summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2026-04-07[6.0.x] Bumped version for 6.0.4 release.6.0.4Jacob Walls
2026-04-07[6.0.x] Fixed CVE-2026-33034 -- Enforced DATA_UPLOAD_MAX_MEMORY_SIZE on body ↵Natalia
size in ASGI requests. The `body` property in `HttpRequest` checks DATA_UPLOAD_MAX_MEMORY_SIZE against the declared `Content-Length` header before reading. On the ASGI path, chunked requests carry no `Content-Length`, so the check evaluated to 0 and always passed regardless of the actual body size. This work adds a new check on the actual number of bytes consumed. Thanks to Superior for the report, and to Jake Howard and Jacob Walls for reviews. Backport of 953c238058c0ce387a1a41cb491bfc1875d73ad0 from main.
2026-04-07[6.0.x] Fixed CVE-2026-33033 -- Mitigated potential DoS in MultiPartParser.Natalia
When a multipart file part used `Content-Transfer-Encoding: base64` and the non-whitespace base64 bytes did not align to a multiple of 4 within a chunk, the parser entered a loop calling `field_stream.read(1-3)` once per whitespace byte. Each such call fetched the entire internal buffer, sliced off 1-3 bytes, and pushed the remainder back via unget(), doing an O(n) memory copy per call. A 2.5 MB payload of mostly whitespace produced CPU amplification relative to a normal upload of the same size. The alignment loop now reads `self._chunk_size` bytes at a time, and accumulates stripped parts in a list joined once at the end. Thanks to Seokchan Yoon for the report and the fixing patch. Backport of 7e9885f99cee771b51692fadc5592bdbf19641aa from main.
2026-04-07[6.0.x] Fixed CVE-2026-4292 -- Disallowed instance creation via ↵Jacob Walls
ModelAdmin.list_editable. Thanks Natalia Bidart, Jake Howard, and Markus Holtermann for reviews. Backport of 6afe7ce93964f56e33a29d477c269436f9b60cbf from main.
2026-04-07[6.0.x] Fixed CVE-2026-4277 -- Checked add permissions in ↵Jacob Walls
GenericInlineModelAdmin. Edit permissions were still checked as part of ordinary form validation, but because GenericInlineModelAdmin overrides get_formset(), it lacked InlineModelAdmin's dynamic DeleteProtectedModelForm.has_changed() logic for checking permissions server-side, leaving the add case unaddressed. This change reimplements the relevant part of InlineModelAdmin.get_formset(). Thanks N05ec@LZU-DSLab for the report, and Natalia Bidart, Markus Holtermann, and Simon Charette for reviews. Backport of ef8b25dcc06d158683a5623ce406d561638f4073 from main.
2026-04-07[6.0.x] Fixed CVE-2026-3902 -- Ignored headers with underscores in ASGIRequest.Jacob Walls
Thanks Tarek Nakkouch for the report and Jake Howard and Natalia Bidart for reviews. Backport of caf90a971f09323775ed0cacf94eadaf39d040e0 from main.
2026-04-03[6.0.x] Refs #36949 -- Removed hardcoded pks in modeladmin tests.Tim Graham
Backport of 123fa3a3f38abdb73055acc9a2cbbe3537f9323a from main.
2026-04-02[6.0.x] Fixed #36973 -- Made fields.E348 check detect further clashes ↵Clifford Gama
between managers and related_names. Clashes were only detected for self-referential relationships, i.e. ForeignKey("self"). Refs #22977. Bug in 6888375c53476011754f778deabc6cdbfa327011. Thanks JaeHyuckSa for the thorough review! Backport of fcf916884d25ed430bd7cedaea2b10035c2aa3b6 from main.
2026-04-02[6.0.x] Refs #36862 -- Reiterated security note on both variants of ↵Jacob Walls
RemoteUserMiddleware. Backport of 04bcc9913319e50b376a27c29cf9aa4e7b8247bf from main.
2026-04-02[6.0.x] Fixed #36949 -- Improved RelatedFieldWidgetWrapper <label>s.David Smith
Regression in 4187da258fe212d494cb578a0bc2b52c4979ab95. Backport of 253f552c5809fa096116b601bd842ca4f3504860 from main.
2026-04-02[6.0.x] Added section for respecting maintainer time to the security policy.Natalia
This follows a post from Seth Larson (Security Developer-in-Residence at the PSF): https://sethmlarson.dev/respecting-maintainer-time-should-be-in-security-policies Backport of 90cd510b3b033605907f6521ef98f35d2bd6c3a0 from main.
2026-04-02[6.0.x] Fixed #36862 -- Doc'd the need for a proxy when deploying ↵Jacob Walls
RemoteUserMiddleware under ASGI. We have a flood of nuisance security reports describing ASGI deployments using RemoteUserMiddleware without a fronting proxy, which is not realistic. Backport of 2ee757ee502d5663f932dc5c35175c39af4640ce from main.
2026-04-02[6.0.x] Fixed #37017 -- Fixed setting or clearing of request.user after ↵Jacob Walls
alogin/alogout(). Regression in 31a43c571f4d036827d4fd7a5f615591637dc1be. Backport of a32c7075cf634aee1f4f3deecd27f194097ec0c2 from main.
2026-04-01[6.0.x] Fixed #36799 -- Added a how-to guide for testing pre-releases.VIZZARD-X
Thanks Sarah Boyce for the idea and Tim McCurrach for the review. Co-authored-by: Timothy McCurrach <tim.mccurrach@gmail.com> Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com> Backport of 6be668b0cc6524c9900181c5bd8273ef2f256a34 from main.
2026-03-31[6.0.x] Added stub release notes and release date for 6.0.4, 5.2.13, and 4.2.30.Jacob Walls
Backport of dff1980d61b1129c82757f70117dcea68e69a8c8 from main.
2026-03-30[6.0.x] Skipped check_commit_messages action on forks.Jacob Walls
This was causing permission errors on private forks, e.g. the one maintained by the Security Team for staging security patches. Follow-up to f8665b1a7ff5e98d84f66ad0e958c3f175aa5d8b. Backport of 455e787b9cc8bd3342f86ddcf8ef4103fd811bb5 from main.
2026-03-28[6.0.x] Fixed #29762 -- Doc'd how database routers fetch related objects.VIZZARD-X
Thanks James Bligh for the review. Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com> Backport of edd899786851f6285abbc3c272f4f5ec0e48a74c from main.
2026-03-28[6.0.x] Refs #36526 -- Fixed bulk_update() batching example in docs.Georgios Verigakis
Backport of 4fd9e85b6031e7ddf878b280f324da6b98f7b0ed from main.
2026-03-27[6.0.x] Corrected outdated links to gunicorn documentation.Sebastian Skonieczny
Backport of a1188fc76ae4d9ff3b82feacd1ddd7b38b3e6009 from main.
2026-03-24[6.0.x] Fixed #36999 -- Removed mention of Ruby on Rails from tutorial part 2.Vinay Datta
This comparison wasn't fleshed out, so it was distracting. Backport of f3bdfd2065373272ebb637785cea2313582a8b8c from main.
2026-03-20[6.0.x] Made it clear that unreviewed tickets shouldn't be claimed or started.Jake Howard
Backport of d9adcfbd5e3ba5859cc0ce6e2e67f533efbc8f9b from main.
2026-03-19[6.0.x] Fixed #36904 -- Clarified how to hide form field labels in docs.Amar
Backport of 8401071c52d19a2bdd987a2dbe79c440f01dfae9 from main.
2026-03-16[6.0.x] Combined scripts confirm_release.sh and test_new_version.sh into ↵Natalia
verify_release.sh. This reuses the same download for both artifacts and checks both GPG signature and minimal correctness in the same script. Docs and script do_django_release.py were updated. Backport of 3abf89887993140d28676f26420ee0d46a617f51 from main.
2026-03-16[6.0.x] Corrected signature for EmailMessage.message() in email topics docs.Mike Edmunds
Fixed the EmailMessage.message() method signature in the docs to reinforce that the `policy` argument is keyword-only. (The text already describes it correctly as keyword-only.) Backport of 4b2edb3418851c09dd839f1a2cba74051fe9d420 from main.
2026-03-14[6.0.x] Fixed #35786 -- Removed outdated note about database defaults in ↵Ahmed Nassar
AddField/AlterField docs. Backport of 23f49c6b408d9b013e959f91c23813a7c0f6ed64 from main
2026-03-12[6.0.x] Removed third plural form from .po files for Romance languages.Jacob Walls
These were missed during manual review.
2026-03-12[6.0.x] Updated translations from Transifex.Jacob Walls
2026-03-10[6.0.x] Fixed #36391 -- Doc'd RawSQL usage in docs/topics/db/sql.txt.Amar
Backport of 14889d8cead6af22ef71360f26610711997915d1 from main.
2026-03-09[6.0.x] Fixed #36600 -- Clarified the use cases for dispatch_uid in signal ↵Amar
connection. Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com> Backport of e8ab2bb83fc6d3c0f5d998d1a41ebaebacaa1a28 from main.
2026-03-06[6.0.x] Extended checks and docs for proper commit message format and edition.Jacob Walls
Thanks to Tim Schilling for the review. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of c27d368b92f321e6f91704f554dccbc18df5b075 from main.
2026-03-03[6.0.x] Refs #35859 -- Mentioned django-tasks and external resources on ↵Jake Howard
docs/topics/tasks.txt. Backport of a328c355d9625ecdc8f16b249daebba3c0ac2882 from main.
2026-03-03[6.0.x] Fixed #20775 -- Clarified that SQL for text lookups varies per database.Lakshya
Backport of 5b939808220fa879942303f4318276668d11b4d9 from main.
2026-03-03[6.0.x] Added CVE-2026-25673 and CVE-2026-25674 to security archive.Natalia
Backport of 62ab467686845e2a12a2580997a81d4bf61edfc6 from main.
2026-03-03[6.0.x] Added stub release notes for 6.0.4.Natalia
Backport of 9b1745400b09293253158059e3a8fe407e5cc553 from main.
2026-03-03[6.0.x] Post-release version bump.Natalia
2026-03-03[6.0.x] Bumped version for 6.0.3 release.6.0.3Natalia
2026-03-03[6.0.x] Fixed CVE-2026-25674 -- Prevented potentially incorrect permissions ↵Natalia
on file system object creation. This fix introduces `safe_makedirs()` in the `os` utils as a safer alternative to `os.makedirs()` that avoids umask-related race conditions in multi-threaded environments. This is a workaround for https://github.com/python/cpython/issues/86533 and the solution is based on the fix being proposed for CPython. Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com> Co-authored-by: Zackery Spytz <zspytz@gmail.com> Refs CVE-2020-24583 and #31921. Thanks Tarek Nakkouch for the report, and Jake Howard, Jacob Walls, and Shai Berger for reviews. Backport of 019e44f67a8dace67b786e2818938c8691132988 from main.
2026-03-03[6.0.x] Fixed CVE-2026-25673 -- Simplified URLField scheme detection.Natalia
This simplicaftion mitigates a potential DoS in URLField on Windows. The usage of `urlsplit()` in `URLField.to_python()` was replaced with `str.partition(":")` for URL scheme detection. On Windows, `urlsplit()` performs Unicode normalization which is slow for certain characters, making `URLField` vulnerable to DoS via specially crafted POST payloads. Thanks Seokchan Yoon for the report, and Jake Howard and Shai Berger for the review. Refs #36923. Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com> Backport of 951ffb3832cd83ba672c1e3deae2bda128eb9cca from main.
2026-03-02[6.0.x] Fixed #36961 -- Fixed TypeError in deprecation warnings if Django is ↵Jacob Walls
imported by namespace. Backport of c1d8646ec219b8b90ebdd463f40e5767876658a0 from main.
2026-03-02[6.0.x] Ensured spelling checks pass OK.Natalia
Follow up to 659bacfe54c2a28eb2e0589c1c721f1a99720ad2.
2026-03-02[6.0.x] Aligned docs checks between GitHub Actions and local development.Natalia
Backport of 3f21cb06e76044ad753055700395e54a1fc4f1e9 from main.
2026-02-26[6.0.x] Adjusted default DoS severity level in Security Policy.Natalia
Backport of 1f2a56567c565d91d797b8a9071ff77a75b52080 from main.
2026-02-25[6.0.x] Fixed #36848 -- Mentioned BadRequest exception in docs/ref/views.txt.LincolnPuzey
Backport of 4aefc9ea51cc2d78f43b1dc2aa69732e55d18a56 from main.
2026-02-25[6.0.x] Fixed #36951 -- Removed empty exc_info from log_task_finished signal ↵Elias Hernandis
handler. Before, if no exception occurred, "None Type: None" was logged. Backport of 497d9cdc67f0bdae929fcde677b5f441e94a6c8b from main.
2026-02-25[6.0.x] Fixed #36944 -- Removed MAX_LENGTH_HTML and related 5M chars limit ↵Natalia
references from HTML truncation docs. Backport of bbc6818bc12f14c1764a7eb68556018195f56b59 from main.
2026-02-24[6.0.x] Applied Black's 2026 stable style.Mariusz Felisiak
https://github.com/psf/black/releases/tag/26.1.0 Backport of 6cff02078799b7c683a0d39630d49ab4fe532e7c from main.
2026-02-24[6.0.x] Added stub release notes and release date for 6.0.3, 5.2.12, and 4.2.29.Natalia
Backport of acd0bec51366e259b4c2b43e4c09755541cdf560 from main.
2026-02-20[6.0.x] Fixed #36920 -- Fixed alignment of fieldset legends in wide admin forms.usman
Visual regression in 4187da258fe212d494cb578a0bc2b52c4979ab95. Backport of 8d251b512bafd7b7f736cfcabeba0ae76106f2db from main.
2026-02-20[6.0.x] Fixed #36934, Refs #35972 -- Coped with params in a tuple in ↵Jacob Walls
BuiltinLookup.as_sql(). For custom lookups subclassing BuiltinLookup and following the advice in the release notes to return params in a tuple, this change will obviate the need to audit as_sql() in addition to process_lhs() to be "resilient against either tuples or lists" as described in the release note. Regression in 8914f4703cf03e2a01683c4ba00f5ae7d3fa449d.
2026-02-10[6.0.x] Fixed #36903 -- Fixed further NameErrors when inspecting functions ↵93578237
with deferred annotations. Provide a wrapper for safe introspection of user functions on Python 3.14+. Follow-up to 601914722956cc41f1f2c53972d669ddee6ffc04. Backport of 56ed37e17e5b1a509aa68a0c797dcff34fcc1366 from main.