| Age | Commit message (Collapse) | Author |
|
|
|
email sending fails.
On successful submission of a password reset request, an email is sent
to the accounts known to the system. If sending this email fails (due to
email backend misconfiguration, service provider outage, network issues,
etc.), an attacker might exploit this by detecting which password reset
requests succeed and which ones generate a 500 error response.
Thanks to Thibaut Spriet for the report, and to Mariusz Felisiak, Adam
Johnson, and Sarah Boyce for the reviews.
|
|
urlizetrunc template filters.
Thanks MProgrammer (https://hackerone.com/mprogrammer) for the report.
|
|
fieldsets.
Regression in 01ed59f753139afb514170ee7f7384c155ecbc2d.
Thank you to Fábio Domingues and Marijke Luttekes for the report,
and thank you to Natalia Bidart for the review.
Backport of fd1dd767783b5a7ec1a594fcc5885e7e4178dd26 from main.
|
|
DatabaseWrapper methods.
Following the addition of PostgreSQL connection pool support in
Refs #33497, the methods for configuring the database role and timezone
were moved to module-level functions. This change prevented subclasses
of DatabaseWrapper from overriding these methods as needed, for example,
when creating wrappers for other PostgreSQL-based backends.
Thank you Christian Hardenberg for the report and to
Florian Apolloner and Natalia Bidart for the review.
Regression in fad334e1a9b54ea1acb8cce02a25934c5acfe99f.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of 7380ac57340653854bc2cfe0ed80298cdac6061d from main.
|
|
Backport of 26a67943ac5c2f196621220b24f4314d84471d07 from main.
|
|
Backport of 920efe503f8a1b16a497a792075c987080f3280a from main.
|
|
adjusted test suite accordingly.
Over the years we've had multiple instances of hit and misses when
emitting warnings: either setting the wrong stacklevel or not setting
it at all.
This work adds assertions for the existing warnings that were declaring
the correct stacklevel, but were lacking tests for it.
Backport of 57307bbc7d88927989cf5b314f16d6e13ade04e6 from main.
|
|
FieldCacheMixin.get_cache_name().
Backport of 39abd56a7fb1e2f735040df0fdfc08f57d91a49b from main.
|
|
FileSystemStorage.OS_OPEN_FLAGS.
Backport of 47f18a722624527cc72eef44cfc9d1e07ea4b4e0 from main.
|
|
Model.save()/asave().
Backport of 52ed2b645e1dd8c9a874cfd21c4c9f2500032626 from main.
|
|
Backport of 07a4d23283586bc4578eb9c82a7ad14af3724057 from main.
|
|
Backport of fed11ba4617a5fa151bbabb91eb27ec01dd7c942 from main.
|
|
Co-authored-by: Simon Charette <charette.s@gmail.com>
Backport of 2b71b2c8dcd40f2604310bb3914077320035b399 from main.
|
|
release.
Backport of b941de340daed4ce88f04a8012b9dba00ccb1359 from main.
|
|
Backport of 67efd42517af0faf24872df4295b39e98ce826af from main.
|
|
Backport of c6d1f98d2685f34e009e0fffdcff4ad275e55879 from main.
|
|
Backport of 7adb6dd98d50a238f3eca8c15b16b5aec12575fd from main.
|
|
BaseUserCreationForm.
Refs #34429: Following the implementation allowing the setting of
unusable passwords via the admin site, the `BaseUserCreationForm` and
`UserCreationForm` were extended to include a new field for choosing
whether password-based authentication for the new user should be enabled
or disabled at creation time.
Given that these forms are designed to be extended when implementing
custom user models, this branch ensures that this new field is moved to
a new, admin-dedicated, user creation form `AdminUserCreationForm`.
Regression in e626716c28b6286f8cf0f8174077f3d2244f3eb3.
Thanks Simon Willison for the report, Fabian Braun and Sarah Boyce for
the review.
Backport of 0ebed5fa95f53b87383901bbd9341ef3c974344f from main.
|
|
custom User model.
This work also allows to subclass BaseUserCreationFormTest to reuse the
tests and assertions for testing forms that extend BaseUserCreationForm,
which is now used for UserCreationFormTest, increasing its coverage.
Backport of b60fd8722f305ec29c87f34d3fea262e56394ebd from main.
|
|
This also caused un-ordered sliced prefetches to crash as they rely on Window.
Regression in e16d0c176e9b89628cdec5e58c418378c4a2436a that made OrderByList
piggy-back ExpressionList without porting the empty handling that the latter
provided.
Supporting explicit empty ordering on Window functions and slicing is arguably
a foot-gun design due to how backends will return undeterministic results but
this is a problem that requires a larger discussion.
Refs #35064.
Thanks Andrew Backer for the report and Mariusz for the review.
Backport of 602fe961e6834d665f2359087a1272e9f9806b71 from main.
|
|
Backport of 5ae99226669bc516ecb0ed17066ec11a898fddab from main.
|
|
The system check "admin.E410" was already checking for this, but the
requirement was not listed in docs/ref/contrib/admin/index.txt.
Backport of f8ef4579ea710f93ec7edc93c6f3f216bd55d6be from main.
|
|
Backport of cec62fb99e8ff63f30c7871a048ab15081142668 from main.
|
|
co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
Backport of 49815f70e4508ae21135f725da177fc2935de32c from main.
|
|
PyPy.
Thanks Michał Górny for the report.
Backport of 7fb15ad5bcae05324ee8913e4b2c6c982e8f2de0 from main.
|
|
Backport of 790f0f8868b0cde9a9bec1f0621efa53b00c87df from main.
|
|
|
|
|
|
Backport of 8ad6dc636bd29825937e02b5b689fb278f456f63 from main.
|
|
translation.
|
|
|
|
CVE-2024-42005 to security archive.
Backport of fdc638bf4a35b5497d0b3b4faedaf552da792f99 from main.
|
|
attacks against JSON fields.
Thanks Eyal (eyalgabay) for the report.
|
|
django.utils.html.urlize() and AdminURLFieldWidget.
Thanks Seokchan Yoon for the report.
Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
|
|
urlizetrunc template filters.
Thanks to MProgrammer for the report.
|
|
floatformat.
Thanks Elias Myllymäki for the report.
Co-authored-by: Shai Berger <shai@platonix.com>
|
|
Backport of 8deb6bb1fc427762d56646bf7306cbd11fb5bb68 from main.
|
|
Backport of 509763c79952cde02d9f5b584af4278bdbed77b2 from main.
|
|
_get_field_value_map() and renamed to _get_field_expression_map().
Backport of 91a038754bb516d29cb79f0fed4025436b5c5346 from main.
|
|
Backport of 304d25667433a59409e334a93acaaa9201840508 from main.
|
|
ModelAdmin.date_hierarchy.
Backport of 7f8d839722b72aeb3ec5a4278ae57c18283acacd from main.
|
|
Backport of 90adba85b29230acfe354bffd82bc0d3a4d63c9d from main.
|
|
Backport of fb6050e7845fe1a5fa131708be65ad89a31a2633 from main.
|
|
to improve accessibility of headings.
Backport of 6e66c77089fa5498066d2aa593979e4f76f5bedc from main.
|
|
rows on Oracle 23c."
This reverts commit 175b04942afaff978013db61495f3b39ea12989b due to a crash when Oracle > 23.3.
Backport of 5424151f96252e1289e9a6f7eb842cd1dc87850a from main.
|
|
reference containing "__".
Regression in b0ad41198b3e333f57351e3fce5a1fb47f23f376.
Refs #34013. The initial logic did not consider that annotation aliases
can include lookup or transform separators.
Thanks Gert Van Gool for the report and Mariusz Felisiak for the review.
Backport of a16f13a8661297eda12c4177bb01fa2e5b5ccc56 from main.
|
|
Backport of 3f880890699d4412cf23b59dba425111f62afb3a from main.
|
|
Backport of b6ad8b687adf011245270df17a38c1a42792e3d7 from main.
|
|
filter tests.
Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com>
Backport of 1b277b45cc4059760072095f3bd6e8a4e4c4d406 from main.
|