summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2026-02-09Refs #36644 -- Documented no pk ordering in first()/last() after empty ↵Jacob Walls
order_by().
2026-02-09Fixed #36908 -- Removed unnecessary "fail_silently" param from quick example ↵SnippyCodes
in docs/topics/email.txt.
2026-02-09Refs #36036 -- Added note about z argument in GEOSCoordSeq.__init__().David Smith
When dropping support for GEOS 3.13 the `GEOSCoordSeq_hasZ()` function will be available on all supported GEOS versions. Instead of the parent geometry providing the z dimension we can reply on GEOSCoordSeq functions directly. This will follow a similar implementation to what was done for the M dimension. While it could be adopted earlier we would need to guess that geometries with 3 dimensions on GEOS < 3.14 are Z geometries.
2026-02-09Refs #36036 -- Added m dimension to GEOSCoordSeq.David Smith
2026-02-06Fixed #36246 -- Caught GDALException in BaseGeometryWidget.deserialize.JaeHyuck Sa
Signed-off-by: JaeHyuck Sa <wogur981208@gmail.com>
2026-02-06Fixed #36644 -- Enabled empty order_by() to avoid pk ordering by first()/last().Nilesh Kumar Pahari
2026-02-06Refs #36644 -- Applied default ordering after union().Nilesh Kumar Pahari
2026-02-06Fixed #36272 -- Removed obsolete libgeoip from GeoDjango installation docs.SnippyCodes
2026-02-05Refs #33579 -- Added extra tests for NotUpdated exception.Nick Pope
When `NotUpdated` was added in ab148c02cedbac492f29930dcd5346e1af052635, these additional tests that have equivalents for the `DoesNotExist` and `MultipleObjectsReturned` exceptions were missed.
2026-02-03Fixed #36898 -- Documented SessionBase.is_empty().jafarkhan83
2026-02-03Added CVE-2025-13473, CVE-2025-14550, CVE-2026-1207, CVE-2026-1285, ↵Jacob Walls
CVE-2026-1287, and CVE-2026-1312 to security archive.
2026-02-03Added stub release notes for 6.0.3.Jacob Walls
2026-02-03Refs CVE-2026-1312 -- Raised ValueError when FilteredRelation aliases ↵Jacob Walls
contain periods. This prevents failures at the database layer, given that aliases in the ON clause are not quoted. Systematically quoting aliases even in FilteredRelation is tracked in https://code.djangoproject.com/ticket/36795.
2026-02-03Fixed CVE-2026-1312 -- Protected order_by() from SQL injection via aliases ↵Jacob Walls
with periods. Before, `order_by()` treated a period in a field name as a sign that it was requested via `.extra(order_by=...)` and thus should be passed through as raw table and column names, even if `extra()` was not used. Since periods are permitted in aliases, this meant user-controlled aliases could force the `order_by()` clause to resolve to a raw table and column pair instead of the actual target field for the alias. In practice, only `FilteredRelation` was affected, as the other expressions we tested, e.g. `F`, aggressively optimize away the ordering expressions into ordinal positions, e.g. ORDER BY 2, instead of ORDER BY "table".column. Thanks Solomon Kebede for the report, and Simon Charette and Jake Howard for reviews.
2026-02-03Fixed CVE-2026-1287 -- Protected against SQL injection in column aliases via ↵Jake Howard
control characters. Control characters in FilteredRelation column aliases could be used for SQL injection attacks. This affected QuerySet.annotate(), aggregate(), extra(), values(), values_list(), and alias() when using dictionary expansion with **kwargs. Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls, and Natalia Bidart for reviews.
2026-02-03Fixed CVE-2026-1285 -- Mitigated potential DoS in ↵Natalia
django.utils.text.Truncator for HTML input. The `TruncateHTMLParser` used `deque.remove()` to remove tags from the stack when processing end tags. With crafted input containing many unmatched end tags, this caused repeated full scans of the tag stack, leading to quadratic time complexity. The fix uses LIFO semantics, only removing a tag from the stack when it matches the most recently opened tag. This avoids linear scans for unmatched end tags and reduces complexity to linear time. Refs #30686 and 6ee37ada3241ed263d8d1c2901b030d964cbd161. Thanks Seokchan Yoon for the report, and Jake Howard and Jacob Walls for reviews.
2026-02-03Fixed CVE-2026-1207 -- Prevented SQL injections in RasterField lookups via ↵Jacob Walls
band index. Thanks Tarek Nakkouch for the report, and Simon Charette for the initial triage and review.
2026-02-03Fixed CVE-2025-14550 -- Optimized repeated header parsing in ASGI requests.Jake Howard
Thanks Jiyong Yang for the report, and Natalia Bidart, Jacob Walls, and Shai Berger for reviews.
2026-02-03Fixed CVE-2025-13473 -- Standardized timing of check_password() in mod_wsgi ↵Jake Howard
auth handler. Refs CVE-2024-39329, #20760. Thanks Stackered for the report, and Jacob Walls and Markus Holtermann for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2026-02-03Fixed #36879 -- Identified Django client in Redis client metadata.ar3ph
2026-02-02Fixed line length in admin_views test_prepopulated_fields().Jacob Walls
2026-02-02Fixed #36893 -- Serialized elidable kwarg for RunSQL and RunPython operations.SnippyCodes
2026-02-02Fixed selenium tests in Firefox.Patryk Bratkowski
Unlike Chromium-based browsers, Firefox does not automatically scroll elements into view when using the Actions API with move_to_element. This calls the scrollIntoView function explicitly, which fixes some selenium tests when not running in headless mode.
2026-02-02Refs #36788 -- Added missing CSS selector for fieldsets in the admin.Jacob Walls
2026-02-02Fixed #36788 -- Fixed horizontal form field alignment under <fieldset> in ↵Jacob Walls
the admin. Thanks Antoliny for the review. Regression in 4187da258fe212d494cb578a0bc2b52c4979ab95.
2026-02-02Added missing quotes around nonce in docs/ref/csp.txt.Jacob Walls
2026-01-31Refs #36865 -- Fixed test_exact_lookup_validates_each_field_independently() ↵Jacob Walls
crash on databases that don't support primitives in JSONFields. For example on Oracle < 21c.
2026-01-31Added supports_expression_indexes skip to nulls_distinct test.Tim Graham
2026-01-31Refs #34118 -- Removed asgiref coroutine detection shims.Jacob Walls
As Python 3.12 is now the floor, we can drop the shims and use the `inspect` module.
2026-01-30Added documentation on reviewing patches.Tim Schilling
Original inspiration drawn from Sarah Boyce's talk: "Django needs you! (to do code review)"
2026-01-30Fixed typos in docs/ref/models/querysets.txt.Jacob Walls
2026-01-30Fixed #36468 -- Fixed failure to close popup when adding a related object in ↵Mark Niehues
the admin. The issue manifested when there were multiple relations and only some of them participated in a filter_horizontal. Regression in cd0479ff764272add5e0aba2afcf5649a241ca00.
2026-01-30Fixed #36865 -- Removed casting from exact lookups in admin searches.mlissner
Instead of casting non-text fields to CharField (which prevents index usage), skip exact lookups when the search term fails formfield.to_python(). This preserves index usage for valid searches while gracefully handling invalid search terms by simply not including them in the query for that field. For multi-term searches like 'foo 123' on search_fields=['name', 'age__exact']: - 'foo': invalid for age, so only name lookup is used - '123': valid for both, so both lookups are used This entails a slight increase in permissiveness for search terms that can be normalized by formfield.to_python().
2026-01-30Refs #36865 -- Added test for invalid value handling in admin changelist.mlissner
2026-01-29Fixed spell checking in docs GitHub Actions workflow.Natalia
The spelling check job was passing even with spelling errors because the system spell checker (`aspell`) was not installed on the GitHub Actions runner. While `sphinxcontrib.spelling` and `PyEnchant` were installed via pip, they require a system-level spell checker backend to function.
2026-01-29Made explicit that aspell is a requirement to run spell checks on docs.Natalia
2026-01-29Fixed docs spelling errors accumulated over time.Natalia
The `docs` GitHub action does not install `aspell` so the seplling checks are always passing in CI. After installing it, the following errors are reported: WARNING: internals/security.txt:50: : Spell check: runnable: Include a runnable proof of concept. WARNING: ref/contrib/postgres/search.txt:292: : Spell check: lexeme: an untrusted source. The content of each lexeme is escaped so that any. WARNING: ref/contrib/postgres/search.txt:295: : Spell check: lexemes: You can combine lexemes with other lexemes using the . WARNING: ref/contrib/postgres/search.txt:295: : Spell check: lexemes: You can combine lexemes with other lexemes using the . WARNING: ref/contrib/postgres/search.txt:314: : Spell check: Lexeme: Lexeme objects also support term weighting and prefixes:. WARNING: ref/models/database-functions.txt:1897: : Spell check: ai: 23ai/26ai (23.9) or later.. WARNING: ref/models/database-functions.txt:1897: : Spell check: ai: 23ai/26ai (23.9) or later.. WARNING: ref/models/expressions.txt:439: : Spell check: positionally: can be supplied positionally or only by keyword. For. WARNING: ref/models/fields.txt:1339: : Spell check: ai: PostgreSQL < 18 only supports persisted columns. Oracle < 23ai/26ai (23.7). WARNING: ref/models/fields.txt:1339: : Spell check: ai: PostgreSQL < 18 only supports persisted columns. Oracle < 23ai/26ai (23.7). WARNING: ref/models/fields.txt:1344: : Spell check: ai: s was added on Oracle 23ai/26ai. WARNING: ref/models/fields.txt:1344: : Spell check: ai: s was added on Oracle 23ai/26ai. WARNING: releases/4.2.21.txt:24: : Spell check: unclosed: exception if it encounters an unusually large number of unclosed opening tags.. WARNING: releases/5.1.9.txt:24: : Spell check: unclosed: exception if it encounters an unusually large number of unclosed opening tags.. WARNING: releases/5.2.1.txt:24: : Spell check: unclosed: exception if it encounters an unusually large number of unclosed opening tags.. WARNING: releases/6.1.txt:244: : Spell check: mistyped: suggestions for mistyped subcommand names and argument choices.. WARNING: releases/6.1.txt:281: : Spell check: ai: Oracle 23ai/26ai (23.7+).. WARNING: releases/6.1.txt:281: : Spell check: ai: Oracle 23ai/26ai (23.7+).. WARNING: releases/6.1.txt:343: : Spell check: durations: durations expressed in weeks (. WARNING: Found 19 misspelled words build finished with problems, 20 warnings (with warnings treated as errors). This branch adds some of the words to the allowlist, but for others I chose to rephrase the text in a more approachable manner.
2026-01-29Fixed #36847 -- Ensured auto_now_add fields are set on pre_save().Nilesh Kumar Pahari
Regression in 94680437a45a71c70ca8bd2e68b72aa1e2eff337. Refs #27222. During INSERT operations, `field.pre_save()` is called to prepare values for db insertion. The `add` param must be `True` for `auto_now_add` fields to be populated. The regression commit passed `False`, causing `auto_now_add` fields to remain `None` when used by other fields, such as `upload_to` callables. Thanks Ran Benita for the report.
2026-01-28Fixed #36233 -- Avoided quantizing integers stored in DecimalField on SQLite.Samriddha9619
Co-authored-by: Simon Charette <charette.s@gmail.com> Co-authored-by: Jacob Walls <jacobtylerwalls@gmail.com>
2026-01-28Doc'd the minimum version of bash for releasing Django.Jacob Walls
2026-01-28Fixed #36878 -- Unified data type for *_together options in ModelState.Markus Holtermann
Ever since the beginning of Django's migration framework, there's been a bit of an inconsistency on how index_together and unique_together values have been stored on the ModelState[^1]. It's only really obvious, when looking at the current code for `from_model()`[^2] and the `rename_field()` state alteration code[^3]. The problem in the autodetector's detection of the `*_together` options as raised in the ticket, reinforces the inconsistency[^4]: the old value is being normalized to a set of tuples, whereas the new value is taken as-is. Why this hasn't been caught before, is likely to the fact, that we never really look at a `to_state` that comes from migration operations in the autodetector. Instead, in both usages in Django[^5], [^6] the `to_state` is a `ProjectState.from_apps()`. And that state is consistently using sets of tuples and not lists of lists. [^1]: https://github.com/django/django/commit/67dcea711e92025d0e8676b869b7ef15dbc6db73#diff-5dd147e9e978e645313dd99eab3a7bab1f1cb0a53e256843adb68aeed71e61dcR85-R87 [^2]: https://github.com/django/django/blob/b1ffa9a9d78b0c2c5ad6ed5a1d84e380d5cfd010/django/db/migrations/state.py#L842 [^3]: https://github.com/django/django/blob/b1ffa9a9d78b0c2c5ad6ed5a1d84e380d5cfd010/django/db/migrations/state.py#L340-L345 [^4]: https://github.com/django/django/blob/b1ffa9a9d78b0c2c5ad6ed5a1d84e380d5cfd010/django/db/migrations/autodetector.py#L1757-L1771 [^5]: https://github.com/django/django/blob/2351c1b12cc9cf82d642f769c774bc3ea0cc4006/django/core/management/commands/makemigrations.py#L215-L219 [^6]: https://github.com/django/django/blob/2351c1b12cc9cf82d642f769c774bc3ea0cc4006/django/core/management/commands/migrate.py#L329-L332
2026-01-27Refs #35744 -- Removed problematic __in lookup in ↵Tim Graham
test_intersection_in_nested_subquery. It's problematic on MongoDB. Simon: "It seems odd that we'd use __in=OuterRef("pk") over __in=[OuterRef("pk")]. It's a SQLism that only works because right-hand-side is wrapped with (...) and that's interpreted as a singleton tuple which is allowed with IN."
2026-01-27Added stub release notes and release date for 6.0.2, 5.2.11, and 4.2.28.Jacob Walls
2026-01-26Fixed #36776 -- Clarified dev server runs in WSGI mode.jafarkhan83
2026-01-26Fixed #36883 -- Split monolithic aggregation regression tests.varunkasyap
2026-01-26Fixed #36850 -- Prevented admin filter sidebar from wrapping below the ↵Nilesh Kumar Pahari
changelist. Removed flex-wrap from .changelist-form-container and added min-width to the main content container to ensure proper layout behavior. Regression in 6ea331907996a51842da55c1f8d65eea7b367c7d.
2026-01-25Fixed #36812 -- Dropped support for MariaDB < 10.11.Skyiesac
2026-01-23Refs #33735 -- Coped with stacklevel change in ASGITest.test_file_response().Jacob Walls
Follow-up to c042fe3a74fb213c93b1052f7de4d99a6e6948e0. The original ignore was added in 0bd2c0c9015b53c41394a1c0989afbfd94dc2830 but was not adjusted when the stacklevel changed.
2026-01-23Refs #36620 -- Ran coverage tests workflow on forks.Jacob Walls
We can continue to limit the coverage comment workflow to django/django, but now that this workflow is the main python test workflow, it should run on forks by default. The other tests workflow (currently running only JavaScript tests) may start running python tests again once we flesh out the matrix, but since it was duplicating the coverage tests configuration, we temporarily removed it. Follow-up to 26b0e2bb92caf2d16cabe455792350f20d6f42ca.
2026-01-22Fixed #13883 -- Rendered named choice groups with <optgroup> in ↵seanhelvey
FilteredSelectMultiple. This patch adds support for <optgroup>s in FilteredSelectMultiple widgets. When a popup returns a new object, if the source field contains optgroup choices, the optgroup is now also included in the response data. Additionally, this adds error handling for invalid source_model parameters to prevent crashes and display user-friendly error messages instead. Co-authored-by: Michael McLarnon <mmclar@gmail.com>