summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2025-06-04[5.2.x] Bumped version for 5.2.2 release.5.2.2Natalia
2025-06-04[5.2.x] Fixed CVE-2025-48432 -- Escaped formatting arguments in ↵Natalia
`log_response()`. Suitably crafted requests containing a CRLF sequence in the request path may have allowed log injection, potentially corrupting log files, obscuring other attacks, misleading log post-processing tools, or forging log entries. To mitigate this, all positional formatting arguments passed to the logger are now escaped using "unicode_escape" encoding. Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report. Co-authored-by: Carlton Gibson <carlton@noumenal.es> Co-authored-by: Jake Howard <git@theorangeone.net> Backport of a07ebec5591e233d8bbb38b7d63f35c5479eef0e from main.
2025-06-04[5.2.x] Fixed #36432 -- Fixed a prefetch_related crash on related target ↵Simon Charette
subclass queryset. Regression in 626d77e52a3f247358514bcf51c761283968099c. Refs #36116. Thanks Cornelis Poppema for the excellent report. Backport of 08187c94ed02c45ad40a32244dedeaa7ac71ca87 from main.
2025-06-03[5.2.x] Fixed #36411 -- Made HttpRequest.get_preferred_type() consider media ↵Jake Howard
type parameters. HttpRequest.get_preferred_type() did not account for parameters in Accept header media types (e.g., "text/vcard; version=3.0"). This caused incorrect content negotiation when multiple types differed only by parameters, reducing specificity as per RFC 7231 section 5.3.2 (https://datatracker.ietf.org/doc/html/rfc7231.html#section-5.3.2). This fix updates get_preferred_type() to treat media types with parameters as distinct, allowing more precise and standards-compliant matching. Thanks to magicfelix for the report, and to David Sanders and Sarah Boyce for the reviews. Backport of c075508b4de8edf9db553b409f8a8ed2f26ecead from main.
2025-06-03[5.2.x] Fixed #36416 -- Made QuerySet.in_bulk() account for composite pks in ↵Jacob Walls
id_list. Backport of 26313bc21932d0d3af278ab387549d63b1f64575 from main.
2025-06-02[5.2.x] Fixed #36423 -- Prevented filter_horizontal buttons from ↵Blayze
intercepting form submission. In the admin's filter_horizontal widget, optional action buttons like "Choose all", "Remove all", etc. were changed from `<a>` to `<button>` elements in #34619, but without specifying `type="button"`. As a result, when pressing Enter while focused on a form input, these buttons could be triggered and intercept form submission. Explicitly set `type="button"` on these control buttons to prevent them from acting as submit buttons. Thanks Antoliny Lee for the quick triage and review. Regression in 857b1048d53ebf5fc5581c110e85c212b81ca83a. Backport of 90429625a85f1f77dfea200c91bd2dabab57974f from main.
2025-05-28[5.2.x] Added stub release notes and release date for 5.2.2, 5.1.10, and 4.2.22.Natalia
Backport of 1a744343999c9646912cee76ba0a2fa6ef5e6240 from main.
2025-05-26[5.2.x] Fixed #36402, Refs #35980 -- Updated built package name in reusable ↵Jason Judkins
apps tutorial for PEP 625. Backport of 1307b8a1cb05762147736d0f347792b33f645390 from main.
2025-05-23[5.2.x] Fixed #36405 -- Fixed OrderableAggMixin.order_by using OuterRef.Adam Johnson
co-authored-by: Simon Charette <charette.s@gmail.com> Backport of c2615a050036eda0bca090c707191076220cee9f from main.
2025-05-23[5.2.x] Fixed #36404 -- Fixed Aggregate.filter using OuterRef.Adam Johnson
Regression in a76035e925ff4e6d8676c65cb135c74b993b1039. Thank you to Simon Charette for the review. co-authored-by: Simon Charette <charette.s@gmail.com> Backport of b8e5a8a9a2a767f584cbe89a878a42363706f939 from main.
2025-05-23[5.2.x] Fixed typo in docs/ref/forms/renderers.txt.Adam Zapletal
Backport of d2732c30af28381f5a2ff1b08f754eeb7a6dfeca from main.
2025-05-23[5.2.x] Fixed #36390 -- Deprecated RemoteUserMiddleware subclasses missing ↵Sarah Boyce
aprocess_request(). Regression in 50f89ae850f6b4e35819fe725a08c7e579bfd099. Thank you to shamoon for the report and Natalia Bidart for the review. Backport of 1704c49a9b149b66b6a0e67abc8c95293bc35649 from main.
2025-05-22[5.2.x] Added helpers in csrf_tests and logging_tests to assert logs from ↵Natalia
`log_response()`. Backport of ad6f99889838ccc2c30b3c02ed3868c9b565e81b from main.
2025-05-22[5.2.x] Refs #26688 -- Added tests for `log_response()` internal helper.Natalia
Backport of 897046815944cc9a2da7ed9e8082f45ffe8110e3 from main.
2025-05-19[5.2.x] Fixed #36388 -- Made QuerySet.union() return self when called with ↵Colleen Dunlap
no arguments. Regression in 9cb8baa0c4fa2c10789c5c8b65f4465932d4d172. Thank you to Antoine Humeau for the report and Simon Charette for the review. Backport of 802baf5da5b8d8b44990a8214a43b951e7ab8b39 from main.
2025-05-16[5.2.x] Fixed #36392 -- Raised ValueError when subquery referencing ↵Jacob Walls
composite pk selects too many columns. Backport of 994dc6d8a1bae717baa236b65e11cf91ce181c53 from main.
2025-05-15[5.2.x] Added missing import in docs/ref/contrib/admin/index.txt.antoliny0919
Backport of a79c411147800a60169ea943545686cd9261cdc5 from main.
2025-05-15[5.2.x] Fixed incorrect spacing in docs/ref/contrib/postgres/fields.txt.Jacob Walls
Backport of e52100a2508ecbb105926128ce80f4ef04bb3c95 from main.
2025-05-13[5.2.x] Updated guidance to propose new feature ideas in contributing docs.Lily Foote
These changes include: * Clarification of the new feature proposal and evaluation process. * Reodering "points to consider" into reporting bugs section, since these are mostly trac-specific. * Narrowing the guide on user interface bugs and features to just bugs. * Updating documentation for Someday/Maybe triage stage. Co-authored-by: Tim Schilling <schilling711@gmail.com> Co-authored-by: Sarah Boyce <42296566+sarahboyce@users.noreply.github.com> Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 188799e67c2c497419f448359775930c866fe28d from main.
2025-05-12[5.2.x] Fixed #36373 -- Fixed select_related() crash on foreign object for a ↵Simon Charette
composite pk. Thanks Jacob Walls for the report and Sarah for the in-depth review. Backport of 8be0c0d6901669661fca578f474cd51cd284d35a from main.
2025-05-09[5.2.x] Refs #35980 -- Added release note about changes in release artifacts ↵Natalia
filenames. Backport of 42ab99309d347f617d60751c2e8d627fb2963049 from main.
2025-05-09[5.2.x] Removed "Expected" from release date for 5.2.1, 5.1.9, and 4.2.21.Natalia
Backport of c86156378db09e68db3a9ae1c108f661a67e3abe from main.
2025-05-07[5.2.x] Cleaned up CVE-2025-32873 security archive description.Natalia
Backport of 37f2a77c729ccb71059c8e66c49b07499d2edf60 from main.
2025-05-07[5.2.x] Added CVE-2025-32873 to security archive.Natalia
Backport of fdabda4e05587347aeb3382a442d7e77c1a0c3e5 from main.
2025-05-07[5.2.x] Added stub release notes for 5.2.2.Natalia
Backport of d8397bf6cd01460a8f8a1ec5fb39b23ac780da7a from main.
2025-05-06[5.2.x] Post-release version bump.Natalia
2025-05-06[5.2.x] Bumped version for 5.2.1 release.5.2.1Natalia
2025-05-06[5.2.x] Fixed CVE-2025-32873 -- Mitigated potential DoS in strip_tags().Sarah Boyce
Thanks to Elias Myllymäki for the report, and Shai Berger and Jake Howard for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 9f3419b519799d69f2aba70b9d25abe2e70d03e0 from main.
2025-05-06[5.2.x] Simplified artifact building steps in ↵Natalia
docs/internals/howto-release-django.txt. With the recent merge of artifact build updates from https://github.com/django/django/pull/19436, there is no need to have different build instructions for 4.2. Backport of f7d97dd11819be8996798a7197c5695a317334a0 from main.
2025-05-06[5.2.x] Refs #36052, #32234 -- Fixed inspectdb tests for CompositePrimaryKey ↵Mariusz Felisiak
on Oracle. Tests regression in 4c75858135589f3a00e32eb4d476074536371a32. Backport of dd133054cb98f77577c06d7ef1f2391a865784bc from main
2025-05-02[5.2.x] Fixed #17461 -- Doc'd the presumed order of foreign keys on the ↵Clifford Gama
intermediary model of a self-referential m2m. Thanks Giannis Terzopoulos and Sarah Boyce for the reviews. Backport of 9d93e35c207a001de1aa9ca9165bdec824da9021 from main.
2025-04-30[5.2.x] Made cosmetic edits and added upcoming security release to release ↵Natalia
notes. Backport of 0f5dd0dff3049189a3fe71a62670b746543335d5 from main.
2025-04-30[5.2.x] Fixed #36357 -- Skipped unique_together in inspectdb output for ↵Baptiste Mispelon
composite primary keys. Thanks to Baptiste Mispelon for the report and quick fix, and to Simon Charette and Jacob Walls for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 66f9eb0ff1e7147406318c5ba609729678e4e6f6 from main.
2025-04-30[5.2.x] Fixed #36358 -- Corrected introspection of composite primary keys on ↵Simon Charette
SQLite. Previously, any first field of a composite primary key with type `INTEGER` was incorrectly introspected as an `AutoField` due to SQLite treating `INTEGER PRIMARY KEY` as an alias for the `ROWID`. This change ensures that integer fields in composite PKs are not mistaken for auto-incrementing fields. Thanks Jacob Walls and Sarah Boyce for the reviews. Backport of 07100db6f46255ec6ef70b860495f977473684d6 from main.
2025-04-30[5.2.x] Refs #36052, #32234 -- Removed ↵Simon Charette
create_test_table_with_composite_primary_key flag in favor of using CompositePrimaryKey. Now that Django properly supports creating models with composite primary keys, the tests should use a `CompositePrimaryKey` field instead of a feature flag to inline backend specific SQL for creating a composite PK. Specifcially, the inspectdb's test_composite_primary_key was adjusted to use schema editor instead of per-backend raw SQL. Backport of 4c75858135589f3a00e32eb4d476074536371a32 from main.
2025-04-30[5.2.x] Fixed #36360 -- Fixed QuerySet.update() crash when referring ↵Simon Charette
annotations through values(). The issue was only manifesting itself when also filtering againt a related model as that forces the usage of a subquery because SQLUpdateCompiler doesn't support the UPDATE FROM syntax yet. Regression in 65ad4ade74dc9208b9d686a451cd6045df0c9c3a. Refs #28900. Thanks Gav O'Connor for the detailed report. Backport of 8ef4e0bd423ac3764004c73c3d1098e7a51a2945 from main.
2025-04-29[5.2.x] Used addCleanup() instead of try-finally blocks in inspectdb tests.Baptiste Mispelon
Backport of 2722cb61ccae84f593e6d2c28814e3c628743994 from main.
2025-04-27[5.2.x] Fixed #35931 -- Documented fields and methods of the FlatPage model.koresi
Co-authored-by: Clifford Gama <53076065+cliff688@users.noreply.github.com> Backport of 0ee06c04e0256094270db3ffe8b5dafa6a8457a3 from main.
2025-04-27[5.2.x] Fixed #36335 -- Fixed typo in docs/topics/db/managers.txt.dbogar89
Backport of 7b394b9988b986429a4da4e60416e0f08ff649e5 from main
2025-04-24[5.2.x] Fixed #36309 -- Made email alternatives and attachments pickleable.nessita
Regression in aba0e541caaa086f183197eaaca0ac20a730bbe4 and in d5bebc1c26d4c0ec9eaa057aefc5b38649c0ba3b. Thanks Florent Messa for the report, and Jake Howard and Claude Paroz for the review. Backport of 0596263c3136bc26cffa670e5322bd0aa56c4d34 from main.
2025-04-23[5.2.x] Refs #36341 -- Added release notes for 5.1.9 and 4.2.21 for fix in ↵nessita
wordwrap template filter. Revision 1e9db35836d42a3c72f3d1015c2f302eb6fee046 fixed a regression in 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b, which also needs to be backported to the stable branches in extended support (5.1.x and 4.2.x). Backport of c86242d61ff81bddbead115c458c1eb532d43b43 from main.
2025-04-23[5.2.x] Fixed #36341 -- Preserved whitespaces in wordwrap template filter.Matti Pohjanvirta
Regression in 55d89e25f4115c5674cdd9b9bcba2bb2bb6d820b. This work improves the django.utils.text.wrap() function to ensure that empty lines and lines with whitespace only are kept instead of being dropped. Thanks Matti Pohjanvirta for the report and fix. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 1e9db35836d42a3c72f3d1015c2f302eb6fee046 from main.
2025-04-22[5.2.x] Fixed #36331 -- Reverted "Fixed #36055 -- Prevented overlap of ↵antoliny0919
object-tools buttons and page header in the admin." This reverts commits b1324a680add78de24c763911d0eefa19b9263bc and 02a5cbfe76382da2a0414df17017185be5bd47f9. The former caused a regression in admin sites that relied on the `object-tools` block being inside the `content` block. Thank you to Fabian Braun for the report. Backport of 1bc805e23b73a580b82a1d416ab0fb59a1073047 from main.
2025-04-17[5.2.x] Fixed #36314 -- Fixed MinimumLengthValidator error message translation.Ahmed Nassar
Regression in ec7d69035a408b357f1803ca05a7c991cc358cfa. Thank you Gabriel Trouvé for the report and Claude Paroz for the review. Backport of d469db978ea6a705549b9519313d9adc198e4232 from main.
2025-04-15[5.2.x] Fixed #36269 -- Documented how to test callable storage in FileField.Ahmed Nassar
Backport of 8bca33f68acc4fc881146c4b9cf4101a8bfab437 from main.
2025-04-15[5.2.x] Fixed #35993 -- Documented gettext f-string support limitations.Ahmed Nassar
Thank you to Claude Paroz and Athena Wolfskämpf for the review. Backport of 2c2f09055579cc6068cae6c6fd3135011d6df4f1 from main.
2025-04-12[5.2.x] Fixed #36320 -- Ignored "duplicated_toc_entry" for ePub docs build.Baptiste Mispelon
Backport of ac16d2876da296d8e50450bf7d776f92d1e16b0d from main
2025-04-11[5.2.x] Fixed #36288 -- Addressed improper handling of duplicates in ↵Simon Charette
values_list(). Now that selected aliases are stored in sql.Query.selected: dict[str, Any] the values_list() method must ensures that duplicate field name references are assigned unique aliases. Refs #28900. Regression in 65ad4ade74dc9208b9d686a451cd6045df0c9c3a. Thanks Claude for the report. Backport of 21f8be76d43aa1ee5ae41c1e0a428cfea1f231c1 from main.
2025-04-08[5.2.x] Clarified `url` and `name` arguments in flatpages URLconf ref docs.Clifford Gama
Backport of a2f7b3a6a04c8c46c38040c9d9d5bdc6298bd714 from main.
2025-04-08[5.2.x] Added missing closing parenthesis in docs/ref/contrib/flatpages.txt.Natalia
Backport of f9f0a183273724046710efbb3e6646d9fe3fd08e from main.