| Age | Commit message (Collapse) | Author |
|
|
|
size in ASGI requests.
The `body` property in `HttpRequest` checks DATA_UPLOAD_MAX_MEMORY_SIZE
against the declared `Content-Length` header before reading. On the ASGI
path, chunked requests carry no `Content-Length`, so the check evaluated
to 0 and always passed regardless of the actual body size.
This work adds a new check on the actual number of bytes consumed.
Thanks to Superior for the report, and to Jake Howard and Jacob Walls
for reviews.
Backport of 953c238058c0ce387a1a41cb491bfc1875d73ad0 from main.
|
|
When a multipart file part used `Content-Transfer-Encoding: base64` and
the non-whitespace base64 bytes did not align to a multiple of 4 within
a chunk, the parser entered a loop calling `field_stream.read(1-3)` once
per whitespace byte. Each such call fetched the entire internal buffer,
sliced off 1-3 bytes, and pushed the remainder back via unget(), doing
an O(n) memory copy per call. A 2.5 MB payload of mostly whitespace
produced CPU amplification relative to a normal upload of the same size.
The alignment loop now reads `self._chunk_size` bytes at a time, and
accumulates stripped parts in a list joined once at the end.
Thanks to Seokchan Yoon for the report and the fixing patch.
Backport of 7e9885f99cee771b51692fadc5592bdbf19641aa from main.
|
|
ModelAdmin.list_editable.
Thanks Natalia Bidart, Jake Howard, and Markus Holtermann for reviews.
Backport of 6afe7ce93964f56e33a29d477c269436f9b60cbf from main.
|
|
GenericInlineModelAdmin.
Edit permissions were still checked as part of ordinary form validation,
but because GenericInlineModelAdmin overrides get_formset(), it lacked
InlineModelAdmin's dynamic DeleteProtectedModelForm.has_changed() logic
for checking permissions server-side, leaving the add case unaddressed.
This change reimplements the relevant part of InlineModelAdmin.get_formset().
Thanks N05ec@LZU-DSLab for the report, and Natalia Bidart,
Markus Holtermann, and Simon Charette for reviews.
Backport of ef8b25dcc06d158683a5623ce406d561638f4073 from main.
|
|
Thanks Tarek Nakkouch for the report and Jake Howard and Natalia Bidart
for reviews.
Backport of caf90a971f09323775ed0cacf94eadaf39d040e0 from main.
|
|
Backport of 123fa3a3f38abdb73055acc9a2cbbe3537f9323a from main.
|
|
between managers and related_names.
Clashes were only detected for self-referential relationships, i.e. ForeignKey("self").
Refs #22977. Bug in 6888375c53476011754f778deabc6cdbfa327011.
Thanks JaeHyuckSa for the thorough review!
Backport of fcf916884d25ed430bd7cedaea2b10035c2aa3b6 from main.
|
|
RemoteUserMiddleware.
Backport of 04bcc9913319e50b376a27c29cf9aa4e7b8247bf from main.
|
|
Regression in 4187da258fe212d494cb578a0bc2b52c4979ab95.
Backport of 253f552c5809fa096116b601bd842ca4f3504860 from main.
|
|
This follows a post from Seth Larson (Security Developer-in-Residence at the PSF):
https://sethmlarson.dev/respecting-maintainer-time-should-be-in-security-policies
Backport of 90cd510b3b033605907f6521ef98f35d2bd6c3a0 from main.
|
|
RemoteUserMiddleware under ASGI.
We have a flood of nuisance security reports describing ASGI deployments
using RemoteUserMiddleware without a fronting proxy, which is not
realistic.
Backport of 2ee757ee502d5663f932dc5c35175c39af4640ce from main.
|
|
alogin/alogout().
Regression in 31a43c571f4d036827d4fd7a5f615591637dc1be.
Backport of a32c7075cf634aee1f4f3deecd27f194097ec0c2 from main.
|
|
Thanks Sarah Boyce for the idea and Tim McCurrach for the review.
Co-authored-by: Timothy McCurrach <tim.mccurrach@gmail.com>
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
Backport of 6be668b0cc6524c9900181c5bd8273ef2f256a34 from main.
|
|
Backport of dff1980d61b1129c82757f70117dcea68e69a8c8 from main.
|
|
This was causing permission errors on private forks, e.g. the one
maintained by the Security Team for staging security patches.
Follow-up to f8665b1a7ff5e98d84f66ad0e958c3f175aa5d8b.
Backport of 455e787b9cc8bd3342f86ddcf8ef4103fd811bb5 from main.
|
|
Thanks James Bligh for the review.
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
Backport of edd899786851f6285abbc3c272f4f5ec0e48a74c from main.
|
|
Backport of 4fd9e85b6031e7ddf878b280f324da6b98f7b0ed from main.
|
|
Backport of a1188fc76ae4d9ff3b82feacd1ddd7b38b3e6009 from main.
|
|
This comparison wasn't fleshed out, so it was distracting.
Backport of f3bdfd2065373272ebb637785cea2313582a8b8c from main.
|
|
Backport of d9adcfbd5e3ba5859cc0ce6e2e67f533efbc8f9b from main.
|
|
Backport of 8401071c52d19a2bdd987a2dbe79c440f01dfae9 from main.
|
|
verify_release.sh.
This reuses the same download for both artifacts and checks both GPG
signature and minimal correctness in the same script. Docs and script
do_django_release.py were updated.
Backport of 3abf89887993140d28676f26420ee0d46a617f51 from main.
|
|
Fixed the EmailMessage.message() method signature in the docs to
reinforce that the `policy` argument is keyword-only. (The text already
describes it correctly as keyword-only.)
Backport of 4b2edb3418851c09dd839f1a2cba74051fe9d420 from main.
|
|
AddField/AlterField docs.
Backport of 23f49c6b408d9b013e959f91c23813a7c0f6ed64 from main
|
|
These were missed during manual review.
|
|
|
|
Backport of 14889d8cead6af22ef71360f26610711997915d1 from main.
|
|
connection.
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
Backport of e8ab2bb83fc6d3c0f5d998d1a41ebaebacaa1a28 from main.
|
|
Thanks to Tim Schilling for the review.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of c27d368b92f321e6f91704f554dccbc18df5b075 from main.
|
|
docs/topics/tasks.txt.
Backport of a328c355d9625ecdc8f16b249daebba3c0ac2882 from main.
|
|
Backport of 5b939808220fa879942303f4318276668d11b4d9 from main.
|
|
Backport of 62ab467686845e2a12a2580997a81d4bf61edfc6 from main.
|
|
Backport of 9b1745400b09293253158059e3a8fe407e5cc553 from main.
|
|
|
|
|
|
on file system object creation.
This fix introduces `safe_makedirs()` in the `os` utils as a safer
alternative to `os.makedirs()` that avoids umask-related race conditions
in multi-threaded environments.
This is a workaround for https://github.com/python/cpython/issues/86533
and the solution is based on the fix being proposed for CPython.
Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
Co-authored-by: Zackery Spytz <zspytz@gmail.com>
Refs CVE-2020-24583 and #31921.
Thanks Tarek Nakkouch for the report, and Jake Howard, Jacob Walls, and
Shai Berger for reviews.
Backport of 019e44f67a8dace67b786e2818938c8691132988 from main.
|
|
This simplicaftion mitigates a potential DoS in URLField on Windows. The
usage of `urlsplit()` in `URLField.to_python()` was replaced with
`str.partition(":")` for URL scheme detection. On Windows, `urlsplit()`
performs Unicode normalization which is slow for certain characters,
making `URLField` vulnerable to DoS via specially crafted POST payloads.
Thanks Seokchan Yoon for the report, and Jake Howard and Shai Berger
for the review.
Refs #36923.
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
Backport of 951ffb3832cd83ba672c1e3deae2bda128eb9cca from main.
|
|
imported by namespace.
Backport of c1d8646ec219b8b90ebdd463f40e5767876658a0 from main.
|
|
Follow up to 659bacfe54c2a28eb2e0589c1c721f1a99720ad2.
|
|
Backport of 3f21cb06e76044ad753055700395e54a1fc4f1e9 from main.
|
|
Backport of 1f2a56567c565d91d797b8a9071ff77a75b52080 from main.
|
|
Backport of 4aefc9ea51cc2d78f43b1dc2aa69732e55d18a56 from main.
|
|
handler.
Before, if no exception occurred, "None Type: None" was logged.
Backport of 497d9cdc67f0bdae929fcde677b5f441e94a6c8b from main.
|
|
references from HTML truncation docs.
Backport of bbc6818bc12f14c1764a7eb68556018195f56b59 from main.
|
|
https://github.com/psf/black/releases/tag/26.1.0
Backport of 6cff02078799b7c683a0d39630d49ab4fe532e7c from main.
|
|
Backport of acd0bec51366e259b4c2b43e4c09755541cdf560 from main.
|
|
Visual regression in 4187da258fe212d494cb578a0bc2b52c4979ab95.
Backport of 8d251b512bafd7b7f736cfcabeba0ae76106f2db from main.
|
|
BuiltinLookup.as_sql().
For custom lookups subclassing BuiltinLookup and following the advice in the release notes
to return params in a tuple, this change will obviate the need to audit as_sql() in addition to
process_lhs() to be "resilient against either tuples or lists" as described in the release note.
Regression in 8914f4703cf03e2a01683c4ba00f5ae7d3fa449d.
|
|
with deferred annotations.
Provide a wrapper for safe introspection of user functions on Python 3.14+.
Follow-up to 601914722956cc41f1f2c53972d669ddee6ffc04.
Backport of 56ed37e17e5b1a509aa68a0c797dcff34fcc1366 from main.
|