| Age | Commit message (Collapse) | Author |
|---|
|
Thanks to Tim Schilling for the review.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of c27d368b92f321e6f91704f554dccbc18df5b075 from main.
|
|
docs/topics/tasks.txt.
Backport of a328c355d9625ecdc8f16b249daebba3c0ac2882 from main.
|
|
Backport of 5b939808220fa879942303f4318276668d11b4d9 from main.
|
|
Backport of 62ab467686845e2a12a2580997a81d4bf61edfc6 from main.
|
|
Backport of 9b1745400b09293253158059e3a8fe407e5cc553 from main.
|
|
|
|
|
|
on file system object creation.
This fix introduces `safe_makedirs()` in the `os` utils as a safer
alternative to `os.makedirs()` that avoids umask-related race conditions
in multi-threaded environments.
This is a workaround for https://github.com/python/cpython/issues/86533
and the solution is based on the fix being proposed for CPython.
Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
Co-authored-by: Zackery Spytz <zspytz@gmail.com>
Refs CVE-2020-24583 and #31921.
Thanks Tarek Nakkouch for the report, and Jake Howard, Jacob Walls, and
Shai Berger for reviews.
Backport of 019e44f67a8dace67b786e2818938c8691132988 from main.
|
|
This simplicaftion mitigates a potential DoS in URLField on Windows. The
usage of `urlsplit()` in `URLField.to_python()` was replaced with
`str.partition(":")` for URL scheme detection. On Windows, `urlsplit()`
performs Unicode normalization which is slow for certain characters,
making `URLField` vulnerable to DoS via specially crafted POST payloads.
Thanks Seokchan Yoon for the report, and Jake Howard and Shai Berger
for the review.
Refs #36923.
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
Backport of 951ffb3832cd83ba672c1e3deae2bda128eb9cca from main.
|
|
imported by namespace.
Backport of c1d8646ec219b8b90ebdd463f40e5767876658a0 from main.
|
|
Follow up to 659bacfe54c2a28eb2e0589c1c721f1a99720ad2.
|
|
Backport of 3f21cb06e76044ad753055700395e54a1fc4f1e9 from main.
|
|
Backport of 1f2a56567c565d91d797b8a9071ff77a75b52080 from main.
|
|
Backport of 4aefc9ea51cc2d78f43b1dc2aa69732e55d18a56 from main.
|
|
handler.
Before, if no exception occurred, "None Type: None" was logged.
Backport of 497d9cdc67f0bdae929fcde677b5f441e94a6c8b from main.
|
|
references from HTML truncation docs.
Backport of bbc6818bc12f14c1764a7eb68556018195f56b59 from main.
|
|
https://github.com/psf/black/releases/tag/26.1.0
Backport of 6cff02078799b7c683a0d39630d49ab4fe532e7c from main.
|
|
Backport of acd0bec51366e259b4c2b43e4c09755541cdf560 from main.
|
|
Visual regression in 4187da258fe212d494cb578a0bc2b52c4979ab95.
Backport of 8d251b512bafd7b7f736cfcabeba0ae76106f2db from main.
|
|
BuiltinLookup.as_sql().
For custom lookups subclassing BuiltinLookup and following the advice in the release notes
to return params in a tuple, this change will obviate the need to audit as_sql() in addition to
process_lhs() to be "resilient against either tuples or lists" as described in the release note.
Regression in 8914f4703cf03e2a01683c4ba00f5ae7d3fa449d.
|
|
with deferred annotations.
Provide a wrapper for safe introspection of user functions on Python 3.14+.
Follow-up to 601914722956cc41f1f2c53972d669ddee6ffc04.
Backport of 56ed37e17e5b1a509aa68a0c797dcff34fcc1366 from main.
|
|
Backport of 2c2d36376a0ce0edc048c077a60be6e3b953bb09 from main.
|
|
As a side effect from adding explicit license files to conform to PEP 639, the
AUTHORS file got dropped from the wheel. The tarball still contained this file.
In the "Python Packaging User Guide"
(https://packaging.python.org/en/latest/guides/writing-pyproject-toml/#license-files)
the AUTHORS file is modeled to be included in license-files.
Follow-up to 96a7a652166bece8acc96d6335ebb8091de2f496.
Backport of 220db1c78a1bdeb3ccb91ba8bf0b7ab829379c35 from main.
|
|
It's not clear that CLAs are needed to ensure contributors are
assenting to our license (the "inbound=outbound" agreement),
but we can keep them around for contributors who would like to
(or are required by their employer) to submit one, without
investing additional resources in checking every single contribution.
See https://forum.djangoproject.com/t/cla-vs-dco-for-django-contributors/42399
and recent board minutes.
Backport of 0dac3dd4a1573b3c9cef3aea6a98440decfc5460 from main.
|
|
contrib.postgres.aggreggates.StringAgg.delimiter.
Backport of 3c09ed81d3e90d7ce60372096c58e80548d1d2ef from main.
|
|
installation docs.
Backport of 6c2436fa8671cd41c6a5841493142308cd9541c8 from main.
|
|
Backport of 13299a6203f4bc3e5b2552c96a51ff2b15da3c43 from main.
|
|
CVE-2026-1287, and CVE-2026-1312 to security archive.
Backport of af361d3be4725b9da1022c078b2db02b9d9b96e7 from main.
|
|
Backport of e7e43f1f91b5e4822ace888d85645eada8535daa from main.
|
|
|
|
|
|
aliases contain periods.
This prevents failures at the database layer, given that aliases in the
ON clause are not quoted.
Systematically quoting aliases even in FilteredRelation is tracked in
https://code.djangoproject.com/ticket/36795.
Backport of 005d60d97c4dfb117503bdb6f2facfcaf9315d84 from main.
|
|
aliases with periods.
Before, `order_by()` treated a period in a field name as a sign that it
was requested via `.extra(order_by=...)` and thus should be passed
through as raw table and column names, even if `extra()` was not used.
Since periods are permitted in aliases, this meant user-controlled
aliases could force the `order_by()` clause to resolve to a raw table
and column pair instead of the actual target field for the alias.
In practice, only `FilteredRelation` was affected, as the other
expressions we tested, e.g. `F`, aggressively optimize away the ordering
expressions into ordinal positions, e.g. ORDER BY 2, instead of ORDER BY
"table".column.
Thanks Solomon Kebede for the report, and Simon Charette and Jake Howard
for reviews.
Backport of 69065ca869b0970dff8fdd8fafb390bf8b3bf222 from main.
|
|
aliases via control characters.
Control characters in FilteredRelation column aliases could be used for
SQL injection attacks. This affected QuerySet.annotate(), aggregate(),
extra(), values(), values_list(), and alias() when using dictionary
expansion with **kwargs.
Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls,
and Natalia Bidart for reviews.
Backport of e891a84c7ef9962bfcc3b4685690219542f86a22 from main.
|
|
django.utils.text.Truncator for HTML input.
The `TruncateHTMLParser` used `deque.remove()` to remove tags from the
stack when processing end tags. With crafted input containing many
unmatched end tags, this caused repeated full scans of the tag stack,
leading to quadratic time complexity.
The fix uses LIFO semantics, only removing a tag from the stack when it
matches the most recently opened tag. This avoids linear scans for
unmatched end tags and reduces complexity to linear time.
Refs #30686 and 6ee37ada3241ed263d8d1c2901b030d964cbd161.
Thanks Seokchan Yoon for the report, and Jake Howard and Jacob Walls for
reviews.
Backport of a33540b3e20b5d759aa8b2e4b9ca0e8edd285344 from main.
|
|
lookups via band index.
Thanks Tarek Nakkouch for the report, and Simon Charette for the initial
triage and review.
Backport of 81aa5292967cd09319c45fe2c1a525ce7b6684d8 from main.
|
|
requests.
Thanks Jiyong Yang for the report, and Natalia Bidart, Jacob Walls, and
Shai Berger for reviews.
Backport of eb22e1d6d643360e952609ef562c139a100ea4eb from main.
|
|
mod_wsgi auth handler.
Refs CVE-2024-39329, #20760.
Thanks Stackered for the report, and Jacob Walls and Markus Holtermann
for the reviews.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
Backport of 3eb814e02a4c336866d4189fa0c24fd1875863ed from main.
|
|
Backport of d725f6856d7488ba2a397dfe47dd851420188159 from main.
|
|
<fieldset> in the admin.
Thanks Antoliny for the review.
Regression in 4187da258fe212d494cb578a0bc2b52c4979ab95.
Backport of b665a67d61a8a4fd2ad85aeb77282bc49541723f from main.
|
|
Backport of 986f7f2098a2186b4085183951cbebae15220556 from main.
|
|
Regression in 94680437a45a71c70ca8bd2e68b72aa1e2eff337. Refs #27222.
During INSERT operations, `field.pre_save()` is called to prepare values
for db insertion. The `add` param must be `True` for `auto_now_add`
fields to be populated. The regression commit passed `False`, causing
`auto_now_add` fields to remain `None` when used by other fields, such
as `upload_to` callables.
Thanks Ran Benita for the report.
Backport of fe189dc43ab3eddbbceefb6834893b73ca60d5ed from main.
|
|
Backport of b30e09a94270fdaa4bf282bf442b758c9a6d0bb0 from main.
|
|
the changelist.
Removed flex-wrap from .changelist-form-container and added min-width to the
main content container to ensure proper layout behavior.
Regression in 6ea331907996a51842da55c1f8d65eea7b367c7d.
Backport of e92d1e3b7858981185e93d717c5727544d66b66e from main.
|
|
Backport of d6cca8b904de144946453aea93dd627c09abfca9 from main.
|
|
contributor docs.
Co-authored-by: James Bligh <blighj@users.noreply.github.com>
Backport of 07a16407452f5b62594661ae7ae589eca8cccd4d from main.
|
|
Field.pre_save() in 6.0 release notes.
Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
Backport of 924156072ecf61ef9cf50fa0d4d553a4c0d416c2 from main.
|
|
default_auto_field in packaging tutorial and AppConfig docs.
Backport of 091ffc4e5eb35776864b853973097588a36f169e from main.
|
|
docs/releases/6.0.1.txt and 5.2.10.txt.
Backport of 2be860d6cfb04c9b3643f7c31ce90df280c8e747 from main.
|
|
Co-authored-by: Jake Howard <git@theorangeone.net>
Backport of c08ed084f9651ab628dad83dd4459d9bba553e22 from main.
|
