| Age | Commit message (Collapse) | Author |
|
containing only whitespace in admin.
|
|
in BuiltinLookup.as_sql().
Instead of cherry-picking a larger changeset (787cc96ef6197d73c7d4ad96f25500910c399603)
and removing changes unsuitable for a backport, a partial backport was applied directly
to stable/6.0.x to resolve #36934, so the release note needs to be forwardported.
Forwardport of f9b820f8ac50aad025949087e660a551691832e4 from stable/6.0.x.
|
|
Thanks David Smith for report and Tim Graham for review.
|
|
Replaced outdated version of `default_key_func` in settings reference
with pointer to current version in cache topic. Rewrote description to
match parameter order and behavior of default implementation.
Co-authored-by: nessita <124304+nessita@users.noreply.github.com>
|
|
Co-authored-by: Clifford Gama <cliffygamy@gmail.com>
|
|
Thanks Simon Charette for the idea.
|
|
Explicitly set the text color for the admin M2M widget to ensure
selected rows remain readable in browsers like Microsoft Edge and
Firefox when the widget was not focused.
|
|
|
|
|
|
These tests were developed during work on MongoDB and capture edge cases
discovered there.
|
|
`DatabaseOperations.check_expression_support()`.
|
|
Avoided reconstructing the same tuples on every call by defining them as module-level constants.
|
|
These new cases have regex characters that must be escaped by backends
like MongoDB.
|
|
admin.
Regression in b1ffa9a9d78b0c2c5ad6ed5a1d84e380d5cfd010.
|
|
|
|
|
|
This also removes the skip on the primary tests workflow so that
it runs more predictably.
|
|
|
|
|
|
deferred annotations.
Provide a wrapper for safe introspection of user functions on Python 3.14+.
Follow-up to 601914722956cc41f1f2c53972d669ddee6ffc04.
|
|
|
|
default delimiter.
|
|
|
|
As a side effect from adding explicit license files to conform to PEP 639, the
AUTHORS file got dropped from the wheel. The tarball still contained this file.
In the "Python Packaging User Guide"
(https://packaging.python.org/en/latest/guides/writing-pyproject-toml/#license-files)
the AUTHORS file is modeled to be included in license-files.
Follow-up to 96a7a652166bece8acc96d6335ebb8091de2f496.
|
|
|
|
It's how Django formats values internally and makes tests compatible
with databases that use non-integer primary keys.
|
|
|
|
It's not clear that CLAs are needed to ensure contributors are
assenting to our license (the "inbound=outbound" agreement),
but we can keep them around for contributors who would like to
(or are required by their employer) to submit one, without
investing additional resources in checking every single contribution.
See https://forum.djangoproject.com/t/cla-vs-dco-for-django-contributors/42399
and recent board minutes.
|
|
contrib.postgres.aggreggates.StringAgg.delimiter.
|
|
Needed by MongoDB.
|
|
order_by().
|
|
in docs/topics/email.txt.
|
|
When dropping support for GEOS 3.13 the `GEOSCoordSeq_hasZ()` function will be available on all supported GEOS versions. Instead of the parent geometry providing the z dimension we can reply on GEOSCoordSeq functions directly. This will follow a similar implementation to what was done for the M dimension.
While it could be adopted earlier we would need to guess that geometries with 3 dimensions on GEOS < 3.14 are Z geometries.
|
|
|
|
Signed-off-by: JaeHyuck Sa <wogur981208@gmail.com>
|
|
|
|
|
|
|
|
When `NotUpdated` was added in ab148c02cedbac492f29930dcd5346e1af052635,
these additional tests that have equivalents for the `DoesNotExist` and
`MultipleObjectsReturned` exceptions were missed.
|
|
|
|
CVE-2026-1287, and CVE-2026-1312 to security archive.
|
|
|
|
contain periods.
This prevents failures at the database layer, given that aliases in the
ON clause are not quoted.
Systematically quoting aliases even in FilteredRelation is tracked in
https://code.djangoproject.com/ticket/36795.
|
|
with periods.
Before, `order_by()` treated a period in a field name as a sign that it
was requested via `.extra(order_by=...)` and thus should be passed
through as raw table and column names, even if `extra()` was not used.
Since periods are permitted in aliases, this meant user-controlled
aliases could force the `order_by()` clause to resolve to a raw table
and column pair instead of the actual target field for the alias.
In practice, only `FilteredRelation` was affected, as the other
expressions we tested, e.g. `F`, aggressively optimize away the ordering
expressions into ordinal positions, e.g. ORDER BY 2, instead of ORDER BY
"table".column.
Thanks Solomon Kebede for the report, and Simon Charette and Jake Howard
for reviews.
|
|
control characters.
Control characters in FilteredRelation column aliases could be used for
SQL injection attacks. This affected QuerySet.annotate(), aggregate(),
extra(), values(), values_list(), and alias() when using dictionary
expansion with **kwargs.
Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls,
and Natalia Bidart for reviews.
|
|
django.utils.text.Truncator for HTML input.
The `TruncateHTMLParser` used `deque.remove()` to remove tags from the
stack when processing end tags. With crafted input containing many
unmatched end tags, this caused repeated full scans of the tag stack,
leading to quadratic time complexity.
The fix uses LIFO semantics, only removing a tag from the stack when it
matches the most recently opened tag. This avoids linear scans for
unmatched end tags and reduces complexity to linear time.
Refs #30686 and 6ee37ada3241ed263d8d1c2901b030d964cbd161.
Thanks Seokchan Yoon for the report, and Jake Howard and Jacob Walls for
reviews.
|
|
band index.
Thanks Tarek Nakkouch for the report, and Simon Charette for the initial
triage and review.
|
|
Thanks Jiyong Yang for the report, and Natalia Bidart, Jacob Walls, and
Shai Berger for reviews.
|
|
auth handler.
Refs CVE-2024-39329, #20760.
Thanks Stackered for the report, and Jacob Walls and Markus Holtermann
for the reviews.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
|
|
|