types differed only by parameters, reducing specificity as per RFC 7231 section 5.3.2 (https://datatracker.ietf.org/doc/html/rfc7231.html#section-5.3.2). This fix updates get_preferred_type() to treat media types with parameters as distinct, allowing more precise and standards-compliant matching. Thanks to magicfelix for the report, and to David Sanders and Sarah Boyce for the reviews. 2025-06-03T15:45:15Z Jacob Walls jacobtylerwalls@gmail.com 2025-05-24T18:03:07Z urn:sha1:26313bc21932d0d3af278ab387549d63b1f64575 2025-06-03T01:25:14Z Blayze blayze@carstickers.com 2025-05-28T18:22:29Z urn:sha1:90429625a85f1f77dfea200c91bd2dabab57974f In the admin's filter_horizontal widget, optional action buttons like "Choose all", "Remove all", etc. were changed from `<a>` to `<button>` elements in #34619, but without specifying `type="button"`. As a result, when pressing Enter while focused on a form input, these buttons could be triggered and intercept form submission. Explicitly set `type="button"` on these control buttons to prevent them from acting as submit buttons. Thanks Antoliny Lee for the quick triage and review. Regression in 857b1048d53ebf5fc5581c110e85c212b81ca83a. 2025-05-28T13:03:06Z Natalia 124304+nessita@users.noreply.github.com 2025-05-28T13:03:06Z urn:sha1:1a744343999c9646912cee76ba0a2fa6ef5e6240 2025-05-23T14:15:59Z Adam Johnson me@adamj.eu 2025-05-21T12:48:59Z urn:sha1:c2615a050036eda0bca090c707191076220cee9f co-authored-by: Simon Charette <charette.s@gmail.com> 2025-05-23T13:17:20Z Adam Johnson me@adamj.eu 2025-05-21T14:16:12Z urn:sha1:b8e5a8a9a2a767f584cbe89a878a42363706f939 Regression in a76035e925ff4e6d8676c65cb135c74b993b1039. Thank you to Simon Charette for the review. co-authored-by: Simon Charette <charette.s@gmail.com> 2025-05-23T08:22:36Z Sarah Boyce 42296566+sarahboyce@users.noreply.github.com 2025-05-20T15:12:25Z urn:sha1:1704c49a9b149b66b6a0e67abc8c95293bc35649 Regression in 50f89ae850f6b4e35819fe725a08c7e579bfd099. Thank you to shamoon for the report and Natalia Bidart for the review. 2025-05-19T08:34:14Z Colleen Dunlap colleendunlap@Colleens-Air.lan 2025-05-15T19:41:59Z urn:sha1:802baf5da5b8d8b44990a8214a43b951e7ab8b39 Regression in 9cb8baa0c4fa2c10789c5c8b65f4465932d4d172. Thank you to Antoine Humeau for the report and Simon Charette for the review.