summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2026-04-11Refs #36953 -- Moved non-backend-dependent BaseEmailBackendTests.Mike Edmunds
Relocated BaseEmailBackendTests that are _not_ dependent on the email backend. - In general, moved test cases to EmailMessageTests or SendMailTests as appropriate, and changed them to work with the testing outbox. - Replaced BaseEmailBackendTests.test_send_verbose_name() with EmailMessageTests.test_unicode_display_name_in_from_email(). (EmailMessageTests.test_address_header_handling() also partly covers the behavior, as well as Python's own message serialization tests.) - Removed BaseEmailBackendTests.test_message_cc_header(), which was already covered by EmailMessageTests.test_cc*() (and Python's own message serialization tests). - Replaced BaseEmailBackendTests.test_idn_send() with EmailMessageTests.test_idn_addresses() to cover from_email and cc. (EmailMessageTests.test_address_header_handling() already covered to.) - Removed BaseEmailBackendTests.test_recipient_without_domain(), which was partly covered by EmailMessageTests.test_localpart_only_address(). Updated the latter to cover a localpart-only from_email. - Updated docstrings and comments to clarify a few tests that _do_ depend on the email backend.
2026-04-11Refs #36953 -- Split apart catchall MailTests.Mike Edmunds
Replaced large MailTests class with smaller classes focused on specific django.core.mail APIs: - EmailMessageTests: covering EmailMessage and EmailMultiAlternatives classes (the bulk of the former MailTests cases). - SendMailTests, SendMassMailTests, MailAdminsAndManagersTests: covering the function-based mail APIs. - GetConnectionTests: covering get_connection(). - DeprecatedInternalsTests: covering deprecated internal methods used in deprecated functionality. - DummyBackendTests: covering the dummy EmailBackend. In the process, moved the two cases from MailTimeZoneTests into the new EmailMessageTests, as they related to EmailMessage Date headers.
2026-04-11Refs #36953 -- Split compound mail tests.Mike Edmunds
Broke apart independent cases in mail tests using subTest() or separate methods.
2026-04-11Refs #36953 -- Removed unnecessary overrides from mail tests.Mike Edmunds
Django automatically substitutes the locmem EmailBackend during tests, and SimpleTestCase empties mail.outbox before each test.
2026-04-10Fixed #37020 -- Removed guidance to edit fetched .po files by hand.Jacob Walls
Altering the .po files by hand was causing incorrect line numbers and plural forms. Since our fetching procedure does not recompile any hand-edited .po files to .mo files for production use, just accept Transifex's plural forms as a source of truth. https://forum.djangoproject.com/t/discourage-releasers-from-editing-po-files-by-hand/44441
2026-04-10Refs #37020 -- Corrected example command to update translation catalogs.Jacob Walls
Passing the --domain flag again just overwrites the prior value.
2026-04-09Fixed typo in docs/howto/delete-app.txt.Jonathan Wu
2026-04-08Refs #35440 -- Optimized parse_header_parameters() for the simplest case.Pravin Kamble
Added a fast-path to parse_header_parameters Benchmark results (50,000 iterations): - Simple headers: ~73% improvement Thanks Nick Pope (@ngnpope) for the review.
2026-04-08Refs CVE-2026-4292 -- Isolated new test in AdminViewListEditable.Jacob Walls
As originally written, this test interfered with admin_views.tests.SeleniumTests.test_inline_uuid_pk_add_with_popup. To fix this, register the new ModelAdmin with a different AdminSite.
2026-04-08Removed PY38 and PY39 version constants.Jacob Walls
As the oldest supported version is Django 5.2, we only need constants for PY310+.
2026-04-07Fixed #37021 -- Added Permission.user_perm_str property.mariatta
For use in checking user permissions via has_perm(). Co-authored-by: 사재혁 <jaehyuck.sa.dev@gmail.com>
2026-04-07Updated Apache links to the current docs.Mariusz Felisiak
2026-04-07Removed outdated note about uwsgi LTS from docs.Mariusz Felisiak
projects.unbit.it has an invalid certificate and provides old packages.
2026-04-07Fixed #36816 -- Allowed **kwargs in @task decorator.Nilesh Kumar Pahari
The decorator was updated to accept **kwargs and forward them to task_class, allowing additional parameters to be passed to custom Task subclasses.
2026-04-07Fixed two issues in release helper scripts/verify_release.sh.Natalia
The artifacts downloaded from media.djangoproject.com use a lowercase "django-" prefix but the script searched for capital D. Error was: "ls: cannot access 'Django-*.tar.gz': No such file or directory" The tarball and wheel smoke-tests used the same `test_one` folder inside the same working directory, so the second invocation failed with "CommandError: '/tmp/tmp.1234567890' already exists".
2026-04-07Refs CVE-2026-33034 -- Improved security documentation on handling large ↵Jake Howard
request bodies. Notably that the limit can be bypassed under ASGI.
2026-04-07Added CVE-2026-3902, CVE-2026-4277, CVE-2026-4292, CVE-2026-33033, and ↵Jacob Walls
CVE-2026-33034 to security archive.
2026-04-07Added stub release notes for 6.0.5.Jacob Walls
2026-04-07Fixed CVE-2026-33034 -- Enforced DATA_UPLOAD_MAX_MEMORY_SIZE on body size in ↵Natalia
ASGI requests. The `body` property in `HttpRequest` checks DATA_UPLOAD_MAX_MEMORY_SIZE against the declared `Content-Length` header before reading. On the ASGI path, chunked requests carry no `Content-Length`, so the check evaluated to 0 and always passed regardless of the actual body size. This work adds a new check on the actual number of bytes consumed. Thanks to Superior for the report, and to Jake Howard and Jacob Walls for reviews.
2026-04-07Fixed CVE-2026-33033 -- Mitigated potential DoS in MultiPartParser.Natalia
When a multipart file part used `Content-Transfer-Encoding: base64` and the non-whitespace base64 bytes did not align to a multiple of 4 within a chunk, the parser entered a loop calling `field_stream.read(1-3)` once per whitespace byte. Each such call fetched the entire internal buffer, sliced off 1-3 bytes, and pushed the remainder back via unget(), doing an O(n) memory copy per call. A 2.5 MB payload of mostly whitespace produced CPU amplification relative to a normal upload of the same size. The alignment loop now reads `self._chunk_size` bytes at a time, and accumulates stripped parts in a list joined once at the end. Thanks to Seokchan Yoon for the report and the fixing patch.
2026-04-07Fixed CVE-2026-4292 -- Disallowed instance creation via ↵Jacob Walls
ModelAdmin.list_editable. Thanks Natalia Bidart, Jake Howard, and Markus Holtermann for reviews.
2026-04-07Fixed CVE-2026-4277 -- Checked add permissions in GenericInlineModelAdmin.Jacob Walls
Edit permissions were still checked as part of ordinary form validation, but because GenericInlineModelAdmin overrides get_formset(), it lacked InlineModelAdmin's dynamic DeleteProtectedModelForm.has_changed() logic for checking permissions server-side, leaving the add case unaddressed. This change reimplements the relevant part of InlineModelAdmin.get_formset(). Thanks N05ec@LZU-DSLab for the report, and Natalia Bidart, Markus Holtermann, and Simon Charette for reviews.
2026-04-07Fixed CVE-2026-3902 -- Ignored headers with underscores in ASGIRequest.Jacob Walls
Thanks Tarek Nakkouch for the report and Jake Howard and Natalia Bidart for reviews.
2026-04-06Fixed #37023 -- Made XML serializer put each ManyToManyField object on its ↵Tim Graham
own line.
2026-04-06Refs #37023 -- Removed hardcoded indent levels from XML serializer.Tim Graham
This facilitates nested fields and objects.
2026-04-06Fixed #37009 -- Fixed alignment of "Show/Hide counts" icons in admin changelist.kyb
2026-04-03Fixed #37016 -- Avoided propagating invalid arguments from When() to Q().varunkasyap
2026-04-03Refs #36949 -- Removed hardcoded pks in modeladmin tests.Tim Graham
2026-04-02Fixed #36973 -- Made fields.E348 check detect further clashes between ↵Clifford Gama
managers and related_names. Clashes were only detected for self-referential relationships, i.e. ForeignKey("self"). Refs #22977. Bug in 6888375c53476011754f778deabc6cdbfa327011. Thanks JaeHyuckSa for the thorough review!
2026-04-02Refs #36862 -- Reiterated security note on both variants of ↵Jacob Walls
RemoteUserMiddleware.
2026-04-02Fixed #20024 -- Fixed handling of __in lookups with None in exclude().Eddy Adegnandjou
Thanks Simon Charette and Tim Graham for reviews, and Jason Hall for a prior iteration.
2026-04-02Refs #20024 -- Tested __in lookups with None against composite pk fields.Eddy Adegnandjou
2026-04-02Fixed #36949 -- Improved RelatedFieldWidgetWrapper <label>s.David Smith
Regression in 4187da258fe212d494cb578a0bc2b52c4979ab95.
2026-04-02Added section for respecting maintainer time to the security policy.Natalia
This follows a post from Seth Larson (Security Developer-in-Residence at the PSF): https://sethmlarson.dev/respecting-maintainer-time-should-be-in-security-policies
2026-04-02Fixed #36862 -- Doc'd the need for a proxy when deploying ↵Jacob Walls
RemoteUserMiddleware under ASGI. We have a flood of nuisance security reports describing ASGI deployments using RemoteUserMiddleware without a fronting proxy, which is not realistic.
2026-04-02Fixed #37017 -- Fixed setting or clearing of request.user after ↵Jacob Walls
alogin/alogout(). Regression in 31a43c571f4d036827d4fd7a5f615591637dc1be.
2026-04-01Fixed #37004 -- Used QuerySet.totally_ordered in ↵Rodrigo Vieira
BaseModelFormSet.get_queryset() for stable ordering.
2026-04-01Refs #37004 -- Added coverage for BaseModelFormSet.get_queryset() fallback ↵Rodrigo Vieira
ordering.
2026-03-31Fixed #36799 -- Added a how-to guide for testing pre-releases.VIZZARD-X
Thanks Sarah Boyce for the idea and Tim McCurrach for the review. Co-authored-by: Timothy McCurrach <tim.mccurrach@gmail.com> Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
2026-03-31Added stub release notes and release date for 6.0.4, 5.2.13, and 4.2.30.Jacob Walls
2026-03-30Refs #36770 -- Skipped test_in_memory_database_lock().Jacob Walls
Skip pending some investigation.
2026-03-30Refs #36770 -- Preferred addCleanup() in live server tests.Jacob Walls
2026-03-30Refs #36770 -- Guarded against an endless wait in LiveServerThread.terminate().Jacob Walls
terminate() shouldn't assume the main server was started. (A deadlock from mishandling of in-memory SQLite databases may have occurred.)
2026-03-30Refs #36926 -- Added release note for boolean icons for related fields in ↵Jacob Walls
list_display.
2026-03-28Fixed #29762 -- Doc'd how database routers fetch related objects.VIZZARD-X
Thanks James Bligh for the review. Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
2026-03-28Refs #36526 -- Fixed bulk_update() batching example in docs.Georgios Verigakis
2026-03-27Corrected outdated links to gunicorn documentation.Sebastian Skonieczny
2026-03-26Refs #36913 -- Maintained error message determinism in ↵afenoum
MultipleChoiceField.validate(). Used Django's OrderedSet datastructure instead of set() in MultipleChoiceField.validate() to prevent submission ordering from being discarded during validation. Thanks to Jacob Walls, JaeHyuck Sa, Jake Howard and Simon Charette for the reviews.
2026-03-25Fixed #36993 -- Clarified N/A usage in pull request template for typo fixes.JaeHyuckSa
Signed-off-by: JaeHyuckSa <jaehyuck.sa.dev@gmail.com>
2026-03-25Fixed #36913 -- Optimized MultipleChoiceField.validate().afenoum