summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2025-06-09Refs #34378, #36143, #36416 -- Fixed isolation of ↵Jacob Walls
LookupTests.test_in_bulk_preserve_ordering_with_batch_size(). `max_query_params` is a property, so it must be patched on the class.
2025-06-09Fixed #36446 -- Restored "q" in internal MediaType.params property.Natalia
The "q" key was removed while addressing ticket #36411. Despite `MediaType.params` is undocumented and considered internal, it was used in third-party projects (Zulip reported breakage), so this work restored the `q` key in `params`. Thanks Anders Kaseorg for the report. Regression in c075508b4de8edf9db553b409f8a8ed2f26ecead.
2025-06-09Refs #10785 -- Added missing __hash__() method to custom pk test model.Jacob Walls
2025-06-06Fixed #36419 -- Ensured for_save was propagated when resolving expressions.Clifford Gama
The for_save flag wasn't properly propagated when resolving expressions, which prevented get_db_prep_save() from being called in some cases. This affected fields like JSONField where None would be saved as JSON null instead of SQL NULL. Regression in 00c690efbc0b10f67924687f24a7b30397bf47d9. Thanks to David Sanders and Simon Charette for reviews. Co-authored-by: Adam Johnson <me@adamj.eu>
2025-06-06Refs CVE-2025-48432 -- Prevented log injection in remaining response logging.Jake Howard
Migrated remaining response-related logging to use the `log_response()` helper to avoid potential log injection, to ensure untrusted values like request paths are safely escaped. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2025-06-06Refs CVE-2025-48432 -- Made SuspiciousOperation logging use log_response() ↵Natalia
for consistency.
2025-06-06Refactored logging_tests to reuse assertions for log records.Natalia
2025-06-06Updated translations from Transifex.Sarah Boyce
Forwardport of 5901cfe591139b4389171ba738be81e8f4d5cfc9 from stable/5.2.x.
2025-06-05Added validation to BaseSpatialFeatures.has_<Func>_function.Tim Graham
2025-06-05Fixed #36435 -- Made CaptureQueriesContext restore reset_queries conditionally.Adam Johnson
2025-06-05Refs #36435 -- Tidied tests for CaptureQueriesContext and assertNumQueries.Adam Johnson
Avoided repeatedly templating the URL and hoisted Person creation to setUpTestData in AssertNumQueriesContextManagerTests to repeat the same pattern as in CaptureQueriesContextManagerTests.
2025-06-05Fixed #36407 -- Ensured default value is cast in Case expressions used in ↵ontowhee
ORDER BY clause. Thanks to deceze for the report. Thanks to Sarah Boyce for the test. Thanks to Simon Charette for the investigation and review.
2025-06-04Added CVE-2025-48432 to security archive.Natalia
2025-06-04Added stub release notes for 5.2.3.Natalia
2025-06-04Fixed CVE-2025-48432 -- Escaped formatting arguments in `log_response()`.Natalia
Suitably crafted requests containing a CRLF sequence in the request path may have allowed log injection, potentially corrupting log files, obscuring other attacks, misleading log post-processing tools, or forging log entries. To mitigate this, all positional formatting arguments passed to the logger are now escaped using "unicode_escape" encoding. Thanks to Seokchan Yoon (https://ch4n3.kr/) for the report. Co-authored-by: Carlton Gibson <carlton@noumenal.es> Co-authored-by: Jake Howard <git@theorangeone.net>
2025-06-04Fixed #36432 -- Fixed a prefetch_related crash on related target subclass ↵Simon Charette
queryset. Regression in 626d77e52a3f247358514bcf51c761283968099c. Refs #36116. Thanks Cornelis Poppema for the excellent report.
2025-06-03Fixed #36411 -- Made HttpRequest.get_preferred_type() consider media type ↵Jake Howard
parameters. HttpRequest.get_preferred_type() did not account for parameters in Accept header media types (e.g., "text/vcard; version=3.0"). This caused incorrect content negotiation when multiple types differed only by parameters, reducing specificity as per RFC 7231 section 5.3.2 (https://datatracker.ietf.org/doc/html/rfc7231.html#section-5.3.2). This fix updates get_preferred_type() to treat media types with parameters as distinct, allowing more precise and standards-compliant matching. Thanks to magicfelix for the report, and to David Sanders and Sarah Boyce for the reviews.
2025-06-03Fixed #36416 -- Made QuerySet.in_bulk() account for composite pks in id_list.Jacob Walls
2025-06-03Fixed #36060 -- Prevented IntegrityError in bulk_create() with ↵myoungjinGo-BE
order_with_respect_to.
2025-06-02Fixed #36423 -- Prevented filter_horizontal buttons from intercepting form ↵Blayze
submission. In the admin's filter_horizontal widget, optional action buttons like "Choose all", "Remove all", etc. were changed from `<a>` to `<button>` elements in #34619, but without specifying `type="button"`. As a result, when pressing Enter while focused on a form input, these buttons could be triggered and intercept form submission. Explicitly set `type="button"` on these control buttons to prevent them from acting as submit buttons. Thanks Antoliny Lee for the quick triage and review. Regression in 857b1048d53ebf5fc5581c110e85c212b81ca83a.
2025-05-28Added stub release notes and release date for 5.2.2, 5.1.10, and 4.2.22.Natalia
2025-05-27Removed redundant redefinition of variable in tests/test_utils/tests.py.Clifford Gama
2025-05-27Removed unreachable check for None in TruncBase.convert_value().Tim Graham
2025-05-26Fixed #36402, Refs #35980 -- Updated built package name in reusable apps ↵Jason Judkins
tutorial for PEP 625.
2025-05-23Fixed flakiness in ↵Nick Pope
file_storage.tests.CustomStorageTests.test_file_get_accessed_time. Two separate calls to look up access time can result in sub-second differences which cause the test to fail. Also made the equivalent tests for ctime and mtime have the same changes to ensure that they won't flake in the same way in future.
2025-05-23Fixed #36405 -- Fixed Aggregate.order_by using OuterRef.Adam Johnson
co-authored-by: Simon Charette <charette.s@gmail.com>
2025-05-23Fixed #36404 -- Fixed Aggregate.filter using OuterRef.Adam Johnson
Regression in a76035e925ff4e6d8676c65cb135c74b993b1039. Thank you to Simon Charette for the review. co-authored-by: Simon Charette <charette.s@gmail.com>
2025-05-23Fixed typo in docs/ref/forms/renderers.txt.Adam Zapletal
2025-05-23Refs #35444 -- Adjusted multi-args distinct aggregate test ordering ↵Simon Charette
expectations. Unless an explicit order_by is specified for the test the ordering of the aggregation results is undefined.
2025-05-23Fixed #36390 -- Deprecated RemoteUserMiddleware subclasses missing ↵Sarah Boyce
aprocess_request(). Regression in 50f89ae850f6b4e35819fe725a08c7e579bfd099. Thank you to shamoon for the report and Natalia Bidart for the review.
2025-05-22Added helpers in csrf_tests and logging_tests to assert logs from ↵Natalia
`log_response()`.
2025-05-22Refs #26688 -- Added tests for `log_response()` internal helper.Natalia
2025-05-20Refs #35829 -- Made cosmetic edits to ↵nessita
django/contrib/admin/static/admin/img/README.md.
2025-05-20Fixed #34262 -- Added support for AnyValue for SQLite, MySQL, Oracle, and ↵ontowhee
Postgresql 16+. Thanks Simon Charette for the guidance and review. Thanks Tim Schilling for the documentation review. Thanks David Wobrock for investigation and solution proposals.
2025-05-19Fixed typo in docs/releases/6.0.txt.Jacob Walls
2025-05-19Fixed #36388 -- Made QuerySet.union() return self when called with no arguments.Colleen Dunlap
Regression in 9cb8baa0c4fa2c10789c5c8b65f4465932d4d172. Thank you to Antoine Humeau for the report and Simon Charette for the review.
2025-05-16Fixed #36348 -- Fixed handling multiple nested url()s in ↵Samuel Cormier-Iijima
ManifestStaticFilesStorage. Signed-off-by: Samuel Cormier-Iijima <samuel@cormier-iijima.com>
2025-05-16Fixed #36392 -- Raised ValueError when subquery referencing composite pk ↵Jacob Walls
selects too many columns.
2025-05-16Fixed #33312 -- Raised explicit exception when copying deferred model instances.Simon Charette
Previously save() would crash with an attempted forced update message, and both save(force_insert=True) and bulk_create() would crash with DoesNotExist errors trying to retrieve rows with an empty primary key (id IS NULL). Implementing deferred field model instance copying might be doable in certain cases (e.g. when all the deferred fields are db generated) but that's not trivial to implement in a backward compatible way. Thanks Adam Sołtysik for the report and test and Clifford for the review.
2025-05-15Refs #35844 -- Skipped selenium and geoip2 requirement in Windows for Python ↵Mariusz Felisiak
3.14+. Follow up to d6925f0d6beb3c08ae24bdb8fd83ddb13d1756e4.
2025-05-15Refs #34488 -- Made test files path resolution independent of current ↵Tim Graham
working directory in ClearableFileInput selenium tests.
2025-05-15Added missing import in docs/ref/contrib/admin/index.txt.antoliny0919
2025-05-15Fixed incorrect spacing in docs/ref/contrib/postgres/fields.txt.Jacob Walls
2025-05-15Fixed #35829 -- Updated admin icons using Font Awesome Free version 6.7.2.Pablo Bengoechea
Co-authored-by: Stefan <96178532+stefan6419846@users.noreply.github.com>
2025-05-14Refs #35844 -- Skipped argon2-cffi requirement in Windows for Python 3.14+.nessita
2025-05-14Fixed #35852 -- Fixed intcomma locale-aware formatting of string number ↵Timothy McCurrach
representations.
2025-05-14Fixed #35507 -- Improved accessibility of search and filter elements in the ↵antoliny0919
admin changelist.
2025-05-14Fixed #36273 -- Moved Index system checks from Model to Index.check().Tim Graham
2025-05-14Fixed #36085 -- Added JSONField support for negative array indexing on SQLite.savanto
2025-05-14Refs #36085 -- Moved compile_json_path to BaseDatabaseOperations.hesham942